Posted: 13 Oct 2016 2:27 EDT Last activity: 24 Oct 2016 7:06 EDT
Implement 2-Way SSL for Rest integration.
One of our client wish to implement 2-way SSL for rest integration. PRPC (V 7.1.6 and Apache tomcat V 7.0.42) acts as client and external system acts as service provider.
Based on my understanding,
Client trust store should contain service provider digital certificate and client should give its certificate to service provider.
Q1) How to get the digital certificate of the service provider?
Q2) How to install the obtained digital certificate to application server and trust store?
Q3) where can we locate the digital certificate of PEGA that should be supplied to the service provider?
Q4) since connect-rest rule form (V7.1.6) doesn’t provide options for trust store and keystore, is it possible to implement 2-Way SSL? If so, what are the configuration changes required in PEGA and in Application server?
Hi, I can try to answer some of these questions, but I suggest that you read some tomcat and java documentation on being a 2-way SSL client, as there are many facets to configuring this correctly.
The certificate of the service provider is likely signed by a 3rd party Certificate Authority. It would be best to find out what that certificate authority is, and obtain their certificate rather than the service provider's certificate. For example, the certificate for https://www.google.com is declared trustworthy by GeoTrust Global CA, so having the GeoTrust Global CA certificate in the trust store is sufficient. Most versions of java come with a default 'cacerts' trust store, which is pre-loaded with certificates for popular 3rd party Certificate Authorities, so you may not have to do anything to the trust store.
The easiest way to add a trusted CA certificate is to just add it to the java trust store. This is likely the 'cacerts' trust store at your java install location.
In general, the client certificate needs to be generated by or created in collaboration with the service provider. I cannot offer any specific instructions on how to do that as it varies by service provider.
Two-way SSL should work despite the lack of keystore/truststore fields, as long as you have correctly set up java and tomcat to be a 2-way SSL client to the service. Pega will leverage the java settings when attempting the SSL handshake.