Configuring communication between the order server and promising server
The Order server communicates with the Promising server through the AuthorizationOnlyApiServlet.
Configuration includes:
- Enabling access to the servlet
- Restricting access to an authorized username
- Configuring properties on the Order server
Enabling access to the AuthorizationOnlyApiServlet
To enable access to AuthorizationOnlyApiServlet, edit the web.xml file of the deployed Promising server EAR to include the following:
<context-param>
<param-name>bypass.uri.X</param-name>
<param-value>/interop/AuthorizationOnlyApiServlet</param-value>
</context-param>
<context-param>
<param-name>request.validation.bypass.uri.yfc.X</param-name>
<param-value>/interop/AuthorizationOnlyApiServlet</param-value>
</context-param>
<servlet id="Servlet_X">
<servlet-name>AuthorizationOnlyApiServlet</servlet-name>
<servlet-class>com.yantra.interop.client.AuthorizationOnlyApiServlet</servlet-class>
</servlet>
<servlet-mapping id="ServletMapping_X">
<servlet-name>AuthorizationOnlyApiServlet</servlet-name>
<url-pattern>/interop/AuthorizationOnlyApiServlet</url-pattern>
</servlet-mapping>
where X is a numerical value.
Restricting access to the AuthorizationOnlyApiServlet
To restrict access to the AuthorizationOnlyApiServlet, edit the web.xml file of the deployed Promising server EAR:
<security-constraint>
<web-resource-collection>
<web-resource-name>AuthorizationOnlyApiServlet</web-resource-name>
<url-pattern>/interop/AuthorizationOnlyApiServlet</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>prmsappuser</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>default</realm-name>
</login-config>
<security-role>
<role-name>prmsappuser</role-name>
</security-role>
Notes:
- In the above configuration, replace prmsappuser with the same user name that was used when creating a new user and group at the application server where the Promising server EAR will be deployed.
- In the above configuration, replace default with the realm name of prmsappuser.
- Set up the appropriate authentication mechanism (BASIC, SSL, or CLIENT-CERT) in the <auth-method> tag.
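The bypass.uri context-params above exempt the servlet path from the application's own request validation, so the container security-constraint is the only control left in front of it. The following check is added here as an example and is not part of the product documentation: it parses a web.xml and reports every bypassed URI that lacks a role-restricted security-constraint, a declared role, or a login-config, and it also flags that a constraint listing only GET and POST leaves other HTTP methods unconstrained unless the Servlet 3.1 deny-uncovered-http-methods element is declared. The SAMPLE_WEB_XML fragment is constructed for the example.

```python
import xml.etree.ElementTree as ET
# Constructed web.xml fragment for the check below (not taken from a real deployment).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <context-param><param-name>bypass.uri.1</param-name>
    <param-value>/interop/AuthorizationOnlyApiServlet</param-value></context-param>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/interop/AuthorizationOnlyApiServlet</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>prmsappuser</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>prmsappuser</role-name></security-role>
</web-app>"""

def audit_bypass_uris(web_xml_text):
    """Report bypass.uri.* paths that the container does not protect with a role-restricted
    security-constraint, a declared role and a login-config."""
    root = ET.fromstring(web_xml_text)
    for el in root.iter():  # strip the default namespace so plain tag names match below
        el.tag = el.tag.split("}", 1)[-1]
    findings = []
    bypassed = sorted({cp.findtext("param-value", "").strip()
                       for cp in root.findall("context-param")
                       if cp.findtext("param-name", "").startswith("bypass.uri.")})
    declared = {r.text.strip() for r in root.findall("security-role/role-name")}
    if root.find("login-config/auth-method") is None:
        findings.append("no login-config/auth-method: clients are never challenged")
    for uri in bypassed:
        covered = False
        for sc in root.findall("security-constraint"):
            patterns = {p.text.strip() for p in sc.findall("web-resource-collection/url-pattern")}
            if uri not in patterns:
                continue
            if sc.find("auth-constraint") is None:  # without auth-constraint the resource is open
                findings.append(f"{uri}: security-constraint has no auth-constraint")
                continue
            roles = [r.text.strip() for r in sc.findall("auth-constraint/role-name")]
            missing = [r for r in roles if r != "*" and r not in declared]
            if missing:
                findings.append(f"{uri}: role(s) {missing} not declared in security-role")
            methods = [m.text.strip() for m in sc.findall("web-resource-collection/http-method")]
            if methods and root.find("deny-uncovered-http-methods") is None:
                findings.append(f"{uri}: only {methods} constrained; other HTTP methods are uncovered")
            covered = True
        if not covered:
            findings.append(f"{uri}: no security-constraint with an auth-constraint covers it")
    return findings
```

Run it against the deployed web.xml after editing; an empty list means every bypassed URI is covered, declared and challenged.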
Configuring application servers
Configuring WebLogic
The following configurations have to be made on a WebLogic application server:
- Make the following changes in the weblogic.xml of the IBM® Sterling Order Management System Software EAR:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE weblogic-web-app PUBLIC "-//BEA Systems, Inc.//DTD Web Application 8.1//EN" "http://www.bea.com/servers/wls810/dtd/weblogic810-web-jar.dtd">
<weblogic-web-app>
<security-role-assignment>
<role-name>prmsappuser</role-name>
<principal-name>prmsappuserGroup</principal-name>
</security-role-assignment>
</weblogic-web-app>
Note: When setting up the Users and Groups, ensure that the user name is the same as that provided in the role-name tag of the web.xml file of the Promising server.
- Refer to the application server documentation to set up the authentication mechanism that you are using and that is mentioned in the web.xml file.
Configuring WebSphere
1. Ensure that you have a deployment manager with administrative security turned on.
2. Deploy the Sterling Order Management System Software in a server within the deployment manager.
3. In Users and Groups > Manage Groups and Manage Users, create Users and Groups. Ensure that the user name is the same as provided in the role-name tag of the web.xml file of the Promising server, and assign them to this group.
4. In Enterprise Applications (Promising Server) > Security role to user/group mapping, WebSphere reads the web.xml file and populates the user role in the table. Map the user role to the group created in step 3.
5. In Security, click Global security. Select the Enable application security checkbox.
6. Refer to the application server documentation to set up the authentication mechanism that you are using and that is mentioned in the web.xml file.
Configuring JBoss
Perform the following configurations on Sterling Order Management System Software:
- The JBoss application server accepts https connections with certificates. Define a port for the https connection as follows:
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
. . .
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
<ssl password="<>" certificate-key-file="<>" verify-client="want" ca-certificate-file="<>" />
</connector>
. . .
</subsystem>
- Enforce the client certificate. Edit the <JBOSS_HOME>\standalone\configuration\standalone-full.xml file to define a security domain with the following details:
<security-domain name="<domain_name>" cache-type="default">
<authentication>
<login-module code="CertificateRoles" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="securityDomain" value="java:/jaas/<domain_name>"/>
<module-option name="rolesProperties" value="<full_path_to_application-roles.properties>"/>
<module-option name="principalClass" value="org.jboss.security.auth.certs.SubjectCNMapping" />
</login-module>
</authentication>
<jsse keystore-password="<>" keystore-url="<Path_ToKeystore>" truststore-password="<>" truststore-url="<Path_ToTrustStore>"/>
</security-domain>
Note: The above configuration creates a security domain with the name "domain_name". The value of KeystoreURL contains the path to the keystore that holds the certificates to be trusted by Sterling Order Management System Software.
- Provide a user-role name mapping. For example: prmsappuser=prmsappuser. For more information, refer to JBoss Tuning.
Note:
- The role name defined in the role.properties file and the CN in the identity certificate of the order server must be the same as the role-name that is used in the web.xml.
- Ensure that the user name and the CN are in lower case.
- Ensure that the KeyStoreURL used above has the complete "client certificate" added to it under an alias that is the same as the CN of the identity certificate of the order server.
- Assign the newly created security domain to the Sterling Order Management System Software by creating the jboss-web.xml in WEB-INF to include the following:
<jboss-web>
<security-domain>java:/jaas/<domain_name></security-domain>
</jboss-web>
- Refer to the application server documentation to set up the authentication mechanism that you are using and that is mentioned in the web.xml file.
Configuring properties on the order server
Configure the following properties in the yifclient.properties file on the Order server and rebuild the resources.jar file before building the EAR file:
Property | Description |
---|---|
endpoint.PROMISINGSERVER.yif.apifactory.protocol | Set the value of this property to HTTPS when using two-way SSL authentication. Set the value of this property to HTTP when using BASIC authentication. |
endpoint.PROMISINGSERVER.yif.httpapi.url | Set the value to the URL for AuthorizationOnlyApiServlet. For two-way SSL authentication: For BASIC authentication: where |
file.encoding | Set the value of this property to UTF-8. |
yif.mime.boundary | Set the value of this property to JJKHASDksks9485978Ksdamma9037. |
yfs.context.namespace | Set the value of this property to &YFS_CONTEXT_NAMESPACE;. |
prms.integration.app.userid | Enter a user id for authentication. For example: Note: The same user id must be used in the web.xml file of the Promising server when configuring the AuthorizationOnlyApiServlet. |
prms.integration.app.password | Enter a password for authentication. For example: Note: The password must belong to the same username that was used in the web.xml file of the Promising server when configuring the AuthorizationOnlyApiServlet. |
Note: prms.integration.app.userid and prms.integration.app.password must be included in the yifclient.properties file.
Creating and authorizing users
When you run the Promising server Activator in non-enterprise mode on both the Order server and Promising server, an application user, PRMSIntegrationUser, is created with the required permissions to access the Promising server.