Create the keys and certificates for ExampleServer App, ExampleClient App and Testing Tool
I have used openssl to create public certificates and encrypted private keys. When you execute the commands, you will be prompted to enter a password to secure each private key. Note down these passwords as you will need them later in this recipe. For simplicity, I have used the same password for all keys, truststores and keystores.
Key and certificates for ExampleServer App:
openssl req -newkey rsa:2048 -keyout keystore-ExampleServer.key -x509 -days 365 -out keystore-ExampleServer.crt \
-subj "/C=IN/ST=Karnataka/L=Bengaluru/O=IBM/OU=ISL/CN=exampleserver-https-ace.apps.kanand.os.fyre.ibm.com"
Key and certificates for ExampleClient App:
openssl req -newkey rsa:2048 -keyout keystore-ExampleClient.key -x509 -days 365 -out keystore-ExampleClient.crt \
-subj "/C=IN/ST=Karnataka/L=Bengaluru/O=IBM/OU=ISL/CN=exampleclient-https-ace.apps.kanand.os.fyre.ibm.com"
Key and certificates for Testing tool:
openssl req -newkey rsa:2048 -keyout keystore-TestTool.key -x509 -days 365 -out keystore-TestTool.crt \
-subj "/C=IN/ST=Karnataka/L=Bengaluru/O=IBM/OU=ISL/CN=testtool"
Sample output:
After executing all 3 commands, you should have 3 sets of keys and certificates ready to use.
- keystore-ExampleServer.key
- keystore-ExampleServer.crt
- keystore-ExampleClient.key
- keystore-ExampleClient.crt
- keystore-TestTool.key
- keystore-TestTool.crt
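The three openssl commands above are interactive and give you no way to confirm afterwards that a .key and a .crt actually belong together. The script below is an added example and is not part of the original recipe: it generates the same three identities non-interactively, keeps the key passphrase in a mode-0600 file (which later doubles as the keystore-<Name>.pass file that generateSecrets.sh packs into the secret), adds a DNS subjectAltName because current TLS stacks check the SAN rather than the CN for host name verification, and checks each pair by comparing the public key extracted from the encrypted private key with the one embedded in the certificate. Assumed: OpenSSL 1.1.1 or later (for -addext), the password taken from $CERT_PASS (the constructed default mirrors the recipe's demo value), and an output directory from $WORKDIR or mktemp; the host names are the recipe's own.

```shell
#!/bin/sh
# Added example (not from the original recipe): create the three self-signed
# identities non-interactively and verify that each private key matches its
# certificate before the files are handed to generateSecrets.sh.
# Assumptions: OpenSSL 1.1.1+ (for -addext); password from $CERT_PASS
# (constructed default mirrors the recipe); output in $WORKDIR or a temp dir.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CERT_PASS="${CERT_PASS:-p@ssw0rd}"

# Write the passphrase to a mode-0600 file so it never appears on a command
# line (visible in ps output). The same file is what the recipe later names
# keystore-<Name>.pass.
write_pass_file() {
    old_umask=$(umask)
    umask 077
    printf '%s' "$CERT_PASS" > "$WORKDIR/keystore-$1.pass"
    umask "$old_umask"
}

# make_identity NAME CN [SAN]: keystore-NAME.key (encrypted) and
# keystore-NAME.crt, self-signed for 365 days, same subject as the recipe,
# plus a DNS SAN (defaults to the CN) for host name verification.
make_identity() {
    name="$1"; cn="$2"; san="${3:-$2}"
    write_pass_file "$name"
    openssl req -newkey rsa:2048 -x509 -days 365 \
        -keyout "$WORKDIR/keystore-$name.key" \
        -out "$WORKDIR/keystore-$name.crt" \
        -passout "file:$WORKDIR/keystore-$name.pass" \
        -subj "/C=IN/ST=Karnataka/L=Bengaluru/O=IBM/OU=ISL/CN=$cn" \
        -addext "subjectAltName=DNS:$san" 2>/dev/null
}

# key_matches_cert KEY PASSFILE CRT: success only when the key decrypts with
# the stored passphrase AND its public key is byte-identical to the one in
# the certificate. Catches a key paired with the wrong crt, or a wrong .pass.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -passin "file:$2" -pubout 2>/dev/null || true)
    crt_pub=$(openssl x509 -in "$3" -pubkey -noout 2>/dev/null || true)
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# check_identity NAME: run key_matches_cert on the recipe's file naming.
check_identity() {
    key_matches_cert "$WORKDIR/keystore-$1.key" \
                     "$WORKDIR/keystore-$1.pass" \
                     "$WORKDIR/keystore-$1.crt"
}

# cert_cn NAME: print the CN, to compare with the host/alias used later in
# the Helm chart and the HTTP request node.
cert_cn() {
    openssl x509 -in "$WORKDIR/keystore-$1.crt" -noout -subject -nameopt RFC2253 \
        | sed 's/.*CN=\([^,]*\).*/\1/'
}

make_identity ExampleServer exampleserver-https-ace.apps.kanand.os.fyre.ibm.com
make_identity ExampleClient exampleclient-https-ace.apps.kanand.os.fyre.ibm.com
make_identity TestTool testtool

for n in ExampleServer ExampleClient TestTool; do
    check_identity "$n" && echo "$n ($(cert_cn "$n")): key and certificate match"
done
```

Run it once and keep the three .pass files alongside the keys; the check functions can be re-run on the config-ExampleServer and config-ExampleClient folders after the copy and rename steps, which is where mispaired files usually appear.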
Download configuration files and "generateSecrets.sh" script
You have two ways to do this.
- Download from github
https://github.com/IBM/charts/tree/master/stable/ibm-ace-server-dev/ibm_cloud_pak/pak_extensions/pre-install
- Download from App Connect Dashboard
Note: The generateSecrets.sh script from github is slightly different from the one downloaded from App Connect Dashboard. The latter uses the hardcoded alias “-mykey” in the script. I personally prefer the one from github. For this recipe, I have used the config files and script from App Connect Dashboard.
Download the configuration files from App Connect Dashboard:
- Login to the App Connect Dashboard through Platform Navigator on CP4I.
- Click on “Create Server”, you will be prompted to add a bar file or choose an existing bar file. Choose whatever option works for you as we just need to get to the next screen and cancel the process.
- On the next screen click on “Download configuration package” and save “config.tar.gz” to your local disk. Click on Cancel.
Configure TLS for ExampleServer application
Let's first prepare the configuration files and create the ACE configuration secret for the ACE server where the ExampleServer app will be deployed.
- Untar “config.tar.gz” to a folder “config-ExampleServer”. By examining the contents you will see files with “-mykey” suffixes; this is the default alias keyword. For this recipe, I have used my own aliases to show you how it works.
- Copy the following files created in Step 2 to the “config-ExampleServer” folder
– keystore-ExampleServer.key
– keystore-ExampleServer.crt
– keystore-ExampleClient.crt ( Rename file to truststoreCert-ExampleClient.crt )
– keystore-TestTool.crt (Rename file to truststoreCert-TestTool.crt)
Although renaming ExampleClient and TestTool’s crt files is not necessary, it is done for easier maintenance in the future.
Edit configuration files:
1. Rename “serverconf.yaml” to “server.conf.yaml” as the generateSecrets.sh script refers to the latter.
2. Edit “server.conf.yaml” and add the following lines, complying with the YAML format. Enabling jvmDebugPort is optional and recommended only for DEV environments.
3. Edit “setdbparms.txt” and add the following lines. These will be used for running mqsisetdbparms at the time of container creation.
ace-server::keystorePass dummy p@ssw0rd
ace-server::truststorePass dummy p@ssw0rd
4. Create a new file “keystore-ExampleServer.pass” and add the password for decrypting “keystore-ExampleServer.key”.
5. Edit “keystorePassword.txt” and add the password for the keystore.jks file to be created.
6. Edit “truststorePassword.txt” and add the password for the truststore.jks file to be created.
7. Finally, edit “generateSecrets.sh” and add the following lines of script anywhere after line 18 (SECRET_ARGS=). If you have used different key and certificate aliases, you might have to update them accordingly.
# Start of changes
if [ -s ./keystore-ExampleServer.key ]; then
SECRET_ARGS="${SECRET_ARGS} --from-file=keystoreKey-ExampleServer=./keystore-ExampleServer.key"
else
SECRET_ARGS="${SECRET_ARGS} --from-literal=keystoreKey-ExampleServer="
fi
if [ -s ./keystore-ExampleServer.crt ]; then
SECRET_ARGS="${SECRET_ARGS} --from-file=keystoreCert-ExampleServer=./keystore-ExampleServer.crt"
else
SECRET_ARGS="${SECRET_ARGS} --from-literal=keystoreCert-ExampleServer="
fi
if [ -s ./keystore-ExampleServer.pass ]; then
SECRET_ARGS="${SECRET_ARGS} --from-file=keystorePass-ExampleServer=./keystore-ExampleServer.pass"
else
SECRET_ARGS="${SECRET_ARGS} --from-literal=keystorePass-ExampleServer="
fi
if [ -s ./truststoreCert-ExampleClient.crt ]; then
SECRET_ARGS="${SECRET_ARGS} --from-file=truststoreCert-ExampleClient=./truststoreCert-ExampleClient.crt"
else
SECRET_ARGS="${SECRET_ARGS} --from-literal=truststoreCert-ExampleClient="
fi
if [ -s ./truststoreCert-TestTool.crt ]; then
SECRET_ARGS="${SECRET_ARGS} --from-file=truststoreCert-TestTool=./truststoreCert-TestTool.crt"
else
SECRET_ARGS="${SECRET_ARGS} --from-literal=truststoreCert-TestTool="
fi
# End of changes
You are now ready to create the ACE configuration secret.
8. To create a secret “example-server”, first perform oc login and switch to the project where you intend to deploy the ACE server. I have used the default “ace” namespace. Issue the command –
./generateSecrets.sh example-server
9. Examine the secret by describing it and checking if all the files you wanted to add are listed in the Data section. Any artifact you intended to create should have a size greater than 0 bytes.
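The if/else blocks added to generateSecrets.sh above grow by five lines per alias, and the --from-literal fallback silently creates an empty secret key, which is exactly the “0 bytes” condition step 9 asks you to look for. The script below is an added example, not the chart's generateSecrets.sh: it keeps the same from-file/from-literal behaviour but drives it from a key=file table, and adds a pre-flight check that names the entries that would be empty before you create the secret. The same table, with the ExampleClient entries substituted, serves the ExampleClient section later. The directory contents are constructed for the demonstration; $DEMO and the oc --dry-run preview are my assumptions, not part of the recipe.

```shell
#!/bin/sh
# Added example, not part of the chart's generateSecrets.sh: a table-driven
# replacement for the hand-written if/else blocks, plus a pre-flight check
# for the "0 bytes" problem that step 9 tells you to look for.
set -eu

# One "<secret key>=<local file>" line per alias (constructed to match the
# recipe's ExampleServer aliases). For the ExampleClient server, swap in its
# three keystore-ExampleClient entries and truststoreCert-ExampleServer.
ENTRIES="
keystoreKey-ExampleServer=keystore-ExampleServer.key
keystoreCert-ExampleServer=keystore-ExampleServer.crt
keystorePass-ExampleServer=keystore-ExampleServer.pass
truststoreCert-ExampleClient=truststoreCert-ExampleClient.crt
truststoreCert-TestTool=truststoreCert-TestTool.crt
"

# build_secret_args DIR: print the extra arguments exactly as the chart
# script does (non-empty file -> --from-file, otherwise an empty
# --from-literal so the key still exists in the secret).
build_secret_args() {
    dir="$1"; args=""
    for entry in $ENTRIES; do
        key="${entry%%=*}"; file="${entry#*=}"
        if [ -s "$dir/$file" ]; then
            args="$args --from-file=$key=$dir/$file"
        else
            args="$args --from-literal=$key="
        fi
    done
    printf '%s' "$args"
}

# list_empty_entries DIR: print the secret keys that would be created empty.
# An empty keystoreKey-* or keystorePass-* means the Integration Server
# starts without the TLS material you expected.
list_empty_entries() {
    dir="$1"
    for entry in $ENTRIES; do
        key="${entry%%=*}"; file="${entry#*=}"
        [ -s "$dir/$file" ] || echo "$key"
    done
}

# preflight DIR: exit status 0 only when every mapped file is non-empty.
preflight() {
    [ -z "$(list_empty_entries "$1")" ]
}

# Demo on a constructed directory with one file deliberately missing.
DEMO="${DEMO:-$(mktemp -d)}"
for f in keystore-ExampleServer.key keystore-ExampleServer.crt \
         keystore-ExampleServer.pass truststoreCert-ExampleClient.crt; do
    echo "constructed placeholder content" > "$DEMO/$f"
done

if preflight "$DEMO"; then
    echo "all secret entries present"
else
    echo "entries that 'oc describe secret' would show as 0 bytes:"
    list_empty_entries "$DEMO"
fi
# With oc logged in, preview the secret without creating it (assumed usage):
#   oc create secret generic example-server $(build_secret_args "$DEMO") \
#       --dry-run=client -o yaml
```

Because the fallback behaviour is unchanged, dropping this into generateSecrets.sh in place of the if/else blocks produces the same secret; the difference is that the pre-flight check tells you which alias is missing before step 9 does.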
You are now ready to create an Integration Server.
10. I am using the ExampleServer Application from the HTTPS tutorial on the ACE toolkit. You may use the bar file bundled in the project.
11. Login to App Connect Dashboard, click on “Create Server” and upload the bar file you want to deploy. If already uploaded, you may choose it from the drop down and click on “Continue” and “Next” on the following page. When prompted for type of integration choose “Toolkit” and click “Next”.
12. On the helm chart UI page, provide a helm release name and configure all essential parameters for deployment. Under the “Integration Server” section provide the secret we created in step 8 and Key and Certificate aliases we used while creating the certificates and keys. Click on “Create” to start deployment.
13. Verify that the deployment is successful. Pods must be in Running status.
14. Get the routes for your freshly deployed ACE server by issuing the “oc get routes” command.
15. To test this deployment with the Postman tool, configure the SSL setting as follows (Settings -> Certificates -> Add Certificate)
16. Invoke the https URL to get a successful response:
You have now successfully configured mutual TLS on an HTTPS service deployed on an ACE container.
Configure PKI for ExampleClient application
If you have gone through the previous section, you will find a lot of common steps here, but with subtle changes.
Let's prepare the configuration files and create the ACE configuration secret for the ACE server where the ExampleClient app will be deployed.
- Untar “config.tar.gz” to a folder “config-ExampleClient”. By examining the contents you will see files with “-mykey” suffixes; this is the default alias keyword. For this recipe, I have used my own aliases to show you how it works.
- Copy the following files created in Step 2 to the “config-ExampleClient” folder
– keystore-ExampleClient.key
– keystore-ExampleClient.crt
– keystore-ExampleServer.crt ( Rename file to truststoreCert-ExampleServer.crt )
Although renaming the ExampleServer’s crt file is not necessary, it is done for easier maintenance in the future.
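The copy steps in this section and in the ExampleServer section define who trusts whom: the server's truststore holds the ExampleClient and TestTool certificates, while the client's truststore holds only the ExampleServer certificate. The script below is an added example and not part of the recipe: it rebuilds that layout with throwaway unencrypted keys and uses openssl verify to confirm each direction of trust, so a missing or misnamed truststoreCert-*.crt is caught before anything is packed into a secret. Assumed: openssl on the PATH, a scratch directory from $WORK or mktemp, and the recipe's host names. To check your real files, point SERVER_DIR and CLIENT_DIR at the config-ExampleServer and config-ExampleClient folders and drop the generation and copy lines.

```shell
#!/bin/sh
# Added example (not from the recipe): verify the trust relationships that
# the copy/rename steps set up, before the secrets are built.
#   server side: keystore = ExampleServer; truststore = ExampleClient + TestTool
#   client side: keystore = ExampleClient; truststore = ExampleServer
# Throwaway unencrypted keys are generated so the check runs offline;
# $WORK, SERVER_DIR and CLIENT_DIR are assumptions for this demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SERVER_DIR="$WORK/config-ExampleServer"
CLIENT_DIR="$WORK/config-ExampleClient"
mkdir -p "$SERVER_DIR" "$CLIENT_DIR"

# throwaway_cert NAME CN: self-signed cert with an unencrypted key (-nodes),
# valid for one day, used only for this offline check.
throwaway_cert() {
    openssl req -newkey rsa:2048 -nodes -x509 -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -subj "/C=IN/ST=Karnataka/L=Bengaluru/O=IBM/OU=ISL/CN=$2" 2>/dev/null
}
throwaway_cert ExampleServer exampleserver-https-ace.apps.kanand.os.fyre.ibm.com
throwaway_cert ExampleClient exampleclient-https-ace.apps.kanand.os.fyre.ibm.com
throwaway_cert TestTool testtool

# Mirror the recipe's copy and rename steps for both servers.
cp "$WORK/ExampleServer.key" "$SERVER_DIR/keystore-ExampleServer.key"
cp "$WORK/ExampleServer.crt" "$SERVER_DIR/keystore-ExampleServer.crt"
cp "$WORK/ExampleClient.crt" "$SERVER_DIR/truststoreCert-ExampleClient.crt"
cp "$WORK/TestTool.crt"      "$SERVER_DIR/truststoreCert-TestTool.crt"
cp "$WORK/ExampleClient.key" "$CLIENT_DIR/keystore-ExampleClient.key"
cp "$WORK/ExampleClient.crt" "$CLIENT_DIR/keystore-ExampleClient.crt"
cp "$WORK/ExampleServer.crt" "$CLIENT_DIR/truststoreCert-ExampleServer.crt"

# trusts DIR PEER_CERT: success when some truststoreCert-*.crt in DIR is the
# issuer of PEER_CERT, i.e. that side would accept the peer in a handshake.
# A self-signed cert is its own issuer, so openssl verify -CAfile applies.
trusts() {
    dir="$1"; peer="$2"
    for ca in "$dir"/truststoreCert-*.crt; do
        [ -f "$ca" ] || continue
        if openssl verify -CAfile "$ca" "$peer" >/dev/null 2>&1; then
            return 0
        fi
    done
    return 1
}

# mutual_tls_ok: both directions must hold for the ExampleClient ->
# ExampleServer call to complete a mutual TLS handshake.
mutual_tls_ok() {
    trusts "$SERVER_DIR" "$CLIENT_DIR/keystore-ExampleClient.crt" &&
    trusts "$CLIENT_DIR" "$SERVER_DIR/keystore-ExampleServer.crt"
}

# report: print the full matrix so a missing copy shows up by name.
report() {
    for peer in ExampleServer ExampleClient TestTool; do
        for side in "$SERVER_DIR" "$CLIENT_DIR"; do
            if trusts "$side" "$WORK/$peer.crt"; then r=trusted; else r=NOT-trusted; fi
            echo "$(basename "$side") -> $peer: $r"
        done
    done
}

report
mutual_tls_ok && echo "mutual TLS trust between ExampleClient and ExampleServer is complete"
```

The matrix makes the asymmetry in this section explicit: the client side reports TestTool as NOT-trusted, which is correct, because the ExampleClient application exposes its own URL over HTTP and never has to authenticate the test tool.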
Edit configuration files:
1. Rename “serverconf.yaml” to “server.conf.yaml” as the generateSecrets.sh script refers to the latter.
2. Edit “server.conf.yaml” and add the following lines, complying with the YAML format. Enabling jvmDebugPort is recommended only for DEV environments.
3. Edit “setdbparms.txt” and add the following lines. These will be used for running mqsisetdbparms at the time of container creation.
ace-client::keystorePass dummy p@ssw0rd
ace-client::truststorePass dummy p@ssw0rd
4. Create a new file “keystore-ExampleClient.pass” and add the password for decrypting “keystore-ExampleClient.key”.
5. Edit “keystorePassword.txt” and add the password for the keystore.jks file to be created.
6. Edit “truststorePassword.txt” and add the password for the truststore.jks file to be created.
7. Finally, edit “generateSecrets.sh” and add the following lines of script anywhere after line 18 (SECRET_ARGS=). If you have used different key and certificate aliases, you might have to update them accordingly. You will notice we do not add the TestTool certificate, as the ExampleClient application exposes its URL over HTTP.
# Start of changes
if [ -s ./keystore-ExampleClient.key ]; then
SECRET_ARGS="${SECRET_ARGS} --from-file=keystoreKey-ExampleClient=./keystore-ExampleClient.key"
else
SECRET_ARGS="${SECRET_ARGS} --from-literal=keystoreKey-ExampleClient="
fi
if [ -s ./keystore-ExampleClient.crt ]; then
SECRET_ARGS="${SECRET_ARGS} --from-file=keystoreCert-ExampleClient=./keystore-ExampleClient.crt"
else
SECRET_ARGS="${SECRET_ARGS} --from-literal=keystoreCert-ExampleClient="
fi
if [ -s ./keystore-ExampleClient.pass ]; then
SECRET_ARGS="${SECRET_ARGS} --from-file=keystorePass-ExampleClient=./keystore-ExampleClient.pass"
else
SECRET_ARGS="${SECRET_ARGS} --from-literal=keystorePass-ExampleClient="
fi
if [ -s ./truststoreCert-ExampleServer.crt ]; then
SECRET_ARGS="${SECRET_ARGS} --from-file=truststoreCert-ExampleServer=./truststoreCert-ExampleServer.crt"
else
SECRET_ARGS="${SECRET_ARGS} --from-literal=truststoreCert-ExampleServer="
fi
# End of changes
You are now ready to create the ACE configuration secret.
8. To create a secret “example-client”, first perform oc login and switch to the project where you intend to deploy the ACE server. I have used the default “ace” namespace. Issue the command –
./generateSecrets.sh example-client
9. Examine the secret by describing it and checking if all the files you wanted to add are listed in the Data section. Issue the command “oc describe secret example-client“. Any artifact you intended to create should have a size greater than 0 bytes. You are now ready to create an Integration Server for ExampleClient.
10. I am using the ExampleClient Application from the HTTPS tutorial on the ACE toolkit. Note, you will need to update the value of “SSL client authentication key alias” to “exampleclient” in the HTTP request node SSL setting. Be sure to update this in all lowercase.
11. Create a bar file and prepare for deployment.
12. Login to App Connect Dashboard, click on “Create Server” and upload the bar file you want to deploy. Click on “Continue” and “Next” on the following page. When prompted for type of integration choose “Toolkit” and click “Next”.
13. On the helm chart UI page, provide a helm release name and configure all essential parameters for deployment. Under the “Integration Server” section provide the secret we created in step 8 and Key and Certificate aliases we used while creating the certificates and keys. Click on “Create” to start deployment.
14. Verify that the deployment is successful. Pods must be in Running status.
15. Get the routes for your freshly deployed ACE server by issuing the “oc get routes” command.
16. Test ExampleClient App from Postman using the HTTP route.
Conclusion
You have now successfully exposed a mutual TLS secured HTTPS service on an ACE container hosted on Cloud Pak for Integration (CP4I).
You have also configured TLS on an ACE server container on CP4I to consume a mutual TLS enabled HTTPS service.