Monday, 9 February 2015

BW SSL Security

BW SSL Security Related Topic
========================================================================

- TIBCO ActiveMatrix BusinessWorks can use Secure Sockets Layer (SSL) to provide secure communication. The successor to SSL is Transport Layer Security (TLS), but the term SSL is used synonymously with TLS in this document.

- Secure Sockets Layer (SSL) is a protocol that uses public and private keys to secure communication between parties.

- When an SSL connection is requested, the initiator (or client) and responder (or server) perform a handshake where digital identities or certificates are exchanged to ensure that each party is who the other expects.

- SSL can also be used to specify an encryption algorithm for the data that is exchanged between the parties.
========================================================================

- Introduction of TIBCO BW Security
TIBCO ActiveMatrix BusinessWorks can act as an initiator or a responder in an SSL connection. Several types of connections can optionally use SSL, such as:
  - FTP Connection
  - HTTP Connection
  - JMS Connection
  - Rendezvous Transport
In addition, the following activities can also specify SSL connections:
  - ActiveEnterprise Adapter activities using JMS or RV transports
  - Send HTTP Request
  - SOAP Request Reply

- TIBCO ActiveMatrix BusinessWorks uses digital certificates to validate the identity of parties in an SSL connection. TIBCO ActiveMatrix BusinessWorks requires both initiators (clients) and responders (servers) to present certificates during the SSL handshake. Typically, only the server is required to present its certificate to the client for verification, but TIBCO ActiveMatrix BusinessWorks enforces a bilateral model where both client and server must present certificates.
=====================================================================




Different ways of identifying a party in SSL with TIBCO:

1> TIBCO ActiveMatrix BusinessWorks uses the Identity resource to configure the identity of activities that act as initiators (clients) or responders (servers) in an SSL connection. The Identity resource stores the certificate of the activity (initiator or responder) and the location of the folder in the project that contains the trusted certificates of other parties that can participate in an SSL connection.

2> Identity resources contain information that is used to authorize a connection.
The responder (or server) in an SSL connection request must have an identity, and the initiator (client) must also have an identity. The Identity resource can be used to store one of the following types of identities:

3> Username/Password. 
Used to store a username and password. Useful when basic client authentication is needed. Typically not used within TIBCO ActiveMatrix BusinessWorks.

4> Certificate/Private Key.
Used when the public key and the certificate are stored in two separate files. Typically certificates are stored in Privacy-enhanced Electronic Mail (PEM) format. The URL for the certificate and key must be provided, as well as the password for the key. This identity can be used when acting as initiator or responder in an SSL connection.

5> Identity File.
Used when the certificate includes the public key information in the certificate file. The URL and file type of the certificate must be provided, as well as the password for the key. The certificate can be in one of the following formats:
  - Entrust.
  - JCEKS. Java Cryptography Extension Key Store file format.
  - JKS. Java Key Store file format.
  - PEM. Privacy-enhanced Electronic Mail file format.
  - PKCS12. Public Key Cryptography Standard (12) file format.

6> Trusted certificates are typically issued by a trusted third party, such as a certificate authority. There are several commercial certificate authorities, such as Entrust or VeriSign.
========================================================================

- Both clients and servers can also store a list of trusted certificates.
When a connection is requested, each party presents their certificate and that certificate is checked against the list of trusted certificates. If the certificate is not found, the connection is refused. Checking trusted certificates allows clients to ensure that they are connecting to the correct server. For servers, trusted certificates are used to ensure only the authorized clients can connect to the server.

- Checking a certificate involves checking the certificate of the party that signed the certificate.
There can be a hierarchy of intermediate certificates, also known as a certificate chain, that must be checked up to the root certificate to ensure that a certificate is authentic.
TIBCO ActiveMatrix BusinessWorks requires that all intermediate certificates are stored in the trusted certificate location so that certificates can be properly verified.
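
An added example (not TIBCO code and not part of the original post) of checking a trusted certificates folder for the gap described above: it walks issuer names from a certificate towards a self-signed root and reports the first issuer that is not in the folder. It compares names only and does not verify signatures or validity dates; the "Demo" names and the .pem file extension are assumptions.

```python
import ssl
from pathlib import Path


def load_ca_certs(folder):
    """Decode the CA certificates found in a folder of PEM files."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    for pem in sorted(Path(folder).glob("*.pem")):
        ctx.load_verify_locations(cafile=str(pem))
    # Each entry is a dict whose 'subject' and 'issuer' are tuples of RDNs.
    return ctx.get_ca_certs()


def missing_issuer(leaf_issuer, ca_certs):
    """Return the first issuer name absent from ca_certs, or None if the
    chain starting at leaf_issuer reaches a self-signed root."""
    by_subject = {cert["subject"]: cert for cert in ca_certs}
    wanted, seen = leaf_issuer, set()
    while wanted not in seen:
        seen.add(wanted)
        cert = by_subject.get(wanted)
        if cert is None:
            return wanted                 # gap: this CA is not in the folder
        if cert["issuer"] == cert["subject"]:
            return None                   # self-signed root reached
        wanted = cert["issuer"]
    return wanted                         # issuer loop that never reaches a root


def name(common_name):
    """Constructed helper: a name in the ssl module's decoded format."""
    return ((("commonName", common_name),),)


# Constructed sample data in get_ca_certs() format.
ROOT = {"subject": name("Demo Root CA"), "issuer": name("Demo Root CA")}
ISSUING = {"subject": name("Demo Issuing CA"), "issuer": name("Demo Root CA")}

if __name__ == "__main__":
    # The peer presents a certificate issued by "Demo Issuing CA".
    print(missing_issuer(name("Demo Issuing CA"), [ROOT, ISSUING]))  # complete chain
    print(missing_issuer(name("Demo Issuing CA"), [ROOT]))  # intermediate missing
```

For a real folder, pass the result of load_ca_certs(folder) as ca_certs and the issuer name of the certificate being checked as leaf_issuer.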
========================================================================

- Adding Certificates to a project. To add a certificate in PEM format to a project:
1. Select a folder into which the certificate will be imported.
2. From the menu bar, choose Tools > Trusted Certificates > Import into PEM Format.
3. Provide the certificate URL when prompted.
Certificates in PKCS7 and PEM formats can be imported (these formats do not store keys). A new certificate copy is created when the import is done. If the certificate to be imported is already in PEM format, a new copy is created as is. Certificates from storage formats that require a password (PKCS12 and KeyStore) cannot be imported.
========================================================================

- Storing trusted certificates outside the project. (Avoids re-creating the EAR file and re-deploying.)
1. Create a folder in the file system where the trusted certificates will be stored. Copy this folder to each machine where the process engine will be deployed, or use a shared network area accessible by all process engines.

2. In TIBCO ActiveMatrix BusinessWorks, create a global variable named BW_GLOBAL_TRUSTED_CA_STORE.

3. Set BW_GLOBAL_TRUSTED_CA_STORE to the location of the trusted certificates folder on the file system. The location can either be the same for all deployed engines, or the global variable value can be changed when the project is deployed to the location on the machine where the trusted certificates are placed. The value for BW_GLOBAL_TRUSTED_CA_STORE must be a file URL (for example, file:///c:/tibco/certs).

4. Specify a value in the Trusted Certificates field in the SSL Configuration dialog. When the project runs, the location given in BW_GLOBAL_TRUSTED_CA_STORE overrides the value specified in this field.
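
Because this folder decides which parties every engine trusts, it is worth auditing on each machine. The check below is an added example (not TIBCO tooling and not part of the original post): it validates that the variable's value is a file URL and inspects the folder, assuming the certificates are kept as PEM files and that POSIX permission bits apply.

```python
import re
import stat
from pathlib import Path
from urllib.parse import urlparse
from urllib.request import url2pathname

PEM_LABEL = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")


def audit_store(url):
    """Return a list of findings for a BW_GLOBAL_TRUSTED_CA_STORE value."""
    parts = urlparse(url)
    if parts.scheme != "file":
        return [f"{url!r} is not a file URL"]
    if parts.netloc not in ("", "localhost"):
        return [f"{url!r} is on host {parts.netloc}: audit the share there"]
    folder = Path(url2pathname(parts.path))
    if not folder.is_dir():
        return [f"{folder}: folder missing on this machine"]

    findings = []
    files = sorted(p for p in folder.iterdir() if p.is_file())
    for path in [folder, *files]:
        # POSIX permission bit; on Windows review the ACL instead.
        if path.stat().st_mode & stat.S_IWOTH:
            findings.append(f"{path.name}: world-writable, trust list can be altered")
    for path in files:
        labels = PEM_LABEL.findall(path.read_text(errors="replace"))
        if any("PRIVATE KEY" in label for label in labels):
            findings.append(f"{path.name}: private key in a trust folder")
        elif not any(label.endswith("CERTIFICATE") for label in labels):
            findings.append(f"{path.name}: no PEM certificate found")
    return findings


if __name__ == "__main__":
    # Location taken from the example URL on this page.
    for finding in audit_store("file:///c:/tibco/certs"):
        print(finding)
```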
========================================================================

- For connections that can use SSL, the configuration has a checkbox that, when checked, enables the Configure SSL button, which brings up an SSL configuration dialog with options specific to the type of activity or connection that is being configured. Potential configuration fields:

FTP Connection. Used to specify the FTP server. TIBCO BW acts as an initiator.

- Trusted Certificates folder.
Folder in the project containing one or more trusted certificates. This folder is checked when an FTP activity connects to ensure that the responder’s certificate is from a trusted authority. This prevents connections to rogue servers.

- Identity.
Identity resource that contains the client digital certificate and a private key. Optional.

- Verify Host Name.
Specifies that the host name of the FTP server is checked against the host name listed in the server’s digital certificate. If it does not match, the connection is refused. If a hostname equivalent is specified in the Host field, but it does not match the host name, the connection is refused.

- Strong Cipher Suites Only.
When checked, this field specifies that the minimum strength of the cipher suites used can be specified with the bw.plugin.security.strongcipher.minstrength custom engine property. The default value of the property disables cipher suites with an effective key length below 128 bits. When this field is unchecked, only cipher suites with an effective key length of up to 128 bits can be used.
========================================================================

HTTP Connection
- Requires Client Authentication.
Checking this field requires initiators to present their digital certificate before connecting to the HTTP server. When this field is checked, the Trusted Certificates folder becomes enabled so that a location containing the list of trusted certificates can be specified.

- Identity.
Identity resource that contains the client digital certificate and a private key. Optional.

- Verify Host Name.
Specifies that the host name of the HTTP server is checked against the host name listed in the server’s digital certificate. If it does not match, the connection is refused. If a hostname equivalent is specified in the Host field, but it does not match the host name, the connection is refused.

- Strong Cipher Suites Only.
When checked, this field specifies that the minimum strength of the cipher suites used can be specified with the bw.plugin.security.strongcipher.minstrength custom engine property. The default value of the property disables cipher suites with an effective key length below 128 bits. When this field is unchecked, only cipher suites with an effective key length of up to 128 bits can be used.
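
The Verify Host Name check described for both the FTP and HTTP connections, as an added example (not BusinessWorks code and not part of the original post): a certificate can chain to a trusted authority and still belong to a different server, so the name the client connects to is compared with the names in the certificate. It goes beyond the text by handling subjectAltName entries and wildcards, which the page does not mention; the certificate and host names are constructed.

```python
def cert_dns_names(cert):
    """DNS names a certificate is valid for. `cert` uses the dict layout of
    ssl.SSLSocket.getpeercert(); the subject CN counts only without a DNS SAN."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for key, v in rdn
            if key == "commonName"]


def name_matches(pattern, host):
    """Case-insensitive, label-by-label comparison."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one left-most label, never "*.tld".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def verify_host_name(cert, host):
    """True only if `host` is one of the names in the certificate."""
    return any(name_matches(n, host) for n in cert_dns_names(cert))


# Constructed sample certificate for an FTP or HTTP responder.
SERVER_CERT = {
    "subject": ((("commonName", "bw-ftp.example.test"),),),
    "subjectAltName": (("DNS", "bw-ftp.example.test"),
                       ("DNS", "*.files.example.test")),
}

if __name__ == "__main__":
    # The last entry is a hostname equivalent (an IP address) typed as the host.
    for host in ("bw-ftp.example.test", "a.files.example.test",
                 "rogue.example.test", "192.0.2.10"):
        verdict = "accept" if verify_host_name(SERVER_CERT, host) else "refuse"
        print(f"{host}: {verdict}")
```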
========================================================================



1 comment:

  1. Cyber security is one of the most important measures that we should consider. Thanks for the great piece of content for ssl certificates. The info is great.
