Setup client certificate authentication in webMethods and test with SOAPUI

webMethods Integration Server offers three types of client authentication for requests that arrive on its HTTPS port. One of them is Require Client Certificates, which means Integration Server requires a client certificate for every request.

With a client certificate, you don’t need to provide a user/pin to identify yourself when you log in to Integration Server.

What is a client certificate?

A client digital certificate or client certificate is basically a file, usually protected with a password and loaded into a client application (usually as PKCS12 files with the .p12 or .pfx extension).

Configure Integration Server as an SSL Server

– Generate a public/private key pair using key store explorer. This certificate will be used as the server certificate.

o Select key store type as JKS.

o Enter key pair alias. Use your server domain name as alias.

o Enter key store password. You will need this key store password when you set up the key store in webMethods.

– Install the certificate in Integration Server

o Install the keystore via Security -> Keystore -> Create Keystore Alias on IS’s web frontend.

o Verify that the key store has been loaded.

o Install the certificate via Security -> Certificates -> Edit Certificates Settings. Please note that we don’t have a truststore set up at the moment; we will set it up when we create the client certificate.

– Add an HTTPS Port in Integration Server:

o Add HTTPS port via Security -> Ports -> Add Port

o Select Require Client Certificates as the client authentication method. Again, we will set up the truststore alias later.

o Test the HTTPS connection by navigating to https://localhost:5575 in IE.

The certificate error is ok, because we self-signed our certificate. Add the certificate to the list of trusted certificates and move on. If you use a “real” certificate later, the error will go away.

Configure SOAPUI as SSL client

– As with the server certificate, generate a client certificate using key store explorer, but choose PKCS #12 as the store type.

o Select key store type as PKCS #12.

o Enter key pair alias. Use your name and local pc name as alias.

o Enter key store password. You will need this key store password when you set up the key store in SOAPUI.

– Export client certificate and include it in trust store. This is to enable webMethods integration server to accept a self-signed certificate.

o Right click on the key pair, select export -> export certificate chain. Select X.509 as export format.

o Create a Java key store (.jks) that includes the certificate generated in the previous step.

– Configure the trust store in webMethods.

o Create truststore via Security -> Keystore -> Create Truststore Alias on IS’s web frontend.

o We should have both keystore and truststore setup in webMethods by now.

o Install the truststore via Security -> Certificates -> Edit Certificates Settings. Select truststore as alias from the drop down list.

o The final step is to associate the client certificate with a corresponding user in webMethods via Security -> Certificates -> Configure Client Certificates Settings.

– Use client certificate in SOAPUI

o Select the client key store in SOAPUI preference -> SSL settings.

o Test your client cert in SOAPUI! You will find the SSL information in the response.

As I mentioned at the beginning, try to log in to IS’s web frontend using HTTPS to see if you are asked for a user/pin!
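
The key store steps in this post can also be scripted with the JDK's keytool instead of key store explorer. This is an added example, not part of the original post: the aliases, file names and password are constructed placeholders, and `check_trust` is a hypothetical helper that confirms the trust store holds the client's certificate and no private key.

```shell
#!/bin/sh
# Added example: keytool equivalent of the key store explorer steps.
# Aliases, file names and the password are constructed placeholders.
set -eu
SERVER_ALIAS="is.example.test"   # assumed server domain name
CLIENT_ALIAS="alice-pc01"        # assumed "name + local pc name"
STOREPASS="${STOREPASS:-example-pass-123}"
export STOREPASS                 # read via :env so it stays out of argv

make_stores() {                  # $1 = output directory
    # Server key pair, JKS: becomes the Keystore Alias in IS.
    keytool -genkeypair -alias "$SERVER_ALIAS" -keyalg RSA -keysize 2048 \
        -validity 365 -dname "CN=$SERVER_ALIAS" -storetype JKS \
        -keystore "$1/server.jks" -storepass:env STOREPASS -keypass:env STOREPASS
    # Client key pair, PKCS #12: selected in SOAPUI's SSL settings.
    keytool -genkeypair -alias "$CLIENT_ALIAS" -keyalg RSA -keysize 2048 \
        -validity 365 -dname "CN=$CLIENT_ALIAS" -storetype PKCS12 \
        -keystore "$1/client.p12" -storepass:env STOREPASS -keypass:env STOREPASS
    # Export the client's certificate only (X.509, PEM); the key stays put.
    keytool -exportcert -rfc -alias "$CLIENT_ALIAS" -storetype PKCS12 \
        -keystore "$1/client.p12" -storepass:env STOREPASS -file "$1/client.cer"
    # Import it into a new JKS: becomes the Truststore Alias in IS.
    keytool -importcert -noprompt -alias "$CLIENT_ALIAS" -file "$1/client.cer" \
        -storetype JKS -keystore "$1/truststore.jks" -storepass:env STOREPASS
}

fingerprint() {                  # $1 = store, $2 = store type, $3 = alias
    keytool -list -v -keystore "$1" -storetype "$2" -alias "$3" \
        -storepass:env STOREPASS | sed -n 's/^.*SHA256: *//p' | head -n 1
}

private_keys_in() {              # $1 = store, $2 = store type; prints a count
    keytool -list -v -keystore "$1" -storetype "$2" \
        -storepass:env STOREPASS | grep -c 'PrivateKeyEntry' || true
}

# Succeeds only if the trust store holds exactly the client's certificate
# and no private key was copied to the server side by mistake.
check_trust() {                  # $1 = directory used by make_stores
    want=$(fingerprint "$1/client.p12" PKCS12 "$CLIENT_ALIAS")
    got=$(fingerprint "$1/truststore.jks" JKS "$CLIENT_ALIAS")
    [ -n "$want" ] && [ "$want" = "$got" ] &&
        [ "$(private_keys_in "$1/truststore.jks" JKS)" = "0" ]
}

if [ "${1:-}" = "--run" ]; then  # e.g. sh make-stores.sh --run ./certs
    mkdir -p "${2:-certs}"
    make_stores "${2:-certs}" && check_trust "${2:-certs}" && echo "stores OK"
fi
```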

Create date-time UTC string in SOAPUI using groovy

When testing web services in SOAPUI, the web service security policy might require a current date-time stamp to be passed in the security token. It is annoying to have to change the date-time string manually each time you test the web service. You can use the property scripting provided by SOAPUI to resolve this issue.

When you pass an invalid timestamp in the request, the response will look like this:
[Screenshot: soapui.invalidtimestamp]

Here is the article on using properties in SOAPUI:
https://www.soapui.org/scripting---properties/property-expansion.html

There are two common cases of inserting a dynamic date-time value in SOAPUI using groovy:
1. Insert formatted timestamp value. Use SimpleDateFormat in this case:
${=new java.text.SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss").format(new Date())}
2. Format timestamp as xsd:dateTime value. Use DatatypeFactory to create an XMLGregorianCalendar instance with newXMLGregorianCalendar:
${=javax.xml.datatype.DatatypeFactory.newInstance().newXMLGregorianCalendar(GregorianCalendar.getInstance())}

Then you can convert the date-time value into UTC format:
1. Insert formatted timestamp value. Use SimpleDateFormat with its time zone set to UTC, so that the literal 'Z' suffix matches the value (this expression also adds five minutes to the current time):
${=def f = new java.text.SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"); f.setTimeZone(TimeZone.getTimeZone("UTC")); f.format(new Date(System.currentTimeMillis()+5*60*1000))}
2. Format timestamp as xsd:dateTime value. Use DatatypeFactory to create an XMLGregorianCalendar instance with newXMLGregorianCalendar:
${=javax.xml.datatype.DatatypeFactory.newInstance().newXMLGregorianCalendar(GregorianCalendar.getInstance(TimeZone.getTimeZone("UTC")))}

Below is how it should look in SOAPUI.
[Screenshot: soapui.properties]

The last step is to include these properties in your web service request.
[Screenshot: soapui.request]

This is useful when creating an automated test suite.

Connect webMethods to WebSphere MQ as JMS provider

1. Copy the following files from the MQ installation directory to the webMethods Integration Server directory (IntegrationServer\lib\jars):

WebSphereMQ\java\lib\com.ibm.mq.commonservices.jar
WebSphereMQ\java\lib\com.ibm.mq.headers.jar
WebSphereMQ\java\lib\com.ibm.mq.jar
WebSphereMQ\java\lib\com.ibm.mq.jmqi.jar
WebSphereMQ\java\lib\com.ibm.mq.pcf.jar
WebSphereMQ\java\lib\com.ibm.mqjms.jar
WebSphereMQ\java\lib\dhbcore.jar
WebSphereMQ\java\lib\mqcontext.jar

mqcontext.jar can be found on github.com, while the other jars are provided by IBM in a default installation. Because Integration Server loads this jar into its own classpath, check where your copy comes from and record its hash before deploying it.
https://github.com/khaliqgaffar/jboss_esb_eval_proj/blob/master/AuditMonitor/esbcontent/lib/mqcontext.jar

2. Restart webMethods Integration Server.

3. Set up a new TCP/IP listener in MQ and start it.

4. Add a JNDI service provider in MQ as JMS administered objects.
Provider URL: servername:port/SYSTEM.DEF.SVRCONN (port is the one created in step 3)
Initial Context Factory: com.ibm.mq.jms.context.WMQInitialContextFactory
Required Libraries: mqcontext.jar
Connect this context factory.

5. Add an MQ connection factory.
Make sure you select “Connection Factory” as the type to view both Queue and Topic.

6. Add a JNDI service provider in webMethods.
Under IS Admin -> Settings -> Messaging -> JNDI Settings -> Create JNDI Provider Alias.
Test the JNDI provider.

7. Add a JMS connection alias in webMethods.
Under IS Admin -> Settings -> Messaging -> JMS Settings -> Create JMS Connection Alias.
JNDI Provider Alias: MQProvider (JNDI created in step 6)
Connection Factory Lookup Name: DEFAULT (Connection factory created in step 5)
Enable the JMS connection.

8. Send a JMS message from webMethods to MQ using the service pub.jms:send.

9. Retrieve a JMS message from MQ using a JMS trigger.