Configuring Secure Connections

For information about the SSL configuration of the Remote Connector, refer to Configuring a Secure Connection to the INUBIT Process Engine.

Configuring SSL Connections and Server Authentication

You can secure the communication between the INUBIT Process Engine and clients such as the INUBIT Workbench by using the HTTPS protocol, which is secured by SSL/TLS.

When using HTTPS, the INUBIT Process Engine and the Enterprise Portal or the INUBIT Process Engine and a web service consumer communicate via encrypted data. Additionally, clients (e.g. INUBIT Workbench, web browsers) can verify the certificate of the server (e.g. INUBIT Process Engine, Enterprise Portal) to authenticate the connection.

As operator of the INUBIT Process Engine, you create the keystore. A keystore contains certificates with the corresponding public keys and the private key belonging to the certificate. The public key is part of the certificate that the client uses to authenticate the server.

Configure the HTTPS connection and deposit the keystore in the INUBIT Process Engine.

Based on the domain, the keystore is searched for a certificate with the corresponding alias. Name your keystore by the DNS name so that it can be found.

The server certificate is deposited in the so-called trust store at the client (e.g. INUBIT Workbench) and, there, you also configure the HTTPS connection. In contrast to the keystore, the trust store contains certificates only.

In this way, the INUBIT Process Engine can access the private key and the INUBIT Workbench can access the certificate, by means of a public key.

Normally, the SSL connection between client and server is already terminated at the LoadBalancer. This can be sufficient if the connection between the LoadBalancer and the instance behind it is established in a secure network. In addition, the configuration between the LoadBalancer and the instance can be secured via SSL. Information on the SSL configuration of the LoadBalancer used can be found in its manual.

Proceed as follows

Create a keystore and a self-signed certificate. To do so, call up the keytool via the command line in the directory <inubit-installdir>/_jvm/bin/keytool.exe.

The following parameters generate a keystore ibis_demo_keystore with a self-signed certificate with a public key. When generating, assign one password for the keystore and one the certificate. Adjust the parameter values to your own IT environment (except -alias):
```
keytool -genkey
-alias tomcat
-dname "CN=server.domain.com, O=Example Inc, C=DE"
-keystore ./keys/inubit_demo_keystore.jks
-keyalg RSA
```

Extract the certificate:

keytool
-export
-alias tomcat
-storepass PasswordKeystore
-keystore ./keys/inubit_demo_keystore.jks
-file ./keys/inubit_demo_certificate.crt

Configure the INUBIT Process Engine. To do this, open the following configuration file:
<inubit‑installdir>/server/process_engine/conf/server.xml
and navigate to the default connector path.

<Connector
        port="8443"
        protocol="org.apache.coyote.http11.Http11Nio2Protocol"
        maxThreads="150"
        SSLEnabled="true">
    <SSLHostConfig>
        <Certificate
            certificateKeystoreFile="conf/localhost-rsa.jks"
            certificateKeystorePassword="change it"
            type="RSA" />
    </SSLHostConfig>
</Connector>

The type of certificate must be compatible. It must be one of UNDEFINED, RSA, DSA or EC.

If only one Certificate is nested within a SSLHostConfig then type attribute is not required and will default to UNDEFINED. If multiple Certificates are nested within a SSLHostConfig then type attribute is required and each Certificate must have a unique type.

Edit the following parameters:
- certificateKeystoreFile
  
  Enter the full path to the RSA keystore file of the certificate.
- certificateKeystorePassword
  
  Enter the password for the RSA keystore file of the certificate.
Restart the INUBIT Process Engine.
Add the certificate to the client’s truststore.

The server authentication is only done when it is selected in the Workbench and the added certificate contains a private key.

With the following command you copy the certificate to the client computer and import it to the truststore:
```
keytool
-import
-alias tomcat
-file ./keys/inubit_demo_certificate.crt
-keystore ./keys/inubit_demo_truststore.jks
```
Confirm the call back Trust this certificate?
If you use a self-signed certificate, you need to declare the truststore for Java, because the Java framework checks the server certificate’s reliability. If the truststore is not declared, the communication with the INUBIT Process Engine via HTTPS fails, for example when loading documents from the INUBIT Process Engine via the XSLT function document() or when loading a URL in the XML Editor.

The truststore must be declared in the start script of the INUBIT Process Engine and the INUBIT Workbench:
1. Open the start script of the INUBIT Process Engine: <inubit-installdir>/inubit/server/process_engine/bin/setenv.[bat|sh]
2. Open the INUBIT Workbench start script in <inubit-installdir>/inubit/client/bin/start_local.[bat|sh].
3. Add the following and adjust the path to your truststore:
  - Windows
    
    set JVM_PARAMS=%JVM_PARAMS% -Djavax.net.ssl.trustStore=<path-to-truststore>\inubit_demo_truststore.jks
  - Linux
    
    JVM_PARAMS="$JVM_PARAMS -Djavax.net.ssl.trustStore=<path-to-truststore>/inubit_demo_truststore.jks"
To view the content of the truststore, use the following command:
```
keytool
-keystore ./keys/inubit_demo_truststore.jks
-list
-v
```
Restart the INUBIT Workbench.
For the SSL configuration create a new login profile based on an HTTPS connection, for example https://<server>:<port>/ibis/servlet/IBISSoapServlet, and enter the path of the truststore file.

Refer to Creating and Deleting Login Profiles

Configuring INUBIT Process Engine using NIO Implementation

Recommended structure by Apache Tomcat.

Prerequisites

You have implemented steps 1 and 2, refer to Configuring SSL Connections and Server Authentication
You have opened the configuration file <inubit-installdir>/inubit/server/process_engine/conf/server.xml

Proceed as follows

Remove the annotation marks of the NIO structure example:

<Connector
        port="8443"
        protocol="org.apache.coyote.http11.Http11Nio2Protocol"
        maxThreads="150"
        SSLEnabled="true">
    <SSLHostConfig>
        <Certificate
            certificateKeystoreFile="conf/localhost-rsa.jks"
            certificateKeystorePassword="change it"
            type="RSA" />
    </SSLHostConfig>
</Connector>

Edit the following parameters:
- certificateKeystoreFile
  
  Enter the full path to the RSA keystore file of the certificate.
- certificateKeystorePassword
  
  Enter the password for the RSA keystore file.
Continue with step 4, refer to Configuring SSL Connections and Server Authentication

Configuring INUBIT Process Engine using APR/Native Implementation

Prerequisites

You have implemented steps 1 and 2, refer to Configuring SSL Connections and Server Authentication
You have opened the configuration file <inubit-installdir>/inubit/server/process_engine/conf/server.xml

Proceed as follows

Remove the annotation marks of the APR/native structure example:

<Connector
        port="8443"
        protocol="org.apache.coyote.http11.Http11AprProtocol"
        maxThreads="150"
        SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate
            certificateKeyFile="conf/localhost-rsa-key.pem"
            certificateFile="conf/localhost-rsa-cert.pem"
            certificateChainFile="conf/localhost-rsa-chain.pem"
            type="RSA" />
    </SSLHostConfig>
</Connector>

Edit the following parameters:
- certificateKeystoreFile
  
  Enter the full path to the RSA keystore file of the certificate.
- certificateFile
  
  Enter the full path to the RSA certificate file.
- certificateChainFile
  
  Enter the full path to the RSA certificate chain file.
Continue with step 4, refer to Configuring SSL Connections and Server Authentication

Configuring INUBIT Process Engine using old style

Prerequisites

You have implemented steps 1 and 2, refer to Configuring SSL Connections and Server Authentication
You have opened the configuration file <inubit-installdir>/inubit/server/process_engine/conf/server.xml

Proceed as follows

Use this example:

<Connector
    port="8443"
    protocol="HTTP/1.1"
    URIEncoding="UTF-8"
    connectionTimeout="20000"
    maxThreads="150"
    minSpareThreads="25"
    maxSpareThreads="75"
    enableLookups="false"
    acceptCount="100"
    compression="on"
    compressionMinSize="2048"
    compressableMimeType="text/html,text/xml,text/javascript"
    server="Apache"
    emptySessionPath="true"
    SSLEnabled="true"
    scheme="https"
    secure="true"
    clientAuth="false"
    sslProtocol="TLS"
    keystoreFile="/absolute/path/to/keystore.jks"
    keystorePass="changeit"
    keyAlias="chageit"
    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_
    256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WIT
    H_AES_256_GCM_SHA384">
    ...
</Connector>

Add the list of cipher names each separated by comma.
Edit the following parameters:
- keystoreFile
  
  Enter the full path to the keystore file (private key and certificate).
- keystorePass
  
  Enter the password for the keystore file.
- keyAlias
  
  Alias name of the keystore entry. If this entry is missing, tomcat or the first entry in the keystore is used.
Continue with step 4, refer to Configuring SSL Connections and Server Authentication

Activating Traces for HTTPS Connections

In order to obtain meaningful traces for HTTPS connections between INUBIT Workbench and INUBIT Process Engine, the start scripts of the two components can be adjusted.

Proceed as follows

Close the INUBIT Workbench and stop the INUBIT Process Engine.
Open the following start scripts:
- INUBIT Workbench
  
  <inubit-installdir>/inubit/client/bin/start_local.[bat|sh]
- INUBIT Process Engine
  
  <inubit-installdir>/inubit/server/process_engine/bin/setenv.sh

Insert the following lines:

INUBIT Workbench:

set JAVA_PARAMS=%JAVA_PARAMS% -Djavax.net.debug= ssl,handshake,data,trustmanager

INUBIT Process Engine:

set JAVA_PARAMS=%JAVA_PARAMS% -Djavax.net.debug=ssl,handshake,data,trustmanager

Restart the INUBIT Process Engine and the INUBIT Workbench.

Configuring a HTTP/HTTPS Proxy Server for INUBIT Workbench and/or INUBIT Process Engine

Proxy-Servers can be used for the HTTP(S) communication between

the INUBIT Workbench and the INUBIT Process Engine,
the INUBIT Process Engine and remote computers,
Remote Connectors and other remote computers.

External files (WSDLs, URLs etc.) don’t need to be reachable from the INUBIT Workbench because they are always loaded via the INUBIT Process Engine.

A proxy server can be used for aims like

Increasing security

Computers on the local network should not have direct Internet access; a proxy server may be used as an interface between the two networks.
Bandwidth control

The proxy server may allocate different resources to different user groups dependent upon utilization.

Configuring a Proxy Server between INUBIT Workbench and INUBIT Process Engine

Proceed as follows

Stop the INUBIT Workbench.
Open the start script <inubit-installdir>/inubit/client/bin/start_local.[bat|sh].

Insert the lines matching to your protocol and adjust the values:

HTTP

set JAVA_PARAMS=%JAVA_PARAMS% -Dhttp.proxyHost=Proxy_IP_or_URL
set JAVA_PARAMS=%JAVA_PARAMS% -Dhttp.proxyPort=8080
set JAVA_PARAMS=%JAVA_PARAMS% -Dhttp.proxyUserName=username
set JAVA_PARAMS=%JAVA_PARAMS% -Dhttp.proxyPassword=password
set JAVA_PARAMS=%JAVA_PARAMS% -Dhttp.nonProxyHosts=*.yourcompany.com

HTTPS

set JAVA_PARAMS=%JAVA_PARAMS% -Dhttps.proxyHost=Proxy_IP_or_URL
set JAVA_PARAMS=%JAVA_PARAMS% -Dhttps.proxyPort=8080
set JAVA_PARAMS=%JAVA_PARAMS% -Dhttps.proxyUserName=username
set JAVA_PARAMS=%JAVA_PARAMS% -Dhttps.proxyPassword=password
set JAVA_PARAMS=%JAVA_PARAMS% -Dhttps.nonProxyHosts=*.yourcompany.com

Restart the INUBIT Workbench.

Configuring Proxy Server between INUBIT Process Engine and Remote Computers

In some networks HTTP and HTTPS accesses are possible only via a proxy server. You configure this proxy server centrally at the INUBIT Process Engine.

Additionally, you can make exceptions, that means, define remote computers that are connected to directly and not via the proxy server.

Use a proxy server if there are errors when publishing and deploying Web Service Input Listeners Medium Connectors with external access to XML Schemas.

Proceed as follows

In the INUBIT Workbench open the tab Administration > General Settings > Administration > Proxy configuration category.

Check the Use proxy configuration option to activate the proxy settings to activate the following options. If you deactivate the Use proxy configuration after having configured proxy settings, your proxy configuration is preserved, but is not used anymore.

The values in this configuration overwrite the values set in the start script. If you leave the value for Server blank and activate the Use proxy configuration option, no proxy is used. You find the start scripts under <inubit-installdir>/inubit/server/process_engine/bin/setenv.[bat|sh].

Define your proxy settings. Click an option to display its explanation.
Save your changes.

Changing HTTP/HTTPS Ports

If necessary, you may change the HTTP(S) port of your INUBIT Process Engine. The following port numbers are given by default for the INUBIT Process Engine:

HTTP: 8000
HTTPS: 8443

Proceed as follows

Open the configuration file corresponding to your operating system:

<inubit-installdir>/inubit/server/process_engine/conf/server.xml
Change the ports.
Save your changes.
Restart the INUBIT Process Engine.

When having changed the port(s) in the server.xml file, you have to change the port number in the check_is_status.[sh|bat] file in the following directories, depending on your installation:

<inubit-installdir>/inubit/server/process_engine/bin <inubit-installdir>/inubit/client/bin

For this purpose, change the following line:

set START_URL=https://<server>:<port>

When using another protocol as HTTP and/or another hostname as localhost, you have to adjust these values as well.