Can I design a webservice for HTTPS...

Amit K Gupta 26 posts since 25 Apr, 2009 Can I design a webservice for HTTPS with username/password authentication 25 Apr, 2009 6:14 PM

Hi Guys,

I have recently started working on a webservice, hence I have successfully configured and tested my configured serviceagent for HTTP, but I have to make it HTTPS using username/password authentication and not use digital signature. So is it possible to create an HTTPS service simply using username/password authentication without using digital signature? If yes, how can I configure it in the TIBCO Designer? Please suggest.

Your response will be highly appreciated.

Thanks, Amit

Carlo Milono 1,039 posts since 29 Apr, 2008 Re: Can I design a webservice for HTTPS with username/password authentication 26 Apr, 2009 1:28 AM

HTTP/HTTPS are transports - that said, you also mention a Web Service, so I need to know if you want username/password as RFC 2617 Basic Authentication or if you want username/password as part of the OASIS Web Services Security. TIBCO can do either/both. For HTTP Basic Authentication, you enable it with a checkbox in the SOAP configuration, while for OASIS WSSE Username Token Profile, this is done through the Policy and Policy Association configurations.

You can (but why?) combine them.

Generated by Jive SBS on 2013-08-05-04:00 1

HTHs

Amit K Gupta 26 posts since 25 Apr, 2009 Re: Can I design a webservice for HTTPS with username/password authentication 26 Apr, 2009 9:35 AM in response to Carlo Milono

Hi Carlo,

Thanks for your reply. As far as your answer is concerned, yes, I want username/password as part of the OASIS Web Services Security, hence I can use a security policy with username token, but how can I make my transport HTTPS rather than simply HTTP by using the same?

If I say it more clearly, there is a requirement to make a webservice with HTTPS transport in which I have to use only username/password authentication.

Thanks, Amit

Carlo Milono 1,039 posts since 29 Apr, 2008 Re: Can I design a webservice for HTTPS with username/password authentication 26 Apr, 2009 12:59 PM in response to Amit K Gupta

To create a service (either SOAP Event Source or Service activity), before you bind the transport to the service, create an HTTP Connection Shared Resource where you choose your port and then configure the SSL parameters by enabling the "Use SSL" checkbox and clicking on the Configure SSL button.

The SSL configuration window will have a "Requires Client Authentication" checkbox - this means that your service will require that the Client sends a certificate (not needed for SSL), and if you enable this option, the "Trusted Certificates Folder" textbox becomes enabled and you must enter a folder that will contain the CAs that you will trust for Client communications. The other textbox is mandatory - a server must always present a certificate, so you configure an Identity with a PKCS#12 Certificate or a PEM + PKCS#8 Key or a JKS/JCEKS with a single cert in it and browse to that Identity in the "Identity" textbox. Lastly, there is a Strong Cipher Suite Only checkbox to ensure a high grade of cipher. At the engine level, you can also mask off ciphers (DISABLE_CIPHERS_BELOW_256BIT, for example).

As for the Client - a SOAP Request Reply will be configured with a Concrete WSDL which should indicate that HTTPS is to be used. If https is part of the URI, then look in the Transport Details Tab and you should see a "Configure SSL" button - as a Client, the options are different: 1) As you will be receiving a certificate from the Server, a Trusted Certificates folder is required. 2) You may provide an Identity if "Client Authentication" was required at the service (not a policy visible in the WSDL). 3) Verify Host Name - a FQDN of the URI or (more precisely) the CN of the Server Cert. 4) Strong Cipher Suites Only.

Amit K Gupta 26 posts since 25 Apr, 2009 Re: Can I design a webservice for HTTPS with username/password authentication 26 Apr, 2009 3:35 PM in response to Carlo Milono

Hi Carlo,

Thanks for providing me the complete description for configuring the SSL option in Designer. But my requirement is different; as I asked you earlier, I have to use only username/password authentication rather than a security certificate. I understand the basic authentication concept on HTTP. But I have to use HTTPS, so I would be required to enable SSL, and after doing so an identity will be required containing username and password info. When I try to select this identity, it was not shown in the browse window. Therefore I think there must be another option to enable SSL with simply UN/PWD authentication.

Could you please check first whether it is possible to configure the same in the Designer, because it does not recommend using un/pwd authentication for SSL, as I have read in the BW doc.

I need your suggestion accordingly.

Thanks, Amit

Carlo Milono 1,039 posts since 29 Apr, 2008 Re: Can I design a webservice for HTTPS with username/password authentication 26 Apr, 2009 5:21 PM in response to Amit K Gupta

Drag & Drop an "Identity" configuration (in General Palette) and you can choose Username/Password as the type. This is used for both HTTP Basic Authentication and for OASIS Username Token Authentication.

You then pick a Policy (or two) for inbound and/or outbound (Policy Palette) and pick a Policy Association to assign a policy to discrete operations. The policy may be any of Authentication (username/password or X.509), Integrity (username/password or X.509) or Confidentiality (X.509 only), plus you can set a timeout value. To focus on your main requirement, Authentication with Username/Password has a choice of Text (password is in clear text) or Digest (a semi-complex algorithm of a concatenation of Timestamp, Nonce, and Password in a Base64(SHA(TNP)) arrangement).

I've attached a document I wrote on "Understanding WSS". TIBCO BusinessWorks currently supports OASIS X.509 Token Profile 1.0 and OASIS Username Token Profile 1.0 plus parts of Username Token Profile 1.1.

If you need to dynamically map username/password, you will have to bypass the Policy configuration (which is statically linked to the "Identity") and manually edit the SOAP Headers - I can give instructions on that if need be, but I believe it has been discussed in earlier threads.

EDIT: I replaced the doc I uploaded with one that has better screen shot resolution. Also, this is an old doc and doesn't cover the Service Palette, though the fundamental concepts still apply.

Attachments: Understanding WSS-2009.doc (1.8 MB)

Carlo Milono 1,039 posts since 29 Apr, 2008 Re: Can I design a webservice for HTTPS with username/password authentication 26 Apr, 2009 8:18 PM in response to Amit K Gupta

An example for BW is found here: C:\tibco\bw\5.7\examples\activities\soap\soap_over_http_username_password_sign_X509_encrypt

This URI is for BW 5.7, but you can find a similar/exact one for 5.3.X, 5.4.X, and 5.6.X. This example covers Username Password authentication with additions for signing (integrity) and encryption (confidentiality).
