
3 Replies Last post: Nov 17, 2009 11:43 PM by relliott  
Annu Participant 15 posts since
Oct 29, 2009

Nov 17, 2009 3:53 AM

Client authentication true in SSL communication for AO webservices

Hi All,

I am trying to test SSL communication between a process (exposed as a Webservice on the AO server) and an AO client to that web service. I have succeeded in communication with client authentication as false (clientAuth="false") in the server.xml by following the steps mentioned in the RBA run book installation guide.

Now I want to try the communication for clientAuth="true". In this scenario, the client also needs to own a certificate, which should be entered into the trust store of the server. I have done this for IE, but how do I create a certified AO client?

I have tried searching the knowledge base but could not find much information about client authentication.

Please suggest where I can find more information on this.

Thanks!

Annu

relliott HotShot 69 posts since
Feb 12, 2008
1. Nov 17, 2009 2:59 PM in response to: Annu
Re: Client authentication true in SSL communication for AO webservices

Annu,

What you need to do is the following:

1) Within Internet Explorer (IE) navigate to the https Grid Manager web page of the secure BAO environment.

2) Within IE view the page properties and click the "Certificates" button.

3) On the Details tab click the "Copy to File..." button.

4) Follow the wizard and save the certificate to a file in the DER encoded binary X.509 (.CER) format.

On the client system (be it an Atrium Orchestrator Peer (BAO), Development Studio (Dev Studio), or some other Java based program) we now need to import the certificate into the keystore. Several things to note here before we get into the instructions are:

a) If you have never changed the password for a Sun keystore before, then the default password is "changeit", and the keystore file is usually held under the JRE lib\security folder and named cacerts.

b) You may have more than one Sun JDK/JVM installed; which one is the product (BAO) using?

c) The following instructions need to be done on each peer, and on the Dev Studio machine as well if you want to use "generate Workflow from WSDL".

d) You can skip all of these instructions if your company uses "real" certificates from one of the Sun-supported vendors, such as Verisign, on your BAO environment.

So to import the certificate within a Sun JVM:

1) Locate the keytool.exe program held within the bin folder of the JRE or JDK you want to import the certificate into.

2) Issue the command shown below. This assumes the certificate you saved is in the root of the C: drive and called bao.cer, and for this example the path to the keystore file is C:\Program Files\Java\jre6\lib\security\cacerts.

keytool -importcert -alias baoenv1 -file c:\bao.cer -keystore "C:\Program Files\Java\jre6\lib\security\cacerts" -storepass changeit

3) Restart BAO or Dev Studio and it should pick up the imported certificate.

4) If it does not, then it may be using a different JDK/JRE (and as such a different keystore file), so if in doubt you can add the cert to any and all keystore files, or look at the BAO ".lax" and Dev Studio configuration files to figure out which JDK/JRE they were installed to use.

Regards,

Robin.
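
Added example, not code from this thread or from BMC: the client side of what Robin's steps prepare for once the server has clientAuth="true". A Java client uses the cacerts file the server certificate was imported into as its truststore, and a separate PKCS12 keystore holding the client's own certificate and private key as its keystore; the file paths, the endpoint URL and the passwords are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class BaoMutualTlsClient {
    // Assumed paths: the cacerts file of the JRE that BAO/Dev Studio really uses (see step 4 above),
    // and a PKCS12 file holding the client's own certificate and private key.
    static final String TRUST_STORE = "C:\\Program Files\\Java\\jre6\\lib\\security\\cacerts";
    static final String CLIENT_STORE = "C:\\bao-client.p12";
    // Placeholder endpoint; substitute the real BAO web service URL.
    static final String ENDPOINT = "https://bao-server.example/placeholder-ws-path";

    static KeyStore loadStore(String type, String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try { ks.load(in, password); } finally { in.close(); }
        return ks;
    }

    static SSLContext buildContext(char[] trustPass, char[] clientPass) throws Exception {
        // Trust side: the server certificate imported with "keytool -importcert" lives here.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadStore("JKS", TRUST_STORE, trustPass));
        // Client side: the certificate + key that clientAuth="true" obliges the client to present;
        // the certificate (or its issuer) must be in the server's truststore for the handshake to succeed.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadStore("PKCS12", CLIENT_STORE, clientPass), clientPass);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] clientPass = args.length > 0 ? args[0].toCharArray() : new char[0];
        HttpsURLConnection conn = (HttpsURLConnection) new URL(ENDPOINT).openConnection();
        conn.setSSLSocketFactory(buildContext("changeit".toCharArray(), clientPass).getSocketFactory());
        // Default hostname verification is left in place: a trusted certificate issued for
        // another host still fails. BAO's own user/password headers still go on the request.
        System.out.println("HTTP " + conn.getResponseCode() + " over " + conn.getCipherSuite());
    }
}
```

Run it as `java BaoMutualTlsClient <client-keystore-password>`; a handshake failure here, rather than an HTTP status, means the server did not accept the presented client certificate or the client did not trust the server's.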

relliott HotShot 69 posts since
Feb 12, 2008
3. Nov 17, 2009 11:43 PM in response to: Annu
Re: Client authentication true in SSL communication for AO webservices

Annu,

Specific to calling BAO Web Services, the user authentication that is required cannot currently be tied to client-provided certificates.

The request will always need to include the user and password in the headers so that they can be authenticated against either the default BAO user realm or an LDAP/AD realm configuration within Access Manager.

You could always approach BAO Product Management (Thomas_Corfmat@bmc.com) with an enhancement request, with regard to associating client-side certificates with users and roles, if this is a key feature that you are looking for.

Regards,

Robin.
