Question
CA
Last activity: 12 Jul 2017 5:36 EDT
Rule level keystore vs Server level
Hi
We ran into an issue with Connect-SOAP where when we supplied keystore at App server (Websphere), then connect soap works fine in 7.1.7. However, the same SOAP call doesn't work fine in 7.1.9 in another app.
We tried supplying Keystore at rule level i.e. in Connect SOAP rule, by enabling WS-Security and creating a security profile containing keystore. And it worked fine.
a) Can someone explain this inconsistency in behaviour from 7.1.7 - 7.1.9..?
b) And which one is the preferred option - Rule level or Server level KS..?
Thanks
***Updated by moderator: Marissa to add SR Details***
PEG
IN
I would like to get clarification on below queries.
the same SOAP call doesn't work fine in 7.1.9 in another app?
Are you using same application server for 7.1.9? If yes, keystore is present or not? Which application scope keystore is present like node,cell and cluster levels in WAS?
Regarding your 2nd question, rule level keystore would be applicable to that particular application only, whereas if you specify at application server level it should be applicable to other applications also.
Hope this helps!
CA
the same SOAP call doesn't work fine in 7.1.9 in another app?
- No it doesn't
Are you using same application server for 7.1.9? If yes, keystore is present or not? Which application scope keystore is present like node,cell and cluster levels in WAS?
- Same appserver. Keystore is at cell level.
Thanks
Pegasystems Inc.
US
Can you cofirm that in 7.1.9 you did not "enable WS Security" and instead just used the WS Security profile to set the keystore/truststore information?
To answer one of your questions: as you have seen, the best option in the Pega versions you are using is the Rule-Level settings.
CA
I have enabled WS Security and then supplied Security Profile.
Jeff - On a different note, say I have 60 connectors in my application, don't you think it's less maintainable solution if in future keystore or trustore changes..?
Pegasystems Inc.
US
Hi Nikhil,
On WebSphere, cell, node and server level trust store support was broken in 7.1.9 and remains so in 7.2.1. We are shipping a fix with 7.2.2.
We understand that trust stores are often managed by different teams and may change by environment (dev, test, prod, etc.). Thus, managing these within Pega rules causes some operational headaches.
Thanks,
Charlie
CA
Hi Charlie
Thanks a lot for clarifying this riddle.
Question : Is there any "one stop" alternative or workaround to store trustores/keystores for 7.1.9-7.2..? (I have 65 connectors in my application and it's a nightmare to change these in different envs.)
Thanks
Luxoft
IN
HI Charlie,
We are using Pega 7.2.1 and trying to connect with Connect -Soap with keystore and truststore defined WAS cluster level. But Pega is not able to pick up the keystore and truststore from WAS cluster level. Is this because of support broken in 7.2.1 ? Is there any fix to resolve the issue?
Regards
Hari
Pegasystems Inc.
Hi Hari,
Yes, Pega 721 supports websphere cell level Keystore and trustore. You need the HFix-34245.
Regards,
Diptiman
Updated: 12 Jul 2017 5:36 EDT
Pegasystems Inc.
IN
Hi Hari,
Refer the following article to get more information on obtaining the hotfix.
Raising Support Requests for Hotfixes now made easy!
Hope the information is helpful.
Thanks!