Securing outbound communications between Process Federation Server and federated systems

This topic applies only to BAW. Last updated on 2025-03-13 12:15
Process Federation Server communicates with each federated system by using REST services. Configure the Process Federation Server for secure communications between Process Federation Server and each of the federated REST endpoints.

Before you begin

Ensure that signer certificates are available for each of the systems in the federated environment. In a production environment, use a trusted certificate authority (CA) signer certificate.
In a development or test environment, you might decide not to secure outbound communications because the REST endpoints allow HTTP communication. However, if you want to secure outbound communications, and are not using CA-signed certificates, you must obtain the signer certificate from one of the following locations:
  • If your development or test environment communicates directly with a federated system, you can get the system signer certificate in one of the following ways:
    • Use the administrative console to extract the signer certificate. See Personal certificates collection.
    • Use the PFSSecurityUtility.py script to create a keystore and truststore that are based on the signer certificate.
  • If your development or test environment communicates with the federated system through an IBM® HTTP Server, get the signer certificate from the IBM HTTP Server by using the IKEYMAN utility. See Securing with SSL communications.

About this task

Outbound communications between Process Federation Server and federated REST endpoints are secured with the Secure Sockets Layer (SSL) protocol.

The Liberty server.xml file contains the SSL configuration settings for Process Federation Server. The server.xml that is provided as a template includes a default SSL configuration, and a default keystore. You can configure a truststore for the signer certificates, so that communication can be secured with the REST endpoints.

To manage the Process Federation Server truststore, use your JVM’s keytool utility, or the IBM HTTP Server IKEYMAN utility.

Procedure

  1. Add the signer certificate for each federated system to the Process Federation Server truststore.
    In a development or test environment, use the Process Federation Server keystore as both the keystore and truststore to simplify configuration. In a production environment, use a separate truststore.
    Use one of the following utilities to optionally create a new truststore and to import the signer certificate into your truststore:
    • Your JVM’s keytool utility
    • IBM HTTP Server IKEYMAN utility
    • In a development or test environment, you can use the PFSSecurityUtility.py script to create a combined Process Federation Server keystore and truststore that is based on the system certificate:
      1. Copy the script from the pfs_install_root/ibmProcessFederationServer/wlp-ext/util directory to a federated system and get the list of utility commands and parameters:
        wsadmin -lang jython -host host_name -port port_number 
          -user user_id -password user_password 
          -f script_path/PFSSecurityUtility.py help
      2. Use the createKeyStore command to create a combined keystore and truststore, and a chained certificate that is signed by the root signer.
      3. Use the addSignerCertificate command for each additional federated system to retrieve the root signer certificate, and add it to the combined keystore and truststore.
  2. Update the Process Federation Server server.xml configuration file to point to the truststore that you configured in step 1.
    1. Open the server.xml configuration file for editing.
      By default, the configuration file is in the pfs_install_root/usr/servers/server_name directory on Process Federation Server.
    2. Update the keyStore element.
      Replace the default truststore values for the truststore filename and password properties with the values that you configured in step 1.
      <keyStore id="defaultTrustStore"
                location="pfs_install_root/usr/servers/server_name/resources/security/new_truststore_filename"
                password="password" />
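As an added check that is not part of the product documentation or of the PFSSecurityUtility.py script, the following Python script inspects the keyStore elements of a server.xml for the mistakes that commonly survive step 2: template placeholders left in the truststore location, a placeholder or clear-text truststore password, and a production configuration that reuses the keystore file as its truststore. The server.xml fragments and the encoded password value are constructed for the example; the {xor} and {aes} prefixes are the Liberty password encodings.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragments. The defaultTrustStore element in the first one
# mirrors the template values shown in the procedure; everything else is made up.
TEMPLATE_SERVER_XML = """<server>
  <keyStore id="defaultKeyStore" location="resources/security/key.jks" password="{xor}Lz4sLCgwLTs="/>
  <keyStore id="defaultTrustStore"
            location="pfs_install_root/usr/servers/server_name/resources/security/new_truststore_filename"
            password="password"/>
</server>"""

# A development-style configuration: keystore and truststore are the same file.
SHARED_STORE_XML = """<server>
  <keyStore id="defaultKeyStore" location="resources/security/pfs.p12" password="{xor}Lz4sLCgwLTs="/>
  <keyStore id="defaultTrustStore" location="resources/security/pfs.p12" password="{xor}Lz4sLCgwLTs="/>
</server>"""

PLACEHOLDER_PATH_PARTS = ("pfs_install_root", "server_name", "new_truststore_filename")
PLACEHOLDER_PASSWORDS = {"", "password", "changeit"}
ENCODED_PREFIXES = ("{xor}", "{aes}")  # Liberty encoded-password prefixes


def check_truststore(server_xml: str, production: bool = True) -> list[str]:
    """Return findings for the defaultTrustStore keyStore element; an empty list means no issue found."""
    root = ET.fromstring(server_xml)
    stores = {ks.get("id"): ks for ks in root.iter("keyStore")}
    trust = stores.get("defaultTrustStore")
    if trust is None:
        return ["no keyStore with id=defaultTrustStore: signer certificates cannot be located"]

    findings = []
    location = trust.get("location", "")
    password = trust.get("password", "")

    # Step 2 asks for the template placeholders to be replaced with the real values.
    if any(part in location for part in PLACEHOLDER_PATH_PARTS):
        findings.append("truststore location still contains template placeholders: " + location)
    if password in PLACEHOLDER_PASSWORDS:
        findings.append("truststore password is a placeholder or empty")
    elif not password.startswith(ENCODED_PREFIXES):
        findings.append("truststore password is stored in clear text")

    # Sharing one file is acceptable in development or test, but production needs a separate truststore.
    key = stores.get("defaultKeyStore")
    if production and key is not None and key.get("location") == location:
        findings.append("keystore and truststore are the same file; use a separate truststore in production")
    return findings
```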