2-way SSL communication using the HTTP input node in IBM App Connect for CP4I

By UMA KORUKONDA posted Mon July 03, 2023 02:12 PM


Co-author - Ajay Ponnappan


This blog summarises how to implement 2-way SSL using the IBM App Connect HTTP input node in IBM Cloud Pak for Integration and invoke the HTTP application from the browser. 


Note: We used IBM App Connect Enterprise operator version 5.1.0 for this scenario; the same steps should work on other IBM App Connect Enterprise operator versions too.

Introduction

One-way SSL / Server Certificate Authentication

In one-way SSL authentication (Server Certificate Authentication), only the client validates the server; the server does not verify the client application. When implementing one-way SSL authentication, the server application shares its public certificate with the client.

Two-way SSL / Server-Client Certificate Authentication

In two-way SSL authentication, the client application verifies the identity of the server application, and then the server application verifies the identity of the client application. Both parties share their public certificates, and each side validates the certificate it receives, so the handshake is mutual. The server can additionally identify the client by a username or by the Common Name (CN) carried in the client certificate.

Steps to configure 2-way SSL in App Connect Enterprise in CP4I

This involves three steps.

  1. Creation of keys.
  2. Creation of a message flow in an application using the standalone App Connect Enterprise toolkit and exporting it to a BAR file.
  3. Importing the BAR file to App Connect Enterprise on CP4I, completing various configurations and executing the flow.

1. Creating KeyStore and TrustStore

  1. Client-Side configuration:

    Using iKeyman or any other key creation tool, create a KeyStore in PKCS12 format and create a self-signed personal certificate.


    Click on “New Self-Signed” and create a certificate.


    Extract this certificate and save it.

    Now create a Truststore in PKCS12 format and add the extracted certificate from the above step in Signer Certificates.

    Give it a label.



    Click on OK.

  2. Server-side configuration: Using iKeyman or any other key creation tool, create a KeyStore in PKCS12 format and create a self-signed personal certificate.

    For the detailed steps, refer to the blog Securing a REST-based integration in IBM App Connect.
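The client-side steps above are described with the iKeyman GUI. The script below is an added example, not part of the original post, that performs the same three actions with the openssl command line (any key creation tool is acceptable, as the text says): a PKCS12 client KeyStore with a self-signed personal certificate, extraction of the public certificate, and a PKCS12 TrustStore that holds only that certificate as a signer certificate. The subject, label, file names and passwords are constructed placeholders, and openssl on the PATH is the only assumption.

```shell
#!/bin/sh
# Added example (not from the original blog): the client-side steps of section 1
# done with openssl instead of iKeyman. Subject names, labels and passwords are
# constructed placeholders; change them for real use.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CLIENT_KS_PASS="changeit"   # constructed placeholder
TRUST_PASS="passw0rd"       # constructed placeholder
LABEL="aceclient"           # iKeyman "Key Label" / PKCS12 friendly name

# 1a. Client KeyStore (PKCS12) containing a self-signed personal certificate,
#     i.e. the private key plus the certificate the client will present.
make_client_keystore() {
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
    -subj "/CN=$LABEL/O=Example" \
    -keyout "$WORKDIR/client-key.pem" -out "$WORKDIR/client-cert.pem" 2>/dev/null
  openssl pkcs12 -export -name "$LABEL" \
    -inkey "$WORKDIR/client-key.pem" -in "$WORKDIR/client-cert.pem" \
    -out "$WORKDIR/client-keystore.p12" -passout "pass:$CLIENT_KS_PASS"
}

# 1b. "Extract certificate": the public certificate only, as PEM.
extract_client_cert() {
  openssl pkcs12 -in "$WORKDIR/client-keystore.p12" -passin "pass:$CLIENT_KS_PASS" \
    -clcerts -nokeys 2>/dev/null | openssl x509 -out "$WORKDIR/client-extracted.pem"
}

# 1c. TrustStore (PKCS12) with the extracted certificate as a signer certificate.
#     -nokeys keeps the private key out of it; the server only needs the public part.
make_truststore() {
  openssl pkcs12 -export -nokeys -name "$LABEL" -in "$WORKDIR/client-extracted.pem" \
    -out "$WORKDIR/CP4Itruststore.p12" -passout "pass:$TRUST_PASS"
}

# Subject CN of the first certificate in a PKCS12 file.
store_cn() {   # $1 = file, $2 = password
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | openssl x509 -noout -subject -nameopt RFC2253 | sed 's/.*CN=\([^,]*\).*/\1/'
}

# Number of private keys in a PKCS12 file (1 for the keystore, 0 for the truststore).
private_key_count() {   # $1 = file, $2 = password
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -c "BEGIN .*PRIVATE KEY" || true
}

build_client_stores() {
  make_client_keystore
  extract_client_cert
  make_truststore
  echo "keystore   : $WORKDIR/client-keystore.p12" \
    "(CN=$(store_cn "$WORKDIR/client-keystore.p12" "$CLIENT_KS_PASS")," \
    "private keys=$(private_key_count "$WORKDIR/client-keystore.p12" "$CLIENT_KS_PASS"))"
  echo "truststore : $WORKDIR/CP4Itruststore.p12" \
    "(CN=$(store_cn "$WORKDIR/CP4Itruststore.p12" "$TRUST_PASS")," \
    "private keys=$(private_key_count "$WORKDIR/CP4Itruststore.p12" "$TRUST_PASS"))"
}

build_client_stores
```

The two private-key counts make the division of roles explicit: only the KeyStore carries the private key, so it is the KeyStore (or its PEM key and certificate, for a client such as curl with --cert and --key) that a client needs in order to present the certificate, while the TrustStore holds only the public certificate and is what the server uses to verify it.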

2. Message Flow creation

We will create an application that has a flow with HTTP Input -> Compute Node -> HTTP Reply using the App Connect Enterprise Toolkit and then deploy the BAR to CP4I.

Make sure you tick the check box for property “Use HTTPS” in the Basic properties of the HTTP Input Node.

In the Compute node, add the following line to the Main function (ESQL string literals use single quotes):

    SET OutputRoot.XML.Text = 'Hello World';

After creating the application, create a BAR file having this message flow.

3. CP4I Configuration

Create the below files. 

  1. Create https-setdbparms.txt with the following contents (one entry per line).

    local::basicAuthOverride aceuser changeit
    brokerKeystore::password ignore changeit
    brokerTruststore::password aceuser passw0rd

  2. Create a server.conf.yaml file with the following contents.

    serverConfVersion: 1
    forceServerHTTPS: true
    ResourceManagers:
      HTTPSConnector:
        KeystoreFile: '/home/aceuser/keystores/https-keystore.p12'
        KeystoreType: 'PKCS12'
        KeystorePassword: 'brokerKeystore::password'
        ReqClientAuth: true
        TruststoreFile: '/home/aceuser/truststores/CP4Itruststore.p12'
        TruststoreType: 'PKCS12'
        TruststorePassword: 'brokerTruststore::password'
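Before uploading them, it is worth checking that the two files agree with each other and with the configuration names used in the dashboard step that follows: every name::password alias in server.conf.yaml needs a matching line in https-setdbparms.txt, ReqClientAuth must be true for the server to demand a client certificate at all (otherwise this is the one-way SSL from the introduction), and the keystore and truststore paths must end in the configuration names. The script below is an added example, not from the original post; the two files are reproduced as constructed heredocs and CONFIG_NAMES lists the names the dashboard step asks you to use.

```shell
#!/bin/sh
# Added example, not from the original blog: sanity-check the server.conf.yaml
# and https-setdbparms.txt pair before uploading them as CP4I configurations.
# Both files are reproduced here as constructed heredocs.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

cat > "$WORKDIR/server.conf.yaml" <<'EOF'
serverConfVersion: 1
forceServerHTTPS: true
ResourceManagers:
  HTTPSConnector:
    KeystoreFile: '/home/aceuser/keystores/https-keystore.p12'
    KeystoreType: 'PKCS12'
    KeystorePassword: 'brokerKeystore::password'
    ReqClientAuth: true
    TruststoreFile: '/home/aceuser/truststores/CP4Itruststore.p12'
    TruststoreType: 'PKCS12'
    TruststorePassword: 'brokerTruststore::password'
EOF

cat > "$WORKDIR/https-setdbparms.txt" <<'EOF'
local::basicAuthOverride aceuser changeit
brokerKeystore::password ignore changeit
brokerTruststore::password aceuser passw0rd
EOF

# Names given to the Keystore and Truststore configurations in the dashboard.
CONFIG_NAMES="https-keystore.p12 CP4Itruststore.p12"

# Value of a key in the yaml, quotes and spaces stripped (empty if absent).
yaml_value() {   # $1 = yaml file, $2 = key
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | tr -d "'\" " | head -n 1
}

# Succeeds only if every name::password alias in the yaml has a setdbparms line.
check_aliases() {   # $1 = yaml file, $2 = setdbparms file
  for alias in $(grep -o "[A-Za-z0-9]*::password" "$1" | sort -u); do
    grep -q "^$alias " "$2" || { echo "missing setdbparms entry for $alias"; return 1; }
  done
}

# Succeeds only if the connector really demands a client certificate and has a
# truststore to verify it against; anything else is one-way SSL.
check_mutual_tls() {   # $1 = yaml file
  [ "$(yaml_value "$1" ReqClientAuth)" = "true" ] \
    || { echo "ReqClientAuth is not true: this is one-way SSL"; return 1; }
  [ -n "$(yaml_value "$1" TruststoreFile)" ] \
    || { echo "ReqClientAuth is set but no TruststoreFile is configured"; return 1; }
}

# Succeeds only if each store path ends in the name of an uploaded configuration,
# which is how the file gets mounted at that path.
check_store_names() {   # $1 = yaml file
  for key in KeystoreFile TruststoreFile; do
    name=$(basename "$(yaml_value "$1" $key)")
    case " $CONFIG_NAMES " in
      *" $name "*) ;;
      *) echo "$key points at $name but no configuration has that name"; return 1 ;;
    esac
  done
}

check_all() {
  check_aliases "$WORKDIR/server.conf.yaml" "$WORKDIR/https-setdbparms.txt" &&
  check_mutual_tls "$WORKDIR/server.conf.yaml" &&
  check_store_names "$WORKDIR/server.conf.yaml"
}

if check_all; then
  echo "server.conf.yaml and https-setdbparms.txt are consistent"
else
  echo "fix the problems above before uploading"
fi
```

The check_mutual_tls function is the one that matters most for this blog's purpose: with ReqClientAuth missing or false the server still starts and serves HTTPS, but it never asks the browser for a certificate, so the deployment silently degrades to the one-way setup described in the introduction.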


From your App Connect Dashboard instance, click the Dashboard icon in the navigation pane. 

  • On the Servers page, click Create server.
  • Choose Quick start integration as the type of integration and click Next.
  • Upload the BAR file you created in Step 2 and click Next.
  • From the Configuration view, use the Create configuration button to create each of the following configurations in turn, ensuring the names are as given:
    1. Select server.conf.yaml as the type and upload the server.conf.yaml file. Name the configuration https-server.conf.yaml.
    2. Select setdbparms.txt as the type and upload the https-setdbparms.txt file. Name the configuration https-setdbparms.txt.
    3. Select Keystore as the type and upload the https-keystore.p12 file. Name the configuration https-keystore.p12. It is important that you set the name to https-keystore.p12 because the https-server.conf.yaml file contains a reference to that name.
    4. Select Truststore as the type and upload the CP4Itruststore.p12 file. Name the configuration CP4Itruststore.p12, for the same reason.

Select all the new configurations that you created and then click Next.

Give the name of the Integration Server as ‘CP4I2wayssl’.

Set the application transport for the integration endpoint to https.

Click Create. The integration server should start and expose the HTTPS input.

Go to Networking -> Routes, select the project and find the route for your server (here, CP4I2wayssl-https). Click the URL in the Location column; it opens in the browser.

Append the URL with the URI provided in the HTTP input node.

For example: https://CP4I2wayssl-https-ace-uma-kafka.apps.ace-CP4I-l3.cp.fyre.ibm.com/helloworld

The browser will prompt for a certificate. Import the certificate that you extracted from the client trust store in step 1 into the browser.

For this, open the browser settings -> Privacy & Security -> Security -> Certificates -> View Certificates -> Import.

Click on Import and browse for the certificate.

Then trust the certificate and invoke the URL.
