Implement 2-Way SSL for Rest integration.
Hi Team,
One of our client wish to implement 2-way SSL for rest integration. PRPC (V 7.1.6 and Apache tomcat V 7.0.42) acts as client and external system acts as service provider.
Based on my understanding,
Client trust store should contain service provider digital certificate and client should give its certificate to service provider.
Q1) How to get the digital certificate of the service provider?
Q2) How to install the obtained digital certificate to application server and trust store?
Q3) where can we locate the digital certificate of PEGA that should be supplied to the service provider?
Q4) since connect-rest rule form (V7.1.6) doesn’t provide options for trust store and keystore, is it possible to implement 2-Way SSL? If so, what are the configuration changes required in PEGA and in Application server?
Thanks in advance.
Regards,
Satish
Pegasystems Inc.
US
Hi, I can try to answer some of these questions, but I suggest that you read some tomcat and java documentation on being a 2-way SSL client, as there are many facets to configuring this correctly.
- The certificate of the service provider is likely signed by a 3rd party Certificate Authority. It would be best to find out what that certificate authority is, and obtain their certificate rather than the service provider's certificate. For example, the certificate for https://www.google.com is declared trustworthy by GeoTrust Global CA, so having the GeoTrust Global CA certificate in the trust store is sufficient. Most versions of java come with a default 'cacerts' trust store, which is pre-loaded with certificates for popular 3rd party Certificate Authorities, so you may not have to do anything to the trust store.
- The easiest way to add a trusted CA certificate is to just add it to the java trust store. This is likely the 'cacerts' trust store at your java install location.
- In general, the client certificate needs to be generated by or created in collaboration with the service provider. I cannot offer any specific instructions on how to do that as it varies by service provider.
- Two-way SSL should work despite the lack of keystore/truststore fields, as long as you have correctly set up java and tomcat to be a 2-way SSL client to the service. Pega will leverage the java settings when attempting the SSL handshake.
Optus
AU
Hi,
Your response helped a lot. After all these configuration, when I try to consume the rest service from client system getting “Peer not authenticated” exception.
Since PEGA is hosted on cloud, we are building a POC to implement two way SSL for rest integration. Here are details (both client and server are hosted on tomcat with PEGA V7.1.9),
1. Generated key store file using the below command.
keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/pushservice.jks
2. We used the same file for key store and trust store for both the client and server.
3. Server side configuration. (server.xml)
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
keystoreFile="/opt/pushservice.jks"
keystorePass="tomcat"
truststoreFile="/opt/pushservice.jks"
truststorePass="tomcat"
keyAlias="pushservice" />
4. Built a rest service in server, converted “pushservice.jks” to “pushservcie.p12” and installed in personal certificates in Firefox browser.
Hi,
Your response helped a lot. After all these configuration, when I try to consume the rest service from client system getting “Peer not authenticated” exception.
Since PEGA is hosted on cloud, we are building a POC to implement two way SSL for rest integration. Here are details (both client and server are hosted on tomcat with PEGA V7.1.9),
1. Generated key store file using the below command.
keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/pushservice.jks
2. We used the same file for key store and trust store for both the client and server.
3. Server side configuration. (server.xml)
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
keystoreFile="/opt/pushservice.jks"
keystorePass="tomcat"
truststoreFile="/opt/pushservice.jks"
truststorePass="tomcat"
keyAlias="pushservice" />
4. Built a rest service in server, converted “pushservice.jks” to “pushservcie.p12” and installed in personal certificates in Firefox browser.
5. I can successfully access the rest o/p from browser.
6. Certificate from browser. (Server)
7. Client side configuration (Server.xml)
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/opt/pushservice.jks"
keystorePass="tomcat"
truststoreFile="/opt/pushservice.jks"
truststorePass="tomcat" />
8. Client can be accessed from Firefox browser (with https) without any issue.
9. When try to consume the rest service from client “Peer not authenticated” exception is occurring.
“javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:431)
at com.pega.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at com.pega.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:398)
at com.pega.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:496)
at com.pega.apache.http.conn.scheme.SchemeSocketFactoryAdaptor.connectSocket(SchemeSocketFactoryAdaptor.java:62)
at com.pega.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148)
at com.pega.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:149)
at com.pega.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121)
at com.pega.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:573)
at com.pega.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:425)
at com.pega.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:825)
at com.pega.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:759)
at com.pegarules.generated.activity.ra_action_pyinvokerestconnector_28ccb2185309b8c9c6d59a05ed51acae.step5_circum0(ra_action_pyinvokerestconnector_28ccb2185309b8c9c6d59a05ed51acae.java:1185) ”
10. Tried overriding key store and trust store in connect-rest rule but no luck. The same exception is generated again.
Please guide me to solve the issue.
More info:
1. According to this article, need to restart the JVM. How to restart the JVM in Linux OS.
2. Is there any way to check for certificates in the request / response in rest intergration?
Thanks in advance.