Configuring communication between the order server and promising server

The Order server communicates with the Promising server through the AuthorizationOnlyApiServlet.

Configuration includes:

  • Enabling access to the servlet
  • Restricting access to an authorized username
  • Configuring properties on the Order server

Enabling access to the AuthorizationOnlyApiServlet

To enable access to AuthorizationOnlyApiServlet, edit the web.xml file of the deployed Promising server EAR to include the following:

<context-param>
    <param-name>bypass.uri.X</param-name>
    <param-value>/interop/AuthorizationOnlyApiServlet</param-value>
</context-param>
<context-param>
    <param-name>request.validation.bypass.uri.yfc.X</param-name>
    <param-value>/interop/AuthorizationOnlyApiServlet</param-value>
</context-param>
<servlet id="Servlet_X">
    <servlet-name>AuthorizationOnlyApiServlet</servlet-name>
    <servlet-class>com.yantra.interop.client.AuthorizationOnlyApiServlet</servlet-class>
</servlet>
<servlet-mapping id="ServletMapping_X">
    <servlet-name>AuthorizationOnlyApiServlet</servlet-name>
    <url-pattern>/interop/AuthorizationOnlyApiServlet</url-pattern>
</servlet-mapping>

where X is a numerical value.

Note: Ensure that the id fields are unique in the web.xml file.

Restricting access to the AuthorizationOnlyApiServlet

Note: This security constraint applies only to synchronous calls to the Promising server.

To restrict access to the AuthorizationOnlyApiServlet, edit the web.xml file of the deployed Promising server EAR to include the following:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>AuthorizationOnlyApiServlet</web-resource-name>
        <url-pattern>/interop/AuthorizationOnlyApiServlet</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>prmsappuser</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>default</realm-name>
</login-config>
<security-role>
    <role-name>prmsappuser</role-name>
</security-role>

Notes:

  • In the above configuration, replace prmsappuser with the same user name that was used when creating a new user and group on the application server where the Promising server EAR will be deployed.
  • In the above configuration, replace default with the realm name of prmsappuser.
  • Set up the appropriate authentication mechanism (BASIC, SSL, or CLIENT-CERT) in the <auth-method> tag.
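
As an added check (example code, not part of the IBM documentation), the script below parses a Promising server web.xml and confirms that the servlet mapping, the security-constraint covering it, and the matching security-role described above are all present, and that the id attributes are unique. The web.xml fragment it runs on is constructed for illustration.

```python
"""Checks that a Promising server web.xml both exposes and protects the
AuthorizationOnlyApiServlet (added example, not IBM code; fragment is constructed)."""
import xml.etree.ElementTree as ET

SERVLET_PATH = "/interop/AuthorizationOnlyApiServlet"

# Constructed fragment wrapped in a <web-app> root so it parses stand-alone.
WEB_XML = """<web-app>
<context-param><param-name>bypass.uri.1</param-name>
  <param-value>/interop/AuthorizationOnlyApiServlet</param-value></context-param>
<servlet id="Servlet_1"><servlet-name>AuthorizationOnlyApiServlet</servlet-name>
  <servlet-class>com.yantra.interop.client.AuthorizationOnlyApiServlet</servlet-class>
</servlet>
<servlet-mapping id="ServletMapping_1">
  <servlet-name>AuthorizationOnlyApiServlet</servlet-name>
  <url-pattern>/interop/AuthorizationOnlyApiServlet</url-pattern></servlet-mapping>
<security-constraint><web-resource-collection>
  <url-pattern>/interop/AuthorizationOnlyApiServlet</url-pattern>
  <http-method>GET</http-method><http-method>POST</http-method>
</web-resource-collection>
<auth-constraint><role-name>prmsappuser</role-name></auth-constraint>
</security-constraint>
<security-role><role-name>prmsappuser</role-name></security-role>
</web-app>"""


def check_web_xml(xml_text):
    """Return a list of problems; an empty list means the servlet is mapped,
    covered by an auth-constraint, and every id attribute is unique."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():  # drop the Java EE default namespace, if any
        elem.tag = elem.tag.split("}")[-1]
    problems = []
    ids = [e.get("id") for e in root.iter() if e.get("id")]
    if len(ids) != len(set(ids)):
        problems.append("duplicate id attributes")
    if not any(m.findtext("url-pattern") == SERVLET_PATH
               for m in root.findall("servlet-mapping")):
        problems.append("servlet not mapped to " + SERVLET_PATH)
    roles = set()
    for sc in root.findall("security-constraint"):
        pats = [p.text for p in sc.findall("web-resource-collection/url-pattern")]
        if SERVLET_PATH in pats:
            roles.update(r.text for r in sc.findall("auth-constraint/role-name"))
    if not roles:
        problems.append("no auth-constraint covers " + SERVLET_PATH)
    declared = {r.text for r in root.findall("security-role/role-name")}
    if roles - declared:
        problems.append("auth-constraint role not declared as security-role")
    return problems
```

Run it against the deployed web.xml by passing the file's contents to check_web_xml; an empty result means the servlet is reachable only through the declared role.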

Configuring application servers

Configuring WebLogic

The following configurations have to be made on a WebLogic application server:

  1. Make the following changes in the weblogic.xml of the IBM® Sterling Order Management System Software EAR.
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE weblogic-web-app PUBLIC "-//BEA Systems, Inc.//DTD Web Application 8.1//EN" "http://www.bea.com/servers/wls810/dtd/weblogic810-web-jar.dtd">
    <weblogic-web-app>
      <security-role-assignment>
        <role-name>prmsappuser</role-name>
        <principal-name>prmsappuserGroup</principal-name>
      </security-role-assignment>
    </weblogic-web-app>
    Note: When setting up the Users and Groups, ensure that the user name is the same as the one provided in the role-name tag of the web.xml file of the Promising server.
  2. Refer to the application server documentation to set up the authentication mechanism that you are using and that is mentioned in the web.xml file.

Configuring WebSphere

  1. Ensure that you have a deployment manager with administrative security turned on.
  2. Deploy the Sterling Order Management System Software in a server within the deployment manager.
  3. In Users and Groups>Manage Groups and Manage Users, create Users and Groups.

    Ensure that the user name is the same as the one provided in the role-name tag of the web.xml file of the Promising server, and assign that user to the group.

  4. In Enterprise Applications > (Promising server) > Security role to user/group mapping, WebSphere reads the web.xml file and populates the user role in the table. Map the user role to the group created in step 3.
  5. In Security, click Global security.

    Select the Enable application security checkbox.

  6. Refer to the application server documentation to set up the authentication mechanism that you are using and that is mentioned in the web.xml file.
Note: Ensure that virtual hosts are set up.

Configuring JBoss

Perform the following configurations on Sterling Order Management System Software:

Note: Depending on the profile being used, edit the profile configuration file. The following section explains the steps using the stand-alone configuration.
  1. The JBoss application server accepts HTTPS connections that present certificates. Define a port for the HTTPS connection as follows:
    <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
      .
      .
      .
      <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <ssl password="<>"
             certificate-key-file="<>"
             verify-client="want"
             ca-certificate-file="<>" />
      </connector>
      .
      .
      .
    </subsystem>
  2. Enforce the client certificate. Edit the <JBOSS_HOME>\standalone\configuration\standalone-full.xml file to define a security domain with the following details:
    <security-domain name="<domain_name>" cache-type="default">
      <authentication>
        <login-module code="CertificateRoles" flag="required">
          <module-option name="password-stacking" value="useFirstPass"/>
          <module-option name="securityDomain" value="java:/jaas/<domain_name>"/>
          <module-option name="rolesProperties" value="<full_path_to_application-roles.properties>"/>
          <module-option name="principalClass" value="org.jboss.security.auth.certs.SubjectCNMapping"/>
        </login-module>
      </authentication>
      <jsse keystore-password="<>"
            keystore-url="<Path_ToKeystore>"
            truststore-password="<>"
            truststore-url="<Path_ToTrustStore>"/>
    </security-domain>
    Note: The above configuration creates a security domain with the name <domain_name>. The value of keystore-url is the path to the keystore that holds the certificates to be trusted by Sterling Order Management System Software.
  3. Provide a user-to-role name mapping. For example: prmsappuser=prmsappuser. For more information, refer to JBoss Tuning.
    Note:
    • The role name defined in the role.properties file and the CN in the identity certificate of the Order server must be the same as the role-name that is used in the web.xml file.
    • Ensure that the user name and the CN are in lower case.
    • Ensure that the keystore referenced by keystore-url contains the complete client certificate, stored under an alias that is the same as the CN of the identity certificate of the Order server.
  4. Assign the newly created security domain to the Sterling Order Management System Software by creating the jboss-web.xml in the WEB-INF to include the following:
    <jboss-web>
      <security-domain>java:/jaas/<domain_name></security-domain>
    </jboss-web>

  5. Refer to the application server documentation to set up the authentication mechanism that you are using and that is mentioned in the web.xml file.

Configuring properties on the order server

Configure the following properties in the yifclient.properties file on the Order server and rebuild the resources.jar file before building the EAR file:

  • endpoint.PROMISINGSERVER.yif.apifactory.protocol
    Set the value of this property to HTTPS when using two-way SSL authentication, or to HTTP when using BASIC authentication.
  • endpoint.PROMISINGSERVER.yif.httpapi.url
    Set the value to the URL of the AuthorizationOnlyApiServlet.
    For two-way SSL authentication:
      https://<host>:<port>/smcfs/interop/AuthorizationOnlyApiServlet
    For BASIC authentication:
      http://<host>:<port>/smcfs/interop/AuthorizationOnlyApiServlet
    where <host> refers to the Promising server instance of Sterling Order Management System Software.
  • file.encoding
    Set the value of this property to UTF-8.
  • yif.mime.boundary
    Set the value of this property to JJKHASDksks9485978Ksdamma9037.
  • yfs.context.namespace
    Set the value of this property to &YFS_CONTEXT_NAMESPACE;.
  • prms.integration.app.userid
    Enter a user id for authentication. For example:
      prms.integration.app.userid=<prmsappuser>
    Note: The same user id must be used in the web.xml file of the Promising server when configuring the AuthorizationOnlyApiServlet.
  • prms.integration.app.password
    Enter a password for authentication. For example:
      prms.integration.app.password=<prmsappuserpassword>
    Note: The password must belong to the same user name that was used in the web.xml file of the Promising server when configuring the AuthorizationOnlyApiServlet.

Note: prms.integration.app.userid and prms.integration.app.password must be included in the yifclient.properties file.
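
As an added consistency check (example code, not part of the IBM documentation), the script below reads the yifclient.properties entries listed above and verifies that the protocol setting matches the scheme of the endpoint URL, that the URL points at the AuthorizationOnlyApiServlet, and that the user id, password and UTF-8 encoding are present. The sample properties text is constructed; the host, port and password in it are made up.

```python
"""Consistency checks for the yifclient.properties entries listed above
(added example, not IBM code; the sample properties text is constructed)."""
from urllib.parse import urlparse

SERVLET_PATH = "/interop/AuthorizationOnlyApiServlet"
REQUIRED = ("prms.integration.app.userid", "prms.integration.app.password")

# Constructed sample for the two-way SSL case; host, port and password are made up.
SAMPLE = """endpoint.PROMISINGSERVER.yif.apifactory.protocol=HTTPS
endpoint.PROMISINGSERVER.yif.httpapi.url=https://prms.example.test:9443/smcfs/interop/AuthorizationOnlyApiServlet
file.encoding=UTF-8
yif.mime.boundary=JJKHASDksks9485978Ksdamma9037
prms.integration.app.userid=prmsappuser
prms.integration.app.password=example-only
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines; # and ! comments skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_properties(props):
    """Return a list of problems; an empty list means the endpoint settings agree."""
    problems = []
    proto = props.get("endpoint.PROMISINGSERVER.yif.apifactory.protocol", "").upper()
    url = urlparse(props.get("endpoint.PROMISINGSERVER.yif.httpapi.url", ""))
    if proto not in ("HTTP", "HTTPS"):
        problems.append("protocol must be HTTP (BASIC) or HTTPS (two-way SSL)")
    elif url.scheme.upper() != proto:
        problems.append(f"URL scheme {url.scheme!r} does not match protocol {proto}")
    if not url.path.endswith(SERVLET_PATH):
        problems.append("URL does not point at " + SERVLET_PATH)
    for key in REQUIRED:
        if not props.get(key):
            problems.append(key + " is missing")
    if props.get("file.encoding") != "UTF-8":
        problems.append("file.encoding must be UTF-8")
    return problems
```

Run check_properties(parse_properties(open("yifclient.properties").read())) before rebuilding resources.jar; a non-empty result lists the settings that disagree with each other.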

Creating and authorizing users

When you run the Promising server Activator in non-enterprise mode on both the Order server and Promising server, an application user, PRMSIntegrationUser, is created with the required permissions to access the Promising server.