Enabling TLS for App Connect Enterprise HTTP Input and HTTP Request nodes on Cloud Pak for Integration v2020.1

Mon September 20, 2021 01:46 PM

Originally published on May 25, 2020 as an IBM Developer Recipe  / Updated on June 4, 2020

Overview

Skill Level: Any Skill Level

Cloud Pak for Integration, App Connect Enterprise, ACE

This recipe demonstrates how to create a PKI with ACE v11.0.0.8 on Cloud Pak for Integration v2020.1 using self-signed certificates, in order to send data securely over HTTPS.

Ingredients

Prerequisites:

1. Admin access to App Connect Dashboard and ICP console on Cloud Pak for Integration.

2. A workstation with the ACE toolkit, OpenSSL and the OpenShift command-line tools installed.

 

Overview:

For this recipe, I have used artifacts from the ACE toolkit tutorial "Using HTTPS and certificates with the HTTPInput, HTTPReply and HTTPRequest nodes". Since we are deploying ACE applications to containers on the OpenShift platform, the implementation instructions in this recipe differ from what is described in the tutorial.

 

Here is an overview of what we intend to accomplish in this recipe.




Description:

  1. ExampleServer Application - Contains a message flow which exposes a service on HTTPS with mutual TLS. It echoes back a hardcoded message to the client upon a successful TLS handshake. To successfully invoke this service, a client must present a certificate which has been imported into the truststore of the ACE server where the ExampleServer app is deployed.
  2. ExampleClient Application - Contains a message flow which invokes ExampleServer's HTTPS endpoint with mutual TLS using an HTTP Request node. The message flow exposes the application over HTTP and can be invoked by a test tool without any TLS handshake.
  3. Testing tool - The recipe uses Postman to invoke ExampleServer over HTTPS and ExampleClient over HTTP.

Step-by-step

  1. Create the keys and certificates for ExampleServer App, ExampleClient App and Testing Tool

    I have used openssl to create public certificates and encrypted private keys. When you execute the commands, you will be prompted to enter a password to secure each private key. Note down these passwords as you will need them later in this recipe. For simplicity, I have used the same password for all keys, truststores and keystores.

     

    Key and certificates for ExampleServer App:

    openssl req -newkey rsa:2048 -keyout keystore-ExampleServer.key -x509 -days 365 -out keystore-ExampleServer.crt \
    -subj "/C=IN/ST=Karnataka/L=Bengaluru/O=IBM/OU=ISL/CN=exampleserver-https-ace.apps.kanand.os.fyre.ibm.com"

     

    Key and certificates for ExampleClient App:

    openssl req -newkey rsa:2048 -keyout keystore-ExampleClient.key -x509 -days 365 -out keystore-ExampleClient.crt \
    -subj "/C=IN/ST=Karnataka/L=Bengaluru/O=IBM/OU=ISL/CN=exampleclient-https-ace.apps.kanand.os.fyre.ibm.com"

     

    Key and certificates for Testing tool:

    openssl req -newkey rsa:2048 -keyout keystore-TestTool.key -x509 -days 365 -out keystore-TestTool.crt \
    -subj "/C=IN/ST=Karnataka/L=Bengaluru/O=IBM/OU=ISL/CN=testtool"

     

    Sample output:


    After executing all 3 commands, you should have 3 sets of keys and certificates ready to use.

    • keystore-ExampleServer.key
    • keystore-ExampleServer.crt
    • keystore-ExampleClient.key
    • keystore-ExampleClient.crt
    • keystore-TestTool.key
    • keystore-TestTool.crt
  2. Download configuration files and "generateSecrets.sh" script

    You have two ways to do this.

    • Download from github
      https://github.com/IBM/charts/tree/master/stable/ibm-ace-server-dev/ibm_cloud_pak/pak_extensions/pre-install
    • Download from App Connect Dashboard

    Note: The generateSecrets.sh script from github is slightly different from the one downloaded from App Connect Dashboard. The latter uses the hardcoded alias “-mykey” in the script. I personally prefer the one from github. For this recipe, I have used the config files and script from App Connect Dashboard.

     

    Download the configuration files from App Connect Dashboard:

    1. Login to the App Connect Dashboard through Platform Navigator on CP4I.
    2. Click on “Create Server”; you will be prompted to add a bar file or choose an existing bar file. Choose whichever option works for you, as we just need to get to the next screen and cancel the process.
    3. On the next screen click on “Download configuration package” and save “config.tar.gz” to your local disk. Click on Cancel.


    Configure TLS for ExampleServer application

    Let's first prepare the configuration files and create the ACE configuration secret for the ACE server where the ExampleServer app will be deployed.

    1. Untar “config.tar.gz” to a folder “config-ExampleServer”. By examining the contents you will see files with “-mykey” suffixes; this is the default alias keyword. For this recipe, I have used my own aliases to show you how it works.
    2. Copy the following files, created when you generated the keys and certificates, to the “config-ExampleServer” folder:

    – keystore-ExampleServer.key
    – keystore-ExampleServer.crt
    – keystore-ExampleClient.crt (rename the file to truststoreCert-ExampleClient.crt)
    – keystore-TestTool.crt (rename the file to truststoreCert-TestTool.crt)
     

    Although renaming ExampleClient and TestTool’s crt files is not necessary, it is done for easier maintenance in the future.

     

    Edit configuration files:

    1.  Rename “serverconf.yaml” to “server.conf.yaml”, as the generateSecrets.sh script refers to the latter.

    2.  Edit the “server.conf.yaml” file and add the following lines, keeping to the YAML format. Enabling jvmDebugPort is optional and recommended only for DEV environments.


    3.  Edit “setdbparams.txt” and add the following lines. These will be used for running mqsisetdbparms at the time of container creation.

    ace-server::keystorePass dummy p@ssw0rd
    ace-server::truststorePass dummy p@ssw0rd

     

    4.  Create a new file “keystore-ExampleServer.pass” and add the password for decrypting “keystore-ExampleServer.key”.

    5.  Edit “keystorePassword.txt” and add the password for the keystore.jks file to be created.

    6.  Edit “truststorePassword.txt” and add the password for the truststore.jks file to be created.

    7.  Finally, edit the “generateSecrets.sh” file and add the following lines of script anywhere after line 18 (SECRET_ARGS=). If you have used different key and certificate aliases, you might have to update them accordingly.

    # Start of changes
    # ExampleServer key, certificate and key password: taken from the file when it
    # exists and is non-empty, otherwise added as an empty literal (step 9 checks sizes).
    if [ -s ./keystore-ExampleServer.key ]; then
        SECRET_ARGS="${SECRET_ARGS} --from-file=keystoreKey-ExampleServer=./keystore-ExampleServer.key"
    else
        SECRET_ARGS="${SECRET_ARGS} --from-literal=keystoreKey-ExampleServer="
    fi
    if [ -s ./keystore-ExampleServer.crt ]; then
        SECRET_ARGS="${SECRET_ARGS} --from-file=keystoreCert-ExampleServer=./keystore-ExampleServer.crt"
    else
        SECRET_ARGS="${SECRET_ARGS} --from-literal=keystoreCert-ExampleServer="
    fi
    if [ -s ./keystore-ExampleServer.pass ]; then
        SECRET_ARGS="${SECRET_ARGS} --from-file=keystorePass-ExampleServer=./keystore-ExampleServer.pass"
    else
        SECRET_ARGS="${SECRET_ARGS} --from-literal=keystorePass-ExampleServer="
    fi
    # Trust anchors for the two peers allowed to call ExampleServer with mutual TLS.
    if [ -s ./truststoreCert-ExampleClient.crt ]; then
        SECRET_ARGS="${SECRET_ARGS} --from-file=truststoreCert-ExampleClient=./truststoreCert-ExampleClient.crt"
    else
        SECRET_ARGS="${SECRET_ARGS} --from-literal=truststoreCert-ExampleClient="
    fi
    if [ -s ./truststoreCert-TestTool.crt ]; then
        SECRET_ARGS="${SECRET_ARGS} --from-file=truststoreCert-TestTool=./truststoreCert-TestTool.crt"
    else
        SECRET_ARGS="${SECRET_ARGS} --from-literal=truststoreCert-TestTool="
    fi
    # End of changes

    You are now ready to create the ACE configuration secret. 

     

    8.  To create a secret “example-server”, first perform oc login and switch to the project where you intend to deploy the ACE server. I have used the default “ace” namespace. Issue the command:

    ./generateSecrets.sh example-server

     

    9.  Examine the secret by describing it and check that all the files you wanted to add are listed in the Data section. Any artifact you intended to create should have a size greater than 0 bytes.


    You are now ready to create an Integration Server.

     

    10.  I am using the ExampleServer Application from the HTTPS tutorial in the ACE toolkit. You may use the bar file bundled with the project.

     

    11.  Login to App Connect Dashboard, click on “Create Server” and upload the bar file you want to deploy. If it is already uploaded, you may choose it from the drop-down; click on “Continue” and “Next” on the following page. When prompted for the type of integration choose “Toolkit” and click “Next”.

    12.  On the helm chart UI page, provide a helm release name and configure all essential parameters for deployment. Under the “Integration Server” section provide the secret we created in step 8 and the key and certificate aliases we used while creating the certificates and keys. Click on “Create” to start deployment.


    13.  Verify that the deployment is successful. Pods must be in Running status.

    14.  Get the routes for your freshly deployed ACE server by issuing the “oc get routes” command.

     

    15.  To test this deployment with the Postman tool, configure the SSL settings as follows (Settings -> Certificates -> Add Certificate):

     

    16.  Invoke the https URL to get a successful response:


    You have now successfully configured mutual TLS on an HTTPS service deployed in an ACE container.

  3. Configure PKI for ExampleClient application

    If you have gone through the previous section, you will find a lot of common steps here, but with subtle changes.

     

    Let's prepare the configuration files and create the ACE configuration secret for the ACE server where the ExampleClient app will be deployed.

    1. Untar “config.tar.gz” to a folder “config-ExampleClient”. By examining the contents you will see files with “-mykey” suffixes; this is the default alias keyword. For this recipe, I have used my own aliases to show you how it works.
    2. Copy the following files, created when you generated the keys and certificates, to the “config-ExampleClient” folder:
      – keystore-ExampleClient.key
      – keystore-ExampleClient.crt
      – keystore-ExampleServer.crt (rename the file to truststoreCert-ExampleServer.crt)
       

    Although renaming the ExampleServer’s crt file is not necessary, it is done for easier maintenance in the future.

     

    Edit configuration files:

    1.  Rename “serverconf.yaml” to “server.conf.yaml”, as the generateSecrets.sh script refers to the latter.
    2.  Edit the “server.conf.yaml” file and add the following lines, keeping to the YAML format. Enabling jvmDebugPort is recommended only for DEV environments.

    3.  Edit “setdbparams.txt” and add the following lines. These will be used for running mqsisetdbparams at the time of container creation.

    ace-client::keystorePass dummy p@ssw0rd
    ace-client::truststorePass dummy p@ssw0rd

     

    4.  Create a new file “keystore-ExampleClient.pass” and add the password for decrypting “keystore-ExampleClient.key”.

    5.  Edit “keystorePassword.txt” and add the password for the keystore.jks file to be created.

    6.  Edit “truststorePassword.txt” and add the password for the truststore.jks file to be created.

    7.  Finally, edit the “generateSecrets.sh” file and add the following lines of script anywhere after line 18 (SECRET_ARGS=). If you have used different key and certificate aliases, you might have to update them accordingly. You will notice we do not add the TestTool certificate, as the ExampleClient application exposes its URL over HTTP.

    # Start of changes
    # ExampleClient key, certificate and key password: taken from the file when it
    # exists and is non-empty, otherwise added as an empty literal (step 9 checks sizes).
    if [ -s ./keystore-ExampleClient.key ]; then
        SECRET_ARGS="${SECRET_ARGS} --from-file=keystoreKey-ExampleClient=./keystore-ExampleClient.key"
    else
        SECRET_ARGS="${SECRET_ARGS} --from-literal=keystoreKey-ExampleClient="
    fi
    if [ -s ./keystore-ExampleClient.crt ]; then
        SECRET_ARGS="${SECRET_ARGS} --from-file=keystoreCert-ExampleClient=./keystore-ExampleClient.crt"
    else
        SECRET_ARGS="${SECRET_ARGS} --from-literal=keystoreCert-ExampleClient="
    fi
    if [ -s ./keystore-ExampleClient.pass ]; then
        SECRET_ARGS="${SECRET_ARGS} --from-file=keystorePass-ExampleClient=./keystore-ExampleClient.pass"
    else
        SECRET_ARGS="${SECRET_ARGS} --from-literal=keystorePass-ExampleClient="
    fi
    # Trust anchor for the ExampleServer endpoint that the HTTP Request node calls.
    if [ -s ./truststoreCert-ExampleServer.crt ]; then
        SECRET_ARGS="${SECRET_ARGS} --from-file=truststoreCert-ExampleServer=./truststoreCert-ExampleServer.crt"
    else
        SECRET_ARGS="${SECRET_ARGS} --from-literal=truststoreCert-ExampleServer="
    fi
    # End of changes
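The if/else blocks added to generateSecrets.sh for ExampleServer and for ExampleClient follow one pattern, so here is a generalized form as an added example (my own code, not the recipe's or the IBM chart's). The key, certificate and .pass file abort the script when missing or empty instead of silently becoming the empty --from-literal entry that step 9 asks you to catch afterwards; trust-anchor certificates keep the original fallback. File and secret key names follow the recipe's convention; the function names are assumptions.

```shell
#!/bin/sh
# Added example: generalizes the generateSecrets.sh additions above.
# Required inputs fail fast; optional trust anchors keep the empty-literal fallback.
MISSING=0

# add_secret_entry <required|optional> <secret-key> <file>
# Appends --from-file when the file exists and is non-empty (same -s test as the recipe).
add_secret_entry() {
    if [ -s "$3" ]; then
        SECRET_ARGS="${SECRET_ARGS} --from-file=$2=$3"
    elif [ "$1" = "required" ]; then
        echo "error: '$3' for secret key '$2' is missing or empty" >&2
        MISSING=$((MISSING + 1))
    else
        # Same fallback as the recipe's else branches: key present, value empty.
        SECRET_ARGS="${SECRET_ARGS} --from-literal=$2="
    fi
}

# build_tls_args <keystore-alias> [truststore-alias ...]
# Appends to the SECRET_ARGS the script has already built. File names follow the
# recipe: keystore-<alias>.key/.crt/.pass and truststoreCert-<alias>.crt in the
# current config folder. Returns non-zero when any required file is absent, so
# the caller can stop before a secret with empty TLS material is created.
build_tls_args() {
    ks="$1"; shift
    MISSING=0
    add_secret_entry required "keystoreKey-${ks}"  "./keystore-${ks}.key"
    add_secret_entry required "keystoreCert-${ks}" "./keystore-${ks}.crt"
    add_secret_entry required "keystorePass-${ks}" "./keystore-${ks}.pass"
    for ts in "$@"; do
        add_secret_entry optional "truststoreCert-${ts}" "./truststoreCert-${ts}.crt"
    done
    [ "$MISSING" -eq 0 ]
}

# Usage inside generateSecrets.sh, after its SECRET_ARGS= line:
#   build_tls_args ExampleServer ExampleClient TestTool || exit 1
#   build_tls_args ExampleClient ExampleServer || exit 1   # ExampleClient's server
```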

    You are now ready to create the ACE configuration secret.

     

    8.  To create a secret “example-client”, first perform oc login and switch to the project where you intend to deploy the ACE server. I have used the default “ace” namespace. Issue the command:

    ./generateSecrets.sh example-client

     

    9.  Examine the secret by describing it and check that all the files you wanted to add are listed in the Data section. Issue the command “oc describe secret example-client”. Any artifact you intended to create should have a size greater than 0 bytes. You are now ready to create an Integration Server for ExampleClient.

    10.  I am using the ExampleClient Application from the HTTPS tutorial in the ACE toolkit. Note that you will need to update the value of “SSL client authentication key alias” to “exampleclient” in the HTTP Request node's SSL settings. Be sure to enter this in all lowercase.


     

    11.  Create a bar file and prepare for deployment.
     

    12.  Login to App Connect Dashboard, click on “Create Server” and upload the bar file you want to deploy. Click on “Continue” and “Next” on the following page. When prompted for the type of integration choose “Toolkit” and click “Next”.
     

    13.  On the helm chart UI page, provide a helm release name and configure all essential parameters for deployment. Under the “Integration Server” section provide the secret we created in step 8 and the key and certificate aliases we used while creating the certificates and keys. Click on “Create” to start deployment.

    14.  Verify that the deployment is successful. Pods must be in Running status.

    15.  Get the routes for your freshly deployed ACE server by issuing the “oc get routes” command.

     

    16.  Test ExampleClient App from Postman using the HTTP route.

    Conclusion

    You have now successfully exposed a mutual TLS secured HTTPS service in an ACE container hosted on Cloud Pak for Integration (CP4I).

    You have also configured TLS on an ACE server container on CP4I to consume a mutual TLS enabled HTTPS service.

