Secure integration of WebSphere Service Registry and Repository V8 with WebSphere DataPower V5

This article shows you how to configure WebSphere Service Registry and Repository V8 and WebSphere DataPower V5 SOA Appliances for secure connectivity and integration.

Stephen Willoughby (stephen.willoughby@uk.ibm.com), Solution Test Specialist, WebSphere Service Registry and Repository Development team, IBM

Stephen Willoughby is a Solution Test Specialist on the WebSphere Service Registry and Repository Development team. He joined IBM in 2000 as a student and then again as a graduate in 2002. In 2006, he joined the WebSphere Service Registry and Repository Development team and has been a tester there ever since, specializing in re-creating customer scenarios. You can contact Stephen at stephen.willoughby@uk.ibm.com.



Jason K. Yong (jason_yong@uk.ibm.com), Test Specialist, WebSphere Service Registry and Repository Development team, IBM

Jason Yong is a Test Specialist on the WebSphere Service Registry and Repository Development team. He joined IBM as a graduate in 2001 and has worked as a tester on various WebSphere products before joining the WebSphere Service Registry and Repository Development team in 2009. You can contact Jason at jason_yong@uk.ibm.com.



10 October 2012


Introduction

IBM® WebSphere® Service Registry and Repository (hereafter called WSRR) is a system for storing, accessing and managing information, commonly referred to as service metadata, used in the selection, invocation, management, governance, and reuse of services in an SOA. In other words, it is where you store information about services residing in your systems or other organizations' systems that you already use, plan to use, or want to be aware of. For example, an application can check WSRR just before invoking a service in order to locate the service instance best satisfying its functional and performance requirements.

WSRR can also play a role in other stages of the SOA life cycle. It includes a registry that stores information about services, such as their interfaces, operations, and parameters, and a metadata repository that provides a robust, extensible framework to accommodate the diverse nature of service usage. WSRR also provides management and governance capabilities that help you to get the most business value from your SOA.

You can also use WSRR to author and store policy documents and policy attachments. You can then create policy documents, attach them to objects stored in WSRR, and have the policies enforced at runtime by a policy enforcement point (PEP), such as WebSphere DataPower. In summary, WSRR is an essential component of a successful SOA.

WebSphere DataPower® Appliances (hereafter called DataPower) enable wire-speed XML transformation. DataPower V5 can subscribe to a service stored in WSRR and automatically enforce any policies attached to the service's objects.

This article will show how to configure DataPower and a WSRR server to communicate with one another and to exchange certificates.

Requirements

  • WSRR V8.0 (or later) with security enabled
  • A WSRR configuration profile deployed and activated as the WSRR Governance Enablement Profile (GEP)
  • WebSphere Business Space installed and configured to work with WSRR, and spaces based on each of the four WSRR templates
  • WebSphere DataPower V5.0

Configuring DataPower

In order for DataPower and WSRR to communicate with each other, you need to create several objects within DataPower. Because security is enabled on the WebSphere Application Server instance that hosts WSRR (a requirement of this article), DataPower connects to WSRR over HTTPS and must be able to validate the certificate that WSRR presents. You therefore need to export that certificate using a browser, upload it into DataPower as the validation credential for the connection, and create a WSRR Server object that uses it.

Importing the SSL certificate

Using Firefox:

  1. Log in to the WebSphere Application Server Administration Console.
  2. Right-click on the page and select View Page Info.
  3. On the Security tab, click View Certificate.
  4. Switch to the Details tab and click Export.
  5. Give the certificate a suitable name and select the type (such as DER). Click Save.

Using Internet Explorer:

  1. Ensure that Protected Mode is off: go to Tools => Internet options => Security and untick Enable Protected Mode. Only the export dialog needs this, so re-enable Protected Mode as soon as you have saved the certificate.
  2. Log in to the WebSphere Application Server Administration Console.
  3. Right-click on the page, select Properties, and then click on Certificates.
  4. Go to the Details tab, click Copy to file, and follow the directions given by the Certificate Export Wizard. You now have the certificate and are ready to import it into DataPower.

Whichever browser you use, also note the certificate's fingerprint (thumbprint) from the Details tab. Compare it with the fingerprint that WebSphere Application Server shows for its own server certificate (Security => SSL certificate and key management => Key stores and certificates => NodeDefaultKeyStore => Personal certificates). A browser export trusts whatever the browser received over the network, and this comparison is your check that you are about to make DataPower trust the genuine WSRR certificate rather than one substituted by an intercepting proxy.

Creating the SSL artifacts in DataPower

  1. From the DataPower Web UI at https://yourserver:9090, log in to your domain.
  2. Select Objects => Crypto Configuration => SSL Proxy Profile from the menu on the left and then click Add:
    [Figure: Creating an SSL Proxy Profile]
  3. In the new window, enter a name for the SSL proxy, such as WSRR_hostname_SSL_Proxy.
  4. Change the SSL Direction to Forward and then click on the + button to create a Forward (Client) Crypto Profile:
    [Figure: Configuring the SSL Proxy Profile]
  5. In the new window, enter a name for the Forward (Client) Crypto Profile, such as WSRR_hostname_Forward_Crypto_Profile, and then click the + button next to Validation Credentials:
    [Figure: Configuring the Crypto Profile]
  6. Enter a name for the Validation Credentials, such as WSRR_hostname_Crypto_Validation, and then click the + button:
    [Figure: Configuring the Validation Credentials]
  7. Enter a name for the Crypto Certificate, such as WSRR_hostname_Crypto_Certificate, and then click Upload.
  8. In the new window, browse for the certificate that you previously saved and click Upload.
  9. Now go back up the chain of windows, clicking Apply in each. You should end up back at the Configure SSL Proxy Profile page. After applying, save your configuration by clicking Save Config at the top right:
    [Figure: Uploading the Certificate]

Creating a WSRR server object

  1. From the menu on the left, select Objects => Configuration Management => WSRR Server and then click Add:
    [Figure: Creating the WSRR Server object]
  2. Enter a name for the server, such as WSRR_hostname_WSRR_Server. Modify the SOAP URL and WSRR Server Version to match those of your server.
  3. Since security is enabled for the WebSphere Application Server instance hosting WSRR, enter a username and password. Use an account created for DataPower rather than the WebSphere administrative account: the credentials are stored in the DataPower configuration, and the account needs no more WSRR rights than the retrieval and subscription operations that DataPower performs.
  4. From the drop-down menu, select the SSL Proxy Profile that you created above and click Apply. Save the configuration:
    [Figure: Configuring the WSRR Server object]

Enabling WSRR subscription

If you want to use the automatic synchronization method between WSRR and DataPower, you need to have a DataPower administrator enable WSRR subscription from the XML Management Interface (XMI). For more information, see Enabling interface services in the DataPower information center.

Configuring WSRR

Now that your DataPower appliance is set up, it's time to configure WSRR and its WebSphere Application Server instance, which involves importing the DataPower certificate and enabling the Subscription Notifier scheduled service.

Importing the certificate

Importing the certificate from DataPower into WebSphere Application Server is fortunately much easier than it was the other way.

  1. Log in to the WebSphere Integrated Solution Console (or Administration Console) with a user id that has Administrator privileges.
  2. Expand Security on the left and click SSL certificate and key management.
  3. On the right under Related Items, click Key stores and certificates.
  4. Assuming you're using the default settings, click NodeDefaultTrustStore, and then under Additional Properties, click Signer certificates.
  5. On the new page, click Retrieve from port and then enter the following details:

     Details for retrieving the DataPower certificate into WebSphere Application Server

     Parameter   Description                                                         Example value
     ---------   -----------------------------------------------------------------   -------------------
     Host        Host name of the DataPower appliance                                mqxi50.mydomain.com
     Port        A port on which the DataPower appliance accepts TLS connections.    9090
                 9090 is the Web UI. WAS retrieves only the certificate presented
                 on the port you name, so if the XML Management Interface (port
                 5550 by default), which DataPower uses for WSRR subscription
                 traffic, has its own SSL configuration, retrieve from that port
                 instead.
     Alias       Local name of your choice to identify the certificate.             datapower

  6. After you have entered these values, click Retrieve signer information. Before you accept the result, compare the fingerprint (SHA digest) that WAS displays with one obtained independently, for example from the DataPower administrator: this retrieval trusts whatever answered on that port, and the fingerprint comparison is the only check that it was the appliance itself. When the values match, click OK or Apply.
  7. Click Save at the top to save your changes. If you have accepted the default selection Dynamically update the run time when SSL configuration changes occur, then you do not need to restart WebSphere Application Server.
  8. Log out from the Administration Console.
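The browser export in the DataPower section and the Retrieve from port step above both accept whatever certificate arrives over the network, so the check worth doing in each direction is to compare the fingerprint the UI shows with one obtained separately. The following script is an added example and is not part of the original article: it uses the openssl command-line tool to fetch the certificate chain a TLS endpoint presents, prints subject, issuer, expiry and fingerprints for every certificate in it, converts each to DER for upload as a DataPower Crypto Certificate, and checks whether the last certificate of the chain (normally the self-signed root) validates the endpoint. Run it once against the WSRR port (9443 in this article) to get the DER file and fingerprint for DataPower, and once against the DataPower port that WAS will retrieve from (the XML Management Interface, 5550 by default, or 9090 as in the table) to get the fingerprint to compare with the WAS dialog. The host names, ports and output paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: inspect the certificates a
# TLS endpoint presents, check their fingerprints, and produce DER files for
# upload into DataPower. Requires the openssl command-line tool.
# Host names, ports and paths are placeholders chosen for illustration.
set -e

# Split a stream of PEM certificates (stdin) into $1/cert-0.pem (the leaf),
# $1/cert-1.pem (its issuer), ... and print how many were written.
split_chain() {
    mkdir -p "$1"
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/cert-%d.pem", dir, n++) }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }'
    ls "$1"/cert-*.pem 2>/dev/null | wc -l | tr -d ' '
}

# Fetch the chain presented by host $1 on port $2 into directory $3.
# Unlike a browser export this shows every certificate, not only the leaf.
fetch_chain() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts \
        </dev/null 2>/dev/null | split_chain "$3"
}

# Colon-separated fingerprint of PEM certificate $2 using digest $1.
# sha1 is the form the WAS "Retrieve from port" page displays; record sha256.
fingerprint() {
    openssl x509 -in "$2" -noout -fingerprint "-$1" | cut -d= -f2
}

# Subject, issuer and expiry: tells a leaf from a root and shows how soon a
# leaf uploaded into DataPower will need replacing.
describe() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate
}

# Convert PEM to DER, the form the article uploads as a Crypto Certificate.
pem_to_der() {
    openssl x509 -in "$1" -outform DER -out "$2"
}

# Return success if trust anchor $3 (a self-signed root, for example the last
# file written by split_chain) validates the chain served by $1:$2.
verify_endpoint() {
    openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

# Usage: ./certcheck.sh <host> <port> [outdir]
#   ./certcheck.sh wsrr.example.com 9443 ./wsrr-certs   # WSRR side
#   ./certcheck.sh dp.example.com   5550 ./dp-certs     # DataPower XMI side
if [ "$#" -ge 2 ]; then
    out=${3:-./certs}
    n=$(fetch_chain "$1" "$2" "$out")
    [ "$n" -gt 0 ] || { echo "no certificates received from $1:$2"; exit 1; }
    echo "$n certificate(s) received from $1:$2"
    for pem in "$out"/cert-*.pem; do
        echo "== $pem"
        describe "$pem"
        echo "SHA1   $(fingerprint sha1 "$pem")"
        echo "SHA256 $(fingerprint sha256 "$pem")"
        pem_to_der "$pem" "${pem%.pem}.der"
    done
    last=$(ls "$out"/cert-*.pem | tail -n 1)
    if verify_endpoint "$1" "$2" "$last"; then
        echo "chain verifies against $last"
    else
        echo "WARNING: $last does not validate $1:$2 (not self-signed, or chain incomplete)"
    fi
fi
```

A WebSphere Application Server default server certificate is signed by the node's own root certificate, so the chain from the WSRR port normally has two entries: cert-0.pem is the server certificate, which is renewed far more often than the root, and the last file is the root. Uploading the root into the Validation Credentials keeps DataPower trusting WSRR across a server-certificate renewal, provided the Validation Credentials object's certificate validation mode accepts the immediate issuer rather than requiring an exact certificate match; uploading the leaf, as the article does, works with either mode but must be repeated whenever WAS renews that certificate.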

Configuring the Subscription Notifier

A newly installed WSRR with a new GEP will have the Subscription Notifier disabled. However, if there is a chance that you are not using a new installation of WSRR, then the Subscription Notifier might already be enabled, since it is used by products other than DataPower.

  1. Navigate to the WSRR Web UI, typically, https://yourserver:9443/ServiceRegistry. Change to the Configuration perspective at the top right.
  2. Under the Active Profile menu, select Scheduler. In the list of Scheduler Configurations, click SubscriptionNotifierPluginScheduler. This page contains the settings for the Subscription Notifier scheduled task. In the XML editing window, ensure that the XML looks like the code below, in particular the interval, enabled and granularity elements:
    Scheduler values to update
    <scheduler-configuration
      xmlns="http://www.ibm.com/xmlns/prod/serviceregistry/6/1/SchedulerProperties">
        <scheduler-task name="SubscriptionNotifierPluginMessageTask">
            <type>Message</type>
            <subscriptions>
                <topic>jms/SubscriptionTopic</topic>
            </subscriptions>
            <interval>30</interval>
            <class>com.ibm.sr.subscriptionnotifier.plugin.SubscriptionNotifierPluginMessageTask</class>
            <enabled>true</enabled>
            <startTimeOffset>1</startTimeOffset>
            <intervalGranularity>seconds</intervalGranularity>
            <startTimeOffsetGranularity>seconds</startTimeOffsetGranularity>
            <transactionality>perMessage</transactionality>
        </scheduler-task>
    </scheduler-configuration>
  3. Click OK to apply your changes. The above parameters are okay for experimenting and for following this article, but you should not operate the scheduler so frequently in a production system, where the default value of 5 minutes is more appropriate.
  4. Verify that the HTTP Post Notifier plug-in settings are correct: In the Active Profile menu, select Notifiers => Subscription Notifier.
  5. In the list of Subscription Notifier Configurations, click SubscriptionNotifierPluginConfiguration. Find the following XML element and ensure that it is not commented out (XML comments start with <!-- and end with -->):
    HTTP Post Notifier plug-in settings
    <Plugin
      identifier="com.ibm.sr.subscriptionnotifier.plugin.httppost.HttpPostNotifierPlugin"
      class="com.ibm.sr.subscriptionnotifier.plugin.httppost.HttpPostNotifierPlugin"
      type="httppost" />
  6. Click OK to apply your changes.

Conclusion

This article showed you how to set up your WSRR server and DataPower Appliance for communication, including how to import the SSL certificate from WSRR and specify the WSRR server definition in DataPower. The article also showed you how to import the DataPower SSL certificate into WebSphere Application Server and enable the Subscription Notifier in WSRR. Now you are ready to subscribe to web services that are registered and governed in WSRR, using a DataPower Web Services Proxy. Any policies that you have attached to your services will automatically be loaded into DataPower and enforced.
