Configuring secured Web service calls from WebSphere Process Server V7 to a non-WebSphere server via SSL

This tutorial provides steps to configure SSL for a Web service call from WebSphere® Process Server to a non-WebSphere Web service. It covers generating client and sample server keys, importing certificates, configuring the SOAP UI for SSL, mocking up the Web service, and testing the SSL connection.

Keerthana Sharath (keerthana.sharath@in.ibm.com), IT Specialist, IBM

Keerthana Sharath is an Application Integration and Middleware Solutions Specialist with WebSphere Lab Services at IBM India Software Labs. She has worked on customer engagements involving various products, such as WebSphere Application Server, WebSphere Process Server, ILOG, and WebSphere Lombardi. She has also worked with WebSphere Education Development to develop and deliver WebSphere courses. Keerthana is a certified WebSphere Application Server Administrator, WebSphere Process Server Administrator, and WebSphere Lombardi Business Process Developer.



21 December 2011

Before you start

Configuring Secure Sockets Layer (SSL) is an important part of securing Web service calls. SSL is used to secure the transport of SOAP messages between a client and a Web service over HTTP.

This tutorial provides steps to configure SSL for a Web service request from WebSphere Process Server (hereafter called Process Server) to a Web service running outside the WebSphere environment. In many scenarios, during the development of Process Server and WebSphere Enterprise Service Bus (ESB) modules, a developer depends on external systems or Web services being available in order to configure and test SSL. This tutorial removes the need for the endpoint to be available and running: it generates sample server keys and mocks the Web service with the SOAP UI so that SSL can be configured and tested.

Consider the Process Server module as a client and the endpoint outside the WebSphere environment as the server. Since the client connects to the server, the client has to import the server's public key into its truststore, and the server decrypts the data using its private key as shown in Figure 1.

Figure 1. Client server key and trust stores

In the above scenario, SSL is configured for server authentication. However, if SSL is configured for client authentication, the connection will fail because the server does not have the client's public key in its truststore.

This tutorial covers the following steps:

  • Generating the client and sample server keystore and truststore using the ikeyman tool
  • Importing the server certificate into the Process Server trust store
  • Mocking the Web services using the SOAP UI
  • Testing the SSL connection

Note: The SOAP UI is the world's leading open source functional testing tool for Web service testing. It is the leading desktop application for inspecting, invoking, monitoring, and simulating or mocking Web services, as well as for functional testing, security testing, and so on.

Prerequisites

  • You must be familiar with the SOAP UI.
  • You need to have good hands-on experience in configuring Process Server and performing administrative activities.
  • You need to have an understanding of Web services.
  • You must be familiar with WebSphere Integration Developer (hereafter called Integration Developer) and using it as a development tool.

System requirements

  • Microsoft® Windows® machine
  • SOAP UI
  • IBM® WebSphere Integration Developer V7 installed with a WebSphere Process Server V7 test environment

Preparing the environment

In this tutorial, the following directories are used as the installation paths for the components:

  • WebSphere Integration Developer root: C:\IBM\WID7
  • WebSphere Process Server root: C:\IBM\WID7_WTE\runtimes\bi_v7

Duration

This tutorial will take about 2 to 3 hours to complete.


Introduction

In this scenario, we assume that the client module runs on Process Server, and the endpoint Web service that is being called from a Process Server module is on an external third party system. We only have the Web Services Description Language (WSDL) file of the external Web service, and the system is not yet available. Therefore, we will configure SSL, mock the Web service, and test the SSL connection. The following sections describe the steps to configure and test SSL.


Generating the client keys

This section helps you create the ClientKeyStore, TrustStore, and self-signed certificate for the client:

  1. Create two folders as shown below:
    C:\ClientKeyStore
    C:\ClientTrustStore
  2. Launch the ikeyman tool (Figure 2). Navigate to C:\IBM\WID7_WTE\runtimes\bi_v7\bin and double-click ikeyman.bat.
    Figure 2. ikeyman tool
  3. Create the client key store:
    1. Select Key Database File > New to open a new dialog.
    2. Select JKS as the Key database type from the drop down, enter ClientKeyStore.jks as the File Name, and enter C:\ClientKeyStore\ for the Location (see Figure 3). Click OK.
      Figure 3. Client Key Store
    3. At the password prompt, enter a password of your choice as shown in Figure 4. In this example, we are using passw0rd. Click OK.
      Figure 4. Password Prompt
  4. Create the client trust store:
    1. Select Key Database File > New to open a new dialog.
    2. Select JKS as the Key database type from the drop down, enter ClientTrustStore.jks as the File Name, and enter C:\ClientTrustStore\ for the Location as shown in Figure 5. Click OK. When prompted for the password, enter passw0rd.
      Figure 5. Client Truststore
  5. Create a self-signed certificate for the client:
    1. Open ClientKeyStore.jks. Enter passw0rd when prompted for the password.
    2. Select Create > New self-signed certificate. Enter the following values as shown in Figure 6 and click OK:
      • key label: ClientCertificate
      • Common Name: localhost
      • Organization: IBM
        Figure 6. Self-signed client certificate
  6. Extract the client certificate:
    1. Click Extract certificate.
    2. Enter the following values as shown in Figure 7 and click OK:
      • Certificate file name: ClientCert.arm
      • Location: C:\ClientKeyStore
        Figure 7. Extract the client certificate

Generating the sample server keys

This section helps you create the ServerKeyStore, TrustStore, and self-signed certificate for the server.

  1. Create the following two folders:
    C:\ServerKeyStore
    C:\ServerTrustStore
  2. Create the sample server key store:
    1. Select Key Database File > New to open a new dialog.
    2. Select JKS as the Key database type from the drop down, enter ServerKeyStore.jks for the File Name, and enter C:\ServerKeyStore\ for the Location as shown in Figure 8. Click OK.
      Figure 8. Server key store
    3. At the password prompt, enter the password of your choice as shown in Figure 9. In this example, we are using passw0rd. Click OK.
      Figure 9. Password prompt
  3. Create the server trust store:
    1. Select Key Database File > New to open a new dialog.
    2. Select JKS as the Key database type from the drop down, enter ServerTrustStore.jks as the File Name, and enter C:\ServerTrustStore\ as the Location as shown in Figure 10. Click OK. When prompted for the password, enter passw0rd.
      Figure 10. Server trust store
  4. Create a self-signed certificate for the server:
    1. Open ServerKeyStore.jks. Enter passw0rd when prompted for the password.
    2. Select Create > New self-signed certificate. Enter the following values as shown in Figure 11 and click OK:
      • key label: SampleServerCertificate
      • Common Name: localhost
      • Organization: IBM
        Figure 11. Self-signed server certificate
  5. Extract the server certificate:
    1. Click Extract certificate.
    2. Enter the following values as shown in Figure 12 and click OK.
      • Certificate file name: SampleServerCert.arm
      • Location: C:\ServerKeyStore
        Figure 12. Extract server certificate

Importing the certificates

Import the client certificate into ServerTrustStore and the server certificate into ClientTrustStore for the handshake.

  1. Import the server certificate into the client trust store:
    1. Open ClientTrustStore. Enter passw0rd when prompted for the password.
    2. Navigate to Signer Certificates under Key database content.
    3. Click Add. Enter the following values as shown in Figure 13 and click OK:
      • File Name: SampleServerCert.arm
      • Location: C:\ServerKeyStore\
    4. Enter SampleServerCertificate when prompted for the label name.
      Figure 13. Import server certificate
  2. Import the client certificate into the server trust store:
    1. Open ServerTrustStore. Enter passw0rd when prompted for the password.
    2. Navigate to Signer Certificates under Key database content.
    3. Click Add. Enter the following values as shown in Figure 14 and click OK:
      • File Name: ClientCert.arm
      • Location: C:\ClientKeyStore\
    4. Enter ClientCertificate when prompted for the label name.
      Figure 14. Import client certificate

Importing the server certificate into the Process Server default TrustStore

You will now add the SampleServerCert.arm certificate to the Process Server default trust store from the admin console using the following steps:

  1. Log in to the Process Server admin console.
  2. Navigate to Security > SSL certificate and key management and click Key stores and certificates as shown in Figure 15.
    Figure 15. Process Server admin console
  3. Click NodeDefaultTrustStore as shown in Figure 16.
    Figure 16. Default trust store
  4. Click Signer certificates as shown in Figure 17.
    Figure 17. Signer certificates
  5. Click Add and enter the details as shown in Figure 18 and click OK.
    • Alias: SampleServerCertificate
    • File name: C:\ServerKeyStore\SampleServerCert.arm
    • Data type: Base64-encoded ASCII data
      Figure 18. Import server certificate
  6. Restart the server.

Configuring the SOAP UI for SSL

In this section, you will configure the SOAP UI to use the server keys:

  1. Open SOAP UI. Go to File > Preferences as shown in Figure 19.
    Figure 19. SOAP UI
  2. Switch to the SSL Settings tab and configure as shown in Figure 20.

    Note: Use passw0rd for the keystore and mock passwords.
    Figure 20. SSL settings
  3. Restart SOAP UI.

Mocking the Web service and testing the SSL

In this section, you will mock the Web service using the WSDL. First, import the WSDL of the Web service that you want to mock into the SOAP UI.

  1. Go to File > New soapUI Project and select Creates a new soapUI Project in this workspace as shown in Figure 21.
    Figure 21. New soapUI project
  2. Import the DemoWebService WSDL as shown in Figure 22. Alternatively, if available, you can import the endpoint WSDL provided by a third party or any other sample WSDL, such as HelloWorld WSDL, for testing purposes. Click OK.
    Figure 22. Import the WSDL
  3. In the Generate Mock Service window (Figure 23), click the operation you want to mock and click OK.
    Figure 23. Generate MockService

    Note: The sample Web service has only one operation; therefore, it is checked.

  4. Enter a suitable name, such as DemoMockService, as shown in Figure 24 and click OK.
    Figure 24. Name of MockService
  5. Now you see the mocked service. Click on the green arrow in the upper left of the panel to start the mock service (Figure 25).
    Figure 25. Start MockService
  6. The mock service is now running on port 8088 as shown in Figure 26.
    Figure 26. MockService started
  7. To check whether SSL is working, click the "I" icon, which opens the root WSDL page in a browser. Look at the address bar: if the address shows "https", as in Figure 27, SSL is configured.
    Figure 27. SSL configured

    Note: If you get a certificate error, click on Continue to this website (not recommended).

The "https" in the WSDL link confirms that SSL has been configured. This completes the configuration steps for establishing an SSL connection between the client and the server.
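The address-bar check shows that the mock listener speaks HTTPS; it does not show which certificate the listener presents. The following Python script is an added example, not part of the original tutorial: it compares the certificate served by the mock service with the extracted SampleServerCert.arm that was imported into the trust stores. It assumes the mock service listens on localhost:8088 and that the .arm file is Base64-encoded ASCII; the function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Decode the first Base64 certificate block (.arm / PEM) to DER bytes."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no Base64-encoded certificate block found")
    # Drop line breaks (CRLF on Windows) before strict Base64 decoding.
    return base64.b64decode("".join(match.group(1).split()), validate=True)

def fingerprint(der):
    """SHA-256 fingerprint as colon-separated upper-case hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def same_certificate(expected_pem, presented_pem):
    """True only if both texts hold byte-identical DER certificates."""
    return hmac.compare_digest(pem_to_der(expected_pem),
                               pem_to_der(presented_pem))

def check_mock_service(arm_path, host="localhost", port=8088):
    """Compare the certificate the listener presents with the .arm file."""
    with open(arm_path, encoding="ascii") as handle:
        expected = handle.read()
    # Without a CA file this call only retrieves the certificate; it does
    # not validate it, so a self-signed certificate is returned as-is.
    presented = ssl.get_server_certificate((host, port))
    return (same_certificate(expected, presented),
            fingerprint(pem_to_der(presented)))

# Constructed sample data: arbitrary bytes standing in for DER certificates.
SAMPLE_DER = bytes(range(64))
SAMPLE_ARM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
OTHER_ARM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER[::-1])

if __name__ == "__main__":
    # Assumed path and port, taken from the steps in this tutorial.
    ok, fp = check_mock_service(r"C:\ServerKeyStore\SampleServerCert.arm")
    print("presented SHA-256:", fp)
    print("matches SampleServerCert.arm:", ok)
```

A mismatch means the listener is presenting a different certificate from the one placed in ClientTrustStore and NodeDefaultTrustStore, so the Process Server module would not trust it even though the browser shows "https".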


Conclusion

This article described how to configure a secured Web service call from a WebSphere Process Server module to a non-WebSphere Process Server module via SSL. This involved generating client and sample server keys, importing certificates, configuring the SOAP UI for SSL, and finally mocking the Web service and testing the SSL connection.

Acknowledgements

The author would like to thank Parasuram Balakrishnan, Rajiv Madassery, and Vijay K. Peachimuthu for their valuable comments and reviews.
