
Mariela Dimitrova for Software AG Tech Community

Originally published at tech.forums.softwareag.com

SSL two-way authentication using Universal Messaging

Introduction:

With Universal Messaging (UM) the user can set up two-way SSL authentication: UM authenticates itself to the client with a certificate and requires Integration Server (IS) to authenticate itself with a certificate as well. This article details the steps for creating the two-way SSL connection alias and for publishing and subscribing to messages from Integration Server.

Prerequisites

  1. Generate the server key, certificate, keystore and truststore with OpenSSL and keytool using the commands below:

       openssl genrsa -out diagserverCA.key 2048
       openssl req -x509 -new -nodes -key diagserverCA.key -sha256 -days 1024 -out diagserverCA.pem
       openssl pkcs12 -export -name server-cert -in diagserverCA.pem -inkey diagserverCA.key -out serverkeystore.p12
       keytool -importkeystore -destkeystore server.keystore -srckeystore serverkeystore.p12 -srcstoretype pkcs12 -alias server-cert
       keytool -import -alias client-cert -file diagclientCA.pem -keystore server.truststore
       keytool -import -alias server-cert -file diagserverCA.pem -keystore server.truststore

     Note that the client-cert import reads diagclientCA.pem, which is only produced by the openssl commands in step 2, so generate the client certificate before running that import.

  2. Generate the client key, certificate, keystore and truststore with OpenSSL and keytool using the commands below:

       openssl genrsa -out diagclientCA.key 2048
       openssl req -x509 -new -nodes -key diagclientCA.key -sha256 -days 1024 -out diagclientCA.pem
       openssl pkcs12 -export -name client-cert -in diagclientCA.pem -inkey diagclientCA.key -out clientkeystore.p12
       keytool -importkeystore -destkeystore client.keystore -srckeystore clientkeystore.p12 -srcstoretype pkcs12 -alias client-cert
       keytool -import -alias server-cert -file diagserverCA.pem -keystore client.truststore
       keytool -import -alias client-cert -file diagclientCA.pem -keystore client.truststore

Creating server and client configuration in IS and UM

Once the client and server keystore and truststore files have been generated, configure them in IS and UM as shown below.

Configuring the keystore and truststore aliases in IS:

• In IS, navigate to the Security > Keystore page, click Create keystore alias and enter the values below:

Alias: mqttKeystore

Type: PKCS12

Provider: SUN

Location: Complete path of the client keystore file

Password: Client keystore password

• Similarly, create the truststore alias by navigating to the Security > Keystore page, clicking Create truststore alias and entering the values below:

Alias: mqttTruststore

Type: JKS

Provider: SUN

Location: Complete path of the client truststore file

Password: Client truststore password


Configuring the server certificates in UM:

• In Enterprise Manager, navigate to the ‘Comms’ tab and click the ‘Add Interface’ button

• Select nsps (UM's SSL-enabled socket protocol) as the Type, enter port 8883 and save the changes

• Select the newly added row for port 8883 and open the Certificates sub-tab

• Fill in the following values:

Key store path: Complete path of the server keystore

Key store password: Server keystore password

Trust store path: Complete path of the server truststore

Trust store password: Server truststore password

Private key password: Key password

CA store password: Truststore password
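The two store pairs built in the prerequisites and wired into IS and UM above (server.keystore plus server.truststore holding client-cert on the UM side, client.keystore plus client.truststore holding server-cert on the IS side) enforce one simple rule: the server proves its identity, and it drops any client that cannot present a certificate it trusts. The following Go program is an added example, not code from the article, Software AG, UM or IS, that rebuilds that arrangement in memory with the standard library so the rule can be checked without any product installed. A loopback server presents its own certificate and is configured with tls.RequireAndVerifyClientCert, the Go equivalent of the two-way setting on the nsps interface; three clients then connect: one holding the trusted certificate, one with no certificate at all, and one with a self-signed certificate that was never imported into the server trust store. The names diagserver, diagclient and rogueclient, the loopback address, the greeting text and the use of ECDSA keys instead of the article's RSA keys are assumptions of this example.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// selfSignedIdentity is the in-memory equivalent of one "openssl req -x509" step: a key plus a
// self-signed certificate that is its own trust anchor. Constructed test material, not the article's files.
func selfSignedIdentity(cn string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // key generation only fails on a broken environment
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")}, // SAN for the loopback listener
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// runMutualTLS runs a loopback server set up like the nsps interface: it presents server's
// certificate and refuses any client whose certificate does not chain to trustedClient (the
// server.truststore entry). A nil clientCert models a client with no keystore at all.
func runMutualTLS(server, trustedClient tls.Certificate, clientCert *tls.Certificate) (string, error) {
	serverTrust := x509.NewCertPool() // server.truststore: the client-cert entry
	serverTrust.AddCert(trustedClient.Leaf)
	clientTrust := x509.NewCertPool() // client.truststore: the server-cert entry
	clientTrust.AddCert(server.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // this setting is what makes the connection two-way
		ClientCAs:    serverTrust,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		if conn, err := ln.Accept(); err == nil {
			defer conn.Close()
			if tc := conn.(*tls.Conn); tc.Handshake() == nil { // a failed handshake has already sent the alert
				// PeerCertificates is the verified chain, so this CN is authenticated
				fmt.Fprintf(tc, "hello %s\n", tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
			}
		}
	}()
	cfg := &tls.Config{RootCAs: clientTrust}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return "", err // a TLS 1.2 server rejects the client during the handshake
	}
	defer conn.Close()
	line, err := bufio.NewReader(conn).ReadString('\n')
	if err != nil {
		return "", err // a TLS 1.3 server rejects it just after, so the first read fails
	}
	return strings.TrimSpace(line), nil
}

// DemoResult: the trusted client is greeted; an anonymous client and one whose certificate is
// absent from server.truststore must each get an error.
type DemoResult struct {
	Greeting                string
	NoCertErr, WrongCertErr error
}

func RunDemo() (r DemoResult, err error) {
	server, client := selfSignedIdentity("diagserver"), selfSignedIdentity("diagclient")
	rogue := selfSignedIdentity("rogueclient") // never imported into server.truststore
	if r.Greeting, err = runMutualTLS(server, client, &client); err != nil {
		return r, err
	}
	_, r.NoCertErr = runMutualTLS(server, client, nil)
	_, r.WrongCertErr = runMutualTLS(server, client, &rogue)
	return r, nil
}

func main() {
	r, err := RunDemo()
	fmt.Printf("setup error: %v\ntrusted client: %q\nno cert: %v\nuntrusted cert: %v\n", err, r.Greeting, r.NoCertErr, r.WrongCertErr)
}
```

Run it with go run; the trusted client is greeted as diagclient while the other two connections fail with a TLS alert. Because the article's certificates are self-signed, each side's truststore holds the peer's own certificate, which is why the example adds each leaf directly to the other side's pool; with a CA-issued certificate the truststore would hold the CA certificate instead, and the same RequireAndVerifyClientCert check would apply.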


Creating and enabling the two-way SSL connection alias


Verifying publishing and subscribing of messages to a topic on UM from Integration Server

• Launch Designer and connect to Integration Server.

• Create a package MQTT and a folder MQTT_Test in Designer.

• Create a publish flow service in the MQTT_Test folder using the built-in service pub.mqtt:publish.


• Create another flow service, subscribe, and check the Integration Server server log to confirm that the message was successfully received from the MQTT server topic.


• Integration Server can subscribe to topics by creating an MQTT trigger. The MQTT trigger receives messages published to the topic on the MQTT server and then invokes a trigger service to process the messages.

• Integration Server uses an MQTT connection alias to create a connection to the MQTT server. An invocation of the pub.mqtt:publish service requires the MQTT connection alias to publish the message to the MQTT server. Similarly, an MQTT trigger specifies the MQTT connection alias that it uses to identify the MQTT server from which it retrieves messages and on which the trigger creates subscriptions.


• Run the Publisher service


• Verify the message in the Integration Server server log.
