Securing a REST-based integration in IBM App Connect

Learn how to secure HTTPS ingress by using client basic authentication on a REST-based integration application in IBM® App Connect.

Note: This tutorial assumes that you have a running App Connect Dashboard instance that was created within an IBM Cloud Pak for Integration environment.

Scenario

You want to create a REST-based integration that is secured by using HTTPS with client basic authentication.

First, find or create everything you need

  1. Download the set of sample files: cp4i-https-basic-auth.zip.

    This ZIP archive contains a BAR file with a basic REST integration and a set of configuration files for setting up the system.

  2. Extract the contents of the ZIP archive to a directory that you can use for working through the tutorial. The ZIP archive contains the following contents:
    • CustomerDatabaseV1.bar: A BAR file that contains a simple REST-based integration
    • forceServerHTTPSecurityProfile: A policy project (in a subdirectory), which will be used to configure the basic authentication security
    • https-policyproject.zip: A ZIP file that contains the forceServerHTTPSecurityProfile subdirectory
    • https-keystore.p12: A keystore that contains self-signed server certificates
    • https-server.conf.yaml: A file that contains override properties to enforce HTTPS and the use of the provided security policy on the BAR file integration
    • https-setdbparms.txt: A file that defines the credentials to use for basic authentication and for accessing the keystore
    • update_configurations_for_https_basic_auth.sh: A script that shows how to create or update configurations by using the Red Hat® OpenShift® CLI (oc)

Next, create an integration server that is configured for secure HTTPS access

You will now use the App Connect Dashboard to configure an integration server to expose an HTTPS endpoint. The example flow is very simple and exposes a CRUD interface to a simple in-memory database that contains customer details. The same configuration could be used for far more complex integrations that include interactions with other external systems.

You will set up a keystore that the integration server can use to prove its identity to connecting clients. In this tutorial, the supplied sample keystore is self signed with an invalid domain (example.com) that is intended for demonstrative purposes only. When you connect by using commands such as curl, you will have to accept the insecure certificate. If you would prefer to use a secure keystore, you can replace the sample keystore with a keystore that includes a correctly signed certificate.

The https-policyproject.zip file contains a policy project called forceServerHTTPSecurityProfile, which in turn contains a SecurityProfiles-SecProfLocal policy that has basic authentication enabled. This security policy will be used for clients that connect to the integration server.

The https-server.conf.yaml file is set up to use the supplied security policy and to also use the supplied keystore for the server's certificate.

The https-setdbparms.txt file contains a user name and password that will be used to check the basic authentication details for a connecting client.

Procedure

To create the integration server and configure it with HTTPS and client basic authentication, complete the following steps:

  1. From your App Connect Dashboard instance, click the Dashboard icon in the navigation pane.
  2. On the Servers page, click Create server.
  3. Choose Quick start integration as the type of integration and click Next.
  4. Provide CustomerDatabaseV1.bar as the BAR file that you want to deploy and click Next.
  5. From the Configuration view, use the Create configuration button to create each of the following configurations in turn, ensuring the names are as given:
    1. Select server.conf.yaml as the type and upload the https-server.conf.yaml file. Name the configuration https-server.conf.yaml.
    2. Select Policy project as the type and upload the https-policyproject.zip file. Name the configuration https-policyproject.zip.
    3. Select setdbparms.txt as the type and upload the https-setdbparms.txt file. Name the configuration https-setdbparms.txt.
    4. Select Keystore as the type and upload the https-keystore.p12 file. Name the configuration https-keystore.p12. It is important that you set the name to https-keystore.p12 because the https-server.conf.yaml file contains a reference to that name.
  6. Select all of the new configurations that you created and then click Next.
  7. Define the following details for the integration server:
    1. Give the integration server the name https-basic-auth.
    2. Ensure that the Designer flows mode is set to disabled, which is required when deploying a Toolkit integration.
    3. Set the application transport for the integration endpoint to https.
    4. Click Create. The integration server should start and expose the HTTPS input that drives the integration's CRUD operations. (You might need to refresh the page to see the Started state on the integration server's tile.)

Finally, test your flow

To test your flow, complete the following steps:

  1. Locate the URL that can be used to invoke a GET operation against the integration server:
    1. Click the https-basic-auth tile for the integration server in the dashboard.
    2. Click the CustomerDatabaseV1 tile for the application within the server.
    3. Click GET /customers and copy the displayed path. This path will return all customers from the sample integration flow.
  2. Run the following curl command, ensuring that you replace the URL portion with the URL that you copied for the GET /customers operation.
    curl -X GET "https://hostname/customerdb/v1/customers" -kv -u aceuser:changeit

The verbose command should display the self signed certificate details (which will be identified as insecure), and the REST call should complete successfully to display an array of customers.

Conclusion

This tutorial has shown how to secure an integration by using basic authentication over HTTPS. You can modify the tutorial to use a keystore that contains a properly signed certificate that was created by using a certificate authority (CA) that you trust. You can also modify the https-setdbparms.txt file to use any password that you require for the basic authentication check.

If preferred, you can use the Red Hat OpenShift CLI to create or update the configurations in the system. The supplied update_configurations_for_https_basic_auth.sh script creates or updates the required configurations by using the oc apply -f command and then causes the integration server to do a rolling restart to pick up the changes. You can modify this script to create any number of different configurations that you require.

To use the script, run oc login to log in to the cluster and project where the Dashboard instance is installed and then execute the script. It will compress the policy project into a ZIP archive and then create or update each configuration object in the cluster. The script will then modify the integration server deployment to cause a rolling restart of the integration servers.