Fuse ESB - Web Services Security Guide - Specifying Trusted CA Certificates for HTTPS

Specifying Trusted CA Certificates for HTTPS

CA certificate format

CA certificates must be provided in Java keystore format.

CA certificate deployment in the Fuse Services Framework configuration file

To deploy one or more trusted root CAs for the HTTPS transport, perform the following steps:

Assemble the collection of trusted CA certificates that you want to deploy. The trusted CA certificates can be obtained from public CAs or private CAs (for details of how to generate your own CA certificates, see Set Up Your Own CA). The trusted CA certificates can be in any format that is compatible with the Java keystore utility; for example, PEM format. All you need are the certificates themselves—the private keys and passwords are not required.
Given a CA certificate, cacert.pem, in PEM format, you can add the certificate to a JKS truststore (or create a new truststore) by entering the following command:
```
keytool -import -file cacert.pem -alias CAAlias -keystore truststore.jks -storepass StorePass 
```
Where CAAlias is a convenient tag that enables you to access this particular CA certificate using the keytool utility. The file, truststore.jks, is a keystore file containing CA certificates—if this file does not already exist, the keytool utility creates one. The StorePass password provides access to the keystore file, truststore.jks.
Repeat step 2 as necessary, to add all of the CA certificates to the truststore file, truststore.jks.

Edit the relevant XML configuration files to specify the location of the truststore file. You must include the sec:trustManagers element in the configuration of the relevant HTTPS ports.

For example, you can configure a client port as follows:

<!-- Client port configuration -->
<http:conduit id="{Namespace}PortName.http-conduit"> 
  <http:tlsClientParameters>
    ...
    <sec:trustManagers>
      <sec:keyStore type="JKS"
                    password="StorePass"
                    file="certs/truststore.jks"/>
    </sec:trustManagers>
    ...
  </http:tlsClientParameters>
</http:conduit>

Where the type attribute specifes that the truststore uses the JKS keystore implementation and StorePass is the password needed to access the truststore.jks keystore.

Configure a server port as follows:

<!-- Server port configuration -->
<http:destination id="{Namespace}PortName.http-destination"> 
  <http:tlsServerParameters>
    ...
    <sec:trustManagers>
      <sec:keyStore type="JKS"
                    password="StorePass"
                    file="certs/truststore.jks"/>
    </sec:trustManagers>
    ...
  </http:tlsServerParameters>
</http:destination>

	Warning
	The directory containing the truststores (for example, `X509Deploy``/truststores/`) should be a secure directory (that is, writable only by the administrator).

Comments powered by Disqus

Contents
Search