Configuring Secure Connections

For information about the SSL configuration of the Remote Connector, refer to Configuring a Secure Connection to the INUBIT Process Engine.

Configuring SSL Connections and Server Authentication

You can secure the communication between the INUBIT Process Engine and clients such as the INUBIT Workbench by using the HTTPS protocol, which is secured by SSL/TLS.

When using HTTPS, the INUBIT Process Engine and the BPC Portal or the INUBIT Process Engine and a web service consumer communicate via encrypted data. Additionally, clients (e.g. INUBIT Workbench, web browsers) can verify the certificate of the server (e.g. INUBIT Process Engine, BPC Portal) to authenticate the connection.

As operator of the INUBIT Process Engine, you create the keystore. A keystore contains certificates with the corresponding public keys and the private key belonging to the certificate. The public key is part of the certificate that the client uses to authenticate the server.

Configure the HTTPS connection and deposit the keystore in the INUBIT Process Engine.

Based on the domain, the keystore is searched for a certificate with the corresponding alias. Name your keystore by the DNS name so that it can be found.

The server certificate is deposited in the so-called trust store at the client (e.g. INUBIT Workbench) and, there, you also configure the HTTPS connection. In contrast to the keystore, the trust store contains certificates only.

In this way, the INUBIT Process Engine can access the private key and the INUBIT Workbench can access the certificate, by means of a public key.

Normally, the SSL connection between client and server is already terminated at the LoadBalancer. This can be sufficient if the connection between the LoadBalancer and the instance behind it is established in a secure network. In addition, the configuration between the LoadBalancer and the instance can be secured via SSL. Information on the SSL configuration of the LoadBalancer used can be found in its manual.

Proceed as follows

  1. Create a keystore and a self-signed certificate. To do so, call up the keytool via the command line in the directory <inubit-installdir>/_jvm/bin/keytool.exe.

    The following parameters generate a keystore ibis_demo_keystore with a self-signed certificate with a public key. When generating, assign one password for the keystore and one the certificate. Adjust the parameter values to your own IT environment (except -alias):

    keytool -genkey
    -alias tomcat
    -dname "CN=server.domain.com, O=Example Inc, C=DE"
    -keystore ./keys/inubit_demo_keystore.jks
    -keyalg RSA
  2. Extract the certificate:

    keytool
    -export
    -alias tomcat
    -storepass PasswordKeystore
    -keystore ./keys/inubit_demo_keystore.jks
    -file ./keys/inubit_demo_certificate.crt
  3. Configure the INUBIT Process Engine. To do this, open the following configuration file:
    <inubit‑installdir>/server/process_engine/conf/server.xml
    and navigate to the default connector path.

    <Connector
            port="8443"
            protocol="org.apache.coyote.http11.Http11Nio2Protocol"
            maxThreads="150"
            SSLEnabled="true">
        <SSLHostConfig>
            <Certificate
                certificateKeystoreFile="conf/localhost-rsa.jks"
                certificateKeystorePassword="change it"
                type="RSA" />
        </SSLHostConfig>
    </Connector>

    The type of certificate must be compatible. It must be one of UNDEFINED, RSA, DSA or EC.

    If only one Certificate is nested within a SSLHostConfig then type attribute is not required and will default to UNDEFINED. If multiple Certificates are nested within a SSLHostConfig then type attribute is required and each Certificate must have a unique type.

  4. Edit the following parameters:

    • certificateKeystoreFile

      Enter the full path to the RSA keystore file of the certificate.

    • certificateKeystorePassword

      Enter the password for the RSA keystore file of the certificate.

  5. Restart the INUBIT Process Engine.

  6. Add the certificate to the client’s truststore.

    The server authentication is only done when it is selected in the Workbench and the added certificate contains a private key.

    With the following command you copy the certificate to the client computer and import it to the truststore:

    keytool
    -import
    -alias tomcat
    -file ./keys/inubit_demo_certificate.crt
    -keystore ./keys/inubit_demo_truststore.jks
  7. Confirm the call back Trust this certificate?

  8. If you use a self-signed certificate, you need to declare the truststore for Java, because the Java framework checks the server certificate’s reliability. If the truststore is not declared, the communication with the INUBIT Process Engine via HTTPS fails, for example when loading documents from the INUBIT Process Engine via the XSLT function document() or when loading a URL in the XML Editor.

    The truststore must be declared in the start script of the INUBIT Process Engine and the INUBIT Workbench:

    1. Open the start script of the INUBIT Process Engine: <inubit-installdir>/inubit/server/process_engine/bin/setenv.[bat|sh]

    2. Open the INUBIT Workbench start script in <inubit-installdir>/inubit/client/bin/start_local.[bat|sh].

    3. Add the following and adjust the path to your truststore:

      • Windows

        set JVM_PARAMS=%JVM_PARAMS% -Djavax.net.ssl.trustStore=<path-to-truststore>\inubit_demo_truststore.jks
      • Linux

        JVM_PARAMS="$JVM_PARAMS -Djavax.net.ssl.trustStore=<path-to-truststore>/inubit_demo_truststore.jks"
  9. To view the content of the truststore, use the following command:

    keytool
    -keystore ./keys/inubit_demo_truststore.jks
    -list
    -v
  10. Restart the INUBIT Workbench.

  11. For the SSL configuration create a new login profile based on an HTTPS connection, for example https://<server>:<port>/ibis/servlet/IBISSoapServlet, and enter the path of the truststore file.

    administration guide 209 1

Configuring INUBIT Process Engine using NIO Implementation

Recommended structure by Apache Tomcat.

Prerequisites

Proceed as follows

  1. Remove the annotation marks of the NIO structure example:

    <Connector
            port="8443"
            protocol="org.apache.coyote.http11.Http11Nio2Protocol"
            maxThreads="150"
            SSLEnabled="true">
        <SSLHostConfig>
            <Certificate
                certificateKeystoreFile="conf/localhost-rsa.jks"
                certificateKeystorePassword="change it"
                type="RSA" />
        </SSLHostConfig>
    </Connector>
  2. Edit the following parameters:

    • certificateKeystoreFile

      Enter the full path to the RSA keystore file of the certificate.

    • certificateKeystorePassword

      Enter the password for the RSA keystore file.

  3. Continue with step 4, refer to Configuring SSL Connections and Server Authentication

Configuring INUBIT Process Engine using APR/Native Implementation

Prerequisites

Proceed as follows

  1. Remove the annotation marks of the APR/native structure example:

    <Connector
            port="8443"
            protocol="org.apache.coyote.http11.Http11AprProtocol"
            maxThreads="150"
            SSLEnabled="true">
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig>
            <Certificate
                certificateKeyFile="conf/localhost-rsa-key.pem"
                certificateFile="conf/localhost-rsa-cert.pem"
                certificateChainFile="conf/localhost-rsa-chain.pem"
                type="RSA" />
        </SSLHostConfig>
    </Connector>
  2. Edit the following parameters:

    • certificateKeystoreFile

      Enter the full path to the RSA keystore file of the certificate.

    • certificateFile

      Enter the full path to the RSA certificate file.

    • certificateChainFile

      Enter the full path to the RSA certificate chain file.

  3. Continue with step 4, refer to Configuring SSL Connections and Server Authentication

Configuring INUBIT Process Engine using old style

Prerequisites

Proceed as follows

  1. Use this example:

    <Connector
        port="8443"
        protocol="HTTP/1.1"
        URIEncoding="UTF-8"
        connectionTimeout="20000"
        maxThreads="150"
        minSpareThreads="25"
        maxSpareThreads="75"
        enableLookups="false"
        acceptCount="100"
        compression="on"
        compressionMinSize="2048"
        compressableMimeType="text/html,text/xml,text/javascript"
        server="Apache"
        emptySessionPath="true"
        SSLEnabled="true"
        scheme="https"
        secure="true"
        clientAuth="false"
        sslProtocol="TLS"
        keystoreFile="/absolute/path/to/keystore.jks"
        keystorePass="changeit"
        keyAlias="chageit"
        ciphers="TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_
        256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WIT
        H_AES_256_GCM_SHA384">
        ...
    </Connector>
  2. Add the list of cipher names each separated by comma.

  3. Edit the following parameters:

    • keystoreFile

      Enter the full path to the keystore file (private key and certificate).

    • keystorePass

      Enter the password for the keystore file.

    • keyAlias

      Alias name of the keystore entry. If this entry is missing, tomcat or the first entry in the keystore is used.

  4. Continue with step 4, refer to Configuring SSL Connections and Server Authentication

Activating Traces for HTTPS Connections

In order to obtain meaningful traces for HTTPS connections between INUBIT Workbench and INUBIT Process Engine, the start scripts of the two components can be adjusted.

Proceed as follows

  1. Close the INUBIT Workbench and stop the INUBIT Process Engine.

  2. Open the following start scripts:

    • INUBIT Workbench

      <inubit-installdir>/inubit/client/bin/start_local.[bat|sh]

    • INUBIT Process Engine

      <inubit-installdir>/inubit/server/process_engine/bin/setenv.sh

  3. Insert the following lines:

    • INUBIT Workbench:

      set JAVA_PARAMS=%JAVA_PARAMS% -Djavax.net.debug= ssl,handshake,data,trustmanager
    • INUBIT Process Engine:

      set JAVA_PARAMS=%JAVA_PARAMS% -Djavax.net.debug=ssl,handshake,data,trustmanager
  4. Restart the INUBIT Process Engine and the INUBIT Workbench.

Configuring a HTTP/HTTPS Proxy Server for INUBIT Workbench and/or INUBIT Process Engine

Proxy-Servers can be used for the HTTP(S) communication between

  • the INUBIT Workbench and the INUBIT Process Engine,

  • the INUBIT Process Engine and remote computers,

  • Remote Connectors and other remote computers.

External files (WSDLs, URLs etc.) don’t need to be reachable from the INUBIT Workbench because they are always loaded via the INUBIT Process Engine.

A proxy server can be used for aims like

  • Increasing security

    Computers on the local network should not have direct Internet access; a proxy server may be used as an interface between the two networks.

  • Bandwidth control

    The proxy server may allocate different resources to different user groups dependent upon utilization.

Configuring a Proxy Server between INUBIT Workbench and INUBIT Process Engine

Proceed as follows

  1. Stop the INUBIT Workbench.

  2. Open the start script <inubit-installdir>/inubit/client/bin/start_local.[bat|sh].

  3. Insert the lines matching to your protocol and adjust the values:

    • HTTP

      set JAVA_PARAMS=%JAVA_PARAMS% -Dhttp.proxyHost=Proxy_IP_or_URL
      set JAVA_PARAMS=%JAVA_PARAMS% -Dhttp.proxyPort=8080
      set JAVA_PARAMS=%JAVA_PARAMS% -Dhttp.proxyUserName=username
      set JAVA_PARAMS=%JAVA_PARAMS% -Dhttp.proxyPassword=password
      set JAVA_PARAMS=%JAVA_PARAMS% -Dhttp.nonProxyHosts=*.yourcompany.com
    • HTTPS

      set JAVA_PARAMS=%JAVA_PARAMS% -Dhttps.proxyHost=Proxy_IP_or_URL
      set JAVA_PARAMS=%JAVA_PARAMS% -Dhttps.proxyPort=8080
      set JAVA_PARAMS=%JAVA_PARAMS% -Dhttps.proxyUserName=username
      set JAVA_PARAMS=%JAVA_PARAMS% -Dhttps.proxyPassword=password
      set JAVA_PARAMS=%JAVA_PARAMS% -Dhttps.nonProxyHosts=*.yourcompany.com
  4. Restart the INUBIT Workbench.

Configuring Proxy Server between INUBIT Process Engine and Remote Computers

In some networks HTTP and HTTPS accesses are possible only via a proxy server. You configure this proxy server centrally at the INUBIT Process Engine.

Additionally, you can make exceptions, that means, define remote computers that are connected to directly and not via the proxy server.

Use a proxy server if there are errors when publishing and deploying Web Service Input Listeners Medium Connectors with external access to XML Schemas.

Proceed as follows

  1. In the INUBIT Workbench open the tab Administration > General Settings > Administration > Proxy configuration category.

  2. Check the Use proxy configuration option to activate the proxy settings to activate the following options. If you deactivate the Use proxy configuration after having configured proxy settings, your proxy configuration is preserved, but is not used anymore.

    The values in this configuration overwrite the values set in the start script. If you leave the value for Server blank and activate the Use proxy configuration option, no proxy is used. You find the start scripts under <inubit-installdir>/inubit/server/process_engine/bin/setenv.[bat|sh].

  3. Define your proxy settings. Click an option to display its explanation.

  4. Save your changes.

Changing HTTP/HTTPS Ports

If necessary, you may change the HTTP(S) port of your INUBIT Process Engine. The following port numbers are given by default for the INUBIT Process Engine:

  • HTTP: 8000

  • HTTPS: 8443

Proceed as follows

  1. Open the configuration file corresponding to your operating system:

    <inubit-installdir>/inubit/server/process_engine/conf/server.xml

  2. Change the ports.

  3. Save your changes.

  4. Restart the INUBIT Process Engine.

When having changed the port(s) in the server.xml file, you have to change the port number in the check_is_status.[sh|bat] file in the following directories, depending on your installation:

<inubit-installdir>/inubit/server/process_engine/bin <inubit-installdir>/inubit/client/bin

For this purpose, change the following line:

set START_URL=https://<server>:<port>

When using another protocol as HTTP and/or another hostname as localhost, you have to adjust these values as well.