How to install an SSL/TLS Certificate on Pega IAC Gateway (Web Mashup)
My customer wishes to embed Pega functionality in their company portal for their end-users to access. So we are using Pega Internet Application Gateway (IAC), 'prgateway' to implement a Gadget which can be embedded into the customer's webpage. So far so good. However, the customer wishes to use SSL, and their network architecture has an IBM application called "DataPower" situated between the server where prgateway is to run and the PRPC system. So the network architecture looks like this:
End-User's browser -> Customer's portal with Pega Gadget -> prgateway -> IBM DataPower -> Pega PRPC.
The prgateway is installed OK, and we can connect to the IAC Console on it with a browser. So, we go to 'Host Configuration' and start configuring a host, providing the URL of the DataPower system (which will relay the connection on to PRPC). At this point we run into trouble. When we click "Test Connection" we get red lights and the error message "Since this is a secure connection, SSL certificates need to be added in Gateway TrustStore, click install SSL certificates".
And, next to the 'PRPC Host URL' textbox two new icons have appeared, 'View certificate chain' and 'Trust this site'. When we click 'View certificate chain', the correct certificate information appears, showing Issued To and Issued By information. But, when we click 'Trust this site' an error message appears "Could not retrieve following CA certificate(s) from the server, install them manually: 1. <the correct certificate info here>".
So the questions:
1. Has anyone else had problems installing SSL certificates in IAC Gateway Console?
2. I have installed 'OpenSSL' on my development system, connected to the DataPower URL and successfully downloaded the SSL certificate. Does anyone know how to go about manually installing this in the Pega IAC Gateway?
My copy of 'prgateway.war' (which is what the IAC Gateway deployment file is called) does not have any file or folder inside it called 'prgateway.jks'. I also have the IAC gateway files 'prgateway.war' that came with Pega716, and Pega719 versions as well. None of those files have a 'prgateway.jks' file/folder inside the .war file either.
Please excuse my ignorance, but I have absolutely no experience whatever of manually installing SSL certificates, so please do not assume any prior knowledge on my part. If you could tell me where I can find this 'prgateway.jks' file, and what tools I need to open it and insert my certificate, I would be very grateful.
It is not a completely new installation, the customer is running Pega7.1.8, this is an enhancement to add a web mashup.
All the documentation I have read (and there is lots on the PDN) suggests we should use IAC gateway to manage the cookies and the session information.
So - I am not sure if trying to use the gadget without the gateway is a safe thing to do, a good idea - I simply do not know.
Would you mind sending the documentation to me as well? We are doing a new web mashup implementation for an internet-facing app and facing many challenges. If the gateway is out of the configuration, one challenge is out of our way. Thanks.
Thanks David. I just tried it with an existing case and it looks very promising. My use case is just to expose a harness, let me play around with it a little bit and then I will get back here with additional questions.
As Kevin noted, the gateway is no longer required. Given that you have a DataPower device, you can use it to handle host aliasing for avoiding cross-domain issues as well as sticky sessions and cookies - even with Pega 7.1.8.
That is absolutely great. This solution is exactly what is needed. Kevin's documentation discusses configuration for several applications that can be used as reverse-proxy server, specifically Nginx, Microsoft IIS, F5 BigIP, Cisco, Amazon Cloudfront.
Unfortunately Kevin's document does not discuss configuration of IBM DataPower.
Do we have anywhere some sort of guide, or any information at all, about how to configure IBM DataPower to function as a reverse-proxy server for Pega Web mashup? Any help would be greatly appreciated.
OK, thanks to everyone out there who has taken the time to read my question and particular thanks to those who have replied with helpful answers. I now have a functioning solution (well, it is not fully functional but at least the SSL bit works).
The keystore used by the IAC gateway is in the .war file in the directory /WEB-INF/lib; the file is called 'prgateway.jks', it is password protected and the password is "changeit".
The SSL certificate for the URL that you need to communicate with can be obtained using 'OpenSSL'. OpenSSL is a freeware command-line application; run it from a cmd prompt and use the command:
And quite a bit of output scrolls up the screen, and in among it we should have
-----BEGIN CERTIFICATE-----
<a block of base64-encoded gibberish>
-----END CERTIFICATE-----
Cut and paste all of this including the BEGIN- and END- into notepad or similar and save to disk with the extension ".cer". That is your certificate.
To add the certificate to the keystore, you need 'keytool', which is a utility that comes bundled with the Java JDK. Like OpenSSL it is a command-line utility. So: download and install the Java JDK on your laptop (make life easy for yourself and don't use a directory with a space char in the name). Open a cmd window, and add the JDK bin directory to your path:
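An added example, not code from the thread or from Pega: a POSIX shell script that fetches the chain from the DataPower endpoint with openssl s_client, splits it into one .cer file per certificate (the error above says the CA certificates could not be retrieved, so the intermediates have to be imported too, not only the leaf), and imports each into prgateway.jks with keytool. It assumes the keystore has been extracted from WEB-INF/lib, the password "changeit" from the post above, and a HOST:PORT you supply.

```shell
#!/bin/sh
# Added example: split an "openssl s_client -showcerts" chain into .cer files
# and import them into the IAC gateway truststore. Assumes prgateway.jks is in
# the current directory and the store password is "changeit" (per the thread).
set -eu

# Write each PEM block found in file $1 to "$2<n>.cer"; print the number written.
split_chain() {
  awk -v prefix="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = prefix n ".cer"; inblock = 1 }
    inblock                       { print > out }
    /-----END CERTIFICATE-----/   { inblock = 0; close(out) }
    END                           { print n + 0 }
  ' "$1"
}

# Fetch the full chain from a live server ($1 = host:port). Needs network,
# so the offline test below exercises split_chain on constructed output instead.
fetch_chain() {
  # </dev/null closes stdin so s_client exits right after the handshake.
  openssl s_client -connect "$1" -servername "${1%%:*}" -showcerts </dev/null 2>/dev/null
}

# Import every "$2<n>.cer" into keystore $1. The subject and SHA-256
# fingerprint are printed first so they can be compared with what the
# DataPower administrator reports before the certificate is trusted.
import_chain() {
  ks="$1"; prefix="$2"
  for cer in "$prefix"*.cer; do
    openssl x509 -in "$cer" -noout -subject -fingerprint -sha256
    keytool -importcert -noprompt -trustcacerts -keystore "$ks" -storepass changeit \
      -alias "$(basename "$cer" .cer)" -file "$cer"
  done
}

# Usage: sh import-chain.sh run datapower.example.internal:443  (hypothetical host)
if [ "${1:-}" = "run" ]; then
  fetch_chain "$2" > chain.txt
  split_chain chain.txt datapower-
  import_chain prgateway.jks datapower-
  keytool -list -keystore prgateway.jks -storepass changeit
fi
```

After importing, repackage prgateway.jks into the .war under WEB-INF/lib and redeploy; the "Test Connection" check in the IAC Console should then go green.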