HTTPS and Security Certificates
Introduction
It is possible to access secure web services via HTTPS from within a BPEL Process created with and/or running in ActiveBPEL Server. A preparation step is required first, however, to identify the security certificate in question as a trusted certificate. This is done slightly differently, depending upon whether you're working in ActiveBPEL Designer or the ActiveBPEL Server BPEL Engine.
When browsing the Web it is common to reach URLs that begin with the secure "https" protocol. This protocol uses SSL (Secure Sockets Layer) to encrypt the data passed between the browser and the HTTP server. Before any data is exchanged, the browser checks the server's certificate against its list of trusted certificates and certificate authorities. When a certificate cannot be validated against that list, most browsers prompt the user to indicate whether or not the certificate should be trusted; if the user accepts it, the server's public certificate is imported into the browser's list of trusted certificates.
ActiveBPEL Server does not import public certificates automatically the way a browser does. Instead, the certificate must be imported by the user. There are two different procedures for this, one for run-time use and one for design-time use. In both cases, you will need a copy of the public security certificate you wish to add to the list of trusted certificates. You will also need to know the location of your Java Runtime Environment files (typically indicated by the JAVA_HOME environment variable), as well as the location of the JRE being used to run the BPEL Engine or ActiveBPEL Designer, as indicated below.
PDD Considerations and Importing a Security Certificate for Run-Time Use
In order to enable connections between BPEL Processes running in the ActiveBPEL Server Engine and external web services that are published using the HTTPS protocol, you'll need to ensure that the PDD uses the appropriate syntax. This involves simply ensuring that the wsa:Address specification for the wsa:EndpointReference of any partnerRole uses the appropriate protocol designator (e.g., "https"). For example, if the Google Search service were running on a secure server, you'd use something like the following:
<partnerLinks>
    <partnerLink name="googlePL">
        <partnerRole endpointReference="static">
            <wsa:EndpointReference xmlns:s="urn:GoogleSearch">
                <wsa:Address>https://api.google.com/search/beta2</wsa:Address>
                <wsa:ServiceName PortName="GoogleSearchPort">
                    s:GoogleSearchService
                </wsa:ServiceName>
            </wsa:EndpointReference>
        </partnerRole>
    </partnerLink>
    . . .
</partnerLinks>
In addition to the PDD considerations, you'll also need to import the server's public security certificate into the cacerts keystore of the JRE that runs the application server hosting the BPEL Engine. That keystore is the list of trusted certificates the engine's HTTPS connections are validated against, so a certificate that is not in it (or not issued by a certificate authority in it) causes the connection to the partner service to fail. The import is done as the following command line example shows. This example assumes that the Java Runtime is located at C:\jdk1.5.0_04\jre\bin\. From a command window opened in this directory, execute:
keytool -import -keystore "C:\jdk1.5.0_04\jre\lib\security\cacerts" -alias <your-alias-goes-here> -file <your-server-cert-file-name-goes-here>
If, for instance, your application server is running with a JVM from C:\jre1.5.0_04\bin\, then the command line would be changed to:
keytool -import -keystore "C:\jre1.5.0_04\lib\security\cacerts" -alias <your-alias-goes-here> -file <your-server-cert-file-name-goes-here>
Restart the BPEL Engine for the changes to take effect.
Importing a Security Certificate for Design-Time Use
Some WSDL definitions are published on a secure application server. In order to import such WSDL definitions into ActiveBPEL Designer as a Web Reference, it may be necessary to connect to an application server using HTTPS. If so, it'll be necessary to import that server's public security certificate into the keystore for the JVM being used to run Designer. This is done as the following command line example shows. This command should be executed in a command window opened in the JRE's bin directory (e.g., C:\Program Files\Active Endpoints\ActiveBPEL Designer\Designer\eclipse\jre\bin).
keytool -import -keystore "C:\Program Files\Active Endpoints\ActiveBPEL Designer\Designer\eclipse\jre\lib\security\cacerts" -alias <your-alias-goes-here> -file <your-server-cert-file-name-goes-here>
Restart Designer for the changes to take effect.
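The following Go program is an added illustration of what the keytool import in both procedures above (run-time and design-time) accomplishes; it is not part of ActiveBPEL or of this documentation. It generates a self-signed certificate for the hypothetical host bpel-partner.example as a constructed stand-in for the partner server's public certificate file, then validates that certificate the way an HTTPS client does: first against an empty trust store (the situation before the import, where the handshake fails with an unknown-authority error), then against a trust store containing the certificate (the situation after the import). An in-memory CertPool plays the role of the JRE's cacerts file. It also prints the certificate's SHA1 fingerprint in the colon-separated form keytool shows at its "Trust this certificate?" prompt, which is the value you should compare with one obtained out of band before answering yes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// makeServerCertPEM builds a self-signed certificate for host. This is a
// constructed stand-in for the partner server's public certificate (the file
// you would otherwise export from the browser); it exists only so the example
// runs offline. Real partner certificates are obtained from the server, never
// generated locally.
func makeServerCertPEM(host string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// parsePEMCert decodes a PEM certificate file such as the one passed to
// "keytool -import -file".
func parsePEMCert(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// fingerprintSHA1 formats the SHA1 fingerprint of the DER encoding the way
// keytool prints it (AB:CD:...), so it can be compared before trusting.
func fingerprintSHA1(cert *x509.Certificate) string {
	sum := sha1.Sum(cert.Raw)
	parts := make([]string, len(sum))
	for i, b := range sum {
		parts[i] = fmt.Sprintf("%02X", b)
	}
	return strings.Join(parts, ":")
}

// checkTrusted performs the validation a TLS client does for host against a
// trust store. Here the CertPool plays the role of the JRE's cacerts file.
func checkTrusted(cert *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	const host = "bpel-partner.example" // hypothetical partner service host
	pemBytes, err := makeServerCertPEM(host)
	if err != nil {
		panic(err)
	}
	cert, err := parsePEMCert(pemBytes)
	if err != nil {
		panic(err)
	}
	fmt.Println("SHA1 fingerprint:", fingerprintSHA1(cert))

	// Before the import: an empty trust store rejects the server, which is the
	// failure a BPEL process sees when the certificate is unknown to the JRE.
	empty := x509.NewCertPool()
	fmt.Println("before import:", checkTrusted(cert, empty, host))

	// After the import (the keytool -import step): the same certificate
	// validates, but only for the host name it was issued to.
	trusted := x509.NewCertPool()
	trusted.AddCert(cert)
	fmt.Println("after import:", checkTrusted(cert, trusted, host))
	fmt.Println("wrong host:", checkTrusted(cert, trusted, "other.example"))
}
```

Note that the host-name check still applies after the import: trusting a certificate does not make it valid for an endpoint whose name it does not carry, so the host in the wsa:Address of the PDD must match a name in the partner's certificate.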
Additional Information
The default password for the cacerts keystore is "changeit" (no quotes); keytool prompts for it when you run the import. Before the certificate is stored, keytool prints its owner, issuer, validity period and fingerprints and asks "Trust this certificate?". Compare the fingerprint with one obtained directly from the service provider (or shown by the browser for the same server) before answering yes; a certificate trusted here is trusted for any server that can present it.
Bear in mind that cacerts is shared by every application that runs on that JRE, so a certificate imported for ActiveBPEL is trusted by all of them, and that the file is replaced when the JRE is upgraded, after which the import must be repeated. If you would rather not modify the JRE-wide keystore, the JVM running the application server can be pointed at a separate trust store with the standard system properties javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword; the keytool command is the same apart from the -keystore path.
For more information on the keytool command, execute "keytool -help" at the command line or go to http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html.
Copyright © 2004–2007 Active Endpoints, Inc.
