Tuesday 17 April 2012

Communication between MWS & ESB with certificates

Introduction

The following article guides you through setting up your MWS and IS instances to encrypt data/decrypt data 

MWS

Installing the IS certificate into the MWS truststore

  1. On your MWS server download a copy of InstallCert.java
  2. Open the file and change the line 72 to reflect your install path of MWS
  3. Compile the code javac InstallCert.java
  4. Run the code as follows:
    • java -cp . InstallCert <ISHostName:httpsPortNum> <glueTrustStore.jksPassword>
  5. This will try to download the certificate from the IS server and install it in the MWS truststore

Setup environment variables in your CAF application

Configure your CAF application to have the following environment entries:

String store = "<MWS_HOME>/server/<server_Instance>/config/glue/glueTrustStore.jks";
String sPass = passphrase_for_file_above;
String alias = alias_of_IS_key;

Write a method that takes in your data to be encrypted with the Certificate, plus the above parameters:

private static byte[] encryptData(String store, String sPass, String alias, String data) throws Exception {
    KeyStore ks = KeyStore.getInstance("JKS");
    FileInputStream fis = new FileInputStream(store);
    ks.load(fis, sPass.toCharArray());
    fis.close();
    java.security.cert.Certificate cert = ks.getCertificate(alias);
    PublicKey key = cert.getPublicKey();
    Cipher cipher = Cipher.getInstance(key.getAlgorithm());  
    cipher.init(Cipher.ENCRYPT_MODE, key);
    return cipher.doFinal(data.getBytes());
}

Bind the byte[] to the input provided by the ESB WSD.

ESB

Create a service that takes in a byte[] input from above and retrieves the privateKey of the IS as well as decryption of the payload (using the following flow service to get the privateKey):
pub.security.keystore:getKeyAndChain

Here is the Java code for the decryption service:

public static final void decryptData(IData pipeline) throws ServiceException {
    // pipeline
    IDataCursor pipelineCursor = pipeline.getCursor();
    PrivateKey privateKey = (PrivateKey) IDataUtil.get(pipelineCursor, "privateKey");
    byte[] encryptedData = (byte[]) IDataUtil.get(pipelineCursor, "encryptedData");
    pipelineCursor.destroy();

    Cipher cipher = null;
    String decryptedData = null;
    try {
        cipher = Cipher.getInstance(privateKey.getAlgorithm());
        cipher.init(Cipher.DECRYPT_MODE, privateKey);
        decryptedData = new String(cipher.doFinal(encryptedData));
    } catch (Exception e) {
        throw new ServiceException(e);
    }
    // pipeline
    IDataCursor pipelineCursor_1 = pipeline.getCursor();
    IDataUtil.put(pipelineCursor_1, "decryptedData",decryptedData);
    pipelineCursor_1.destroy();
}

For details on setting up the certificates on the IS, please refer to the Administration Guide.

No comments:

Post a Comment