Setup client certificate authentication in webMethods and test with SOAPUI

webMethods has three types of Client Authentication when Integration Server performing requests that arrive on its HTTPS port. One of them is Require Client Certificates, this means Integration Server requires client certificates for all requests.

By using a client certificate, you don’t need to provide user/pin to identify yourself when login to Integration Server.

What is a client certificate?

A client digital certificate or client certificate is basically a file, usually protected with a password and loaded into a client application (usually as PKCS12 files with the .p12 or .pfx extension).

Config Integration Server as an SSL Server

– Generate a public/private key pair using key store explorer. This certification will be used as server certification.

o Select key store type as JKS.

o Enter key pair alias. Use your server domain name as alias.
image002

o Enter key store password. This key store password is important when setup key store in webMethods.

image003.png

– Install the certificate in Integration Server

o Install the keystore via Security -> Keystore -> Create Keystore Alias on IS’s web frontend.
image004.png

o To verify the key store has been loaded.
image005.png

o Install the certificate via Security -> Certificates -> Edit Certificates Settings. Please notice we don’t have truststore setup at the moment and we will setup this up when we create client certificate.
image006.png

– Add an HTTPS Port in Integration Server:

o Add HTTPS port via Security -> Ports -> Add Port

o Select require client certificate as client authentication methods. Again here we will setup truststore alias later.
image008.png

o Test the HTTPS connection by navigating to https://localhost:5575 in IE.

The certificate error is ok, because we self-signed our certificate. Add the certificate to the list of trusted certificates and move on. If you use a “real” certificate later, the error will go away.
image009.png

Config SOPAUI as SSL client

– Similar to generate server certificate, generate a client certificate using key store explorer but choose PKCS #12 as store type

o Select key store type as PKCS #12.

o Enter key pair alias. Use your name and local pc name as alias.
image011.png

o Enter key store password. This key store password is important when setup key store in SOAPUI.
image012.png

– Export client certificate and include it in trust store. This is to enable webMethods integration server to accept a self-signed certificate.

o Right click on the key pair, select export -> export certificate chain. Select X.509 as export format.
image013.png

o Create java key store (.jks) to include the cert that generate in the previous step.
image014.png

– Config trust store in webMehtods.

o Create truststore via Security -> Keystore -> Create Truststore Alias on IS’s web frontend.
image015.png

o We should have both keystore and truststore setup in webMethods by now.
image023.jpg

o Install the truststore via Security -> Certificates -> Edit Certificates Settings. Select truststore as alias from the drop down list.
image018.png

o The final step to associate client certificate with a correspondence user in webMethods via Security -> Certificates -> Configure Client Certificates Settings.
image019.png

– Use client certificate in SOAPUI

o Select the client key store in SOAPUI preference -> SSL settings.
image024.jpg

o Test your client cert in SOAPUI! You will find the SSL information in the response.
image025.jpg

As I mentioned at the beginning, try to login to IS’s web frontend using HTTPS to see if you were asked for a user/pin!

Advertisements

3 thoughts on “Setup client certificate authentication in webMethods and test with SOAPUI

  1. Pingback: X.509 Authentication implemented as WS-Security policy | Advanced webMethods Developer

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s