
My goal in this blog is to show how to set up message signing and validation between HCI and PI systems. For now I will show only the „Sign” and „Validate” parts of WS-Security (WSS); encryption of the message is not covered. The basic message flow in the scenario is the following:

SOAPUI -> HCI -> AEX (SID: P74) -> WebService

WSS is used only on the HCI – AEX hop in my example; the calls from SOAPUI to HCI and from AEX to the web service carry no WS-Security header.

[image: HCI_4.PNG]

Prerequisites:

The message flow in HCI and in AEX is a simple SOAP-to-SOAP scenario. This needs to be set up already; in this blog I am not dealing with those configuration steps. Also, in the steps below I am using self-signed certificates, which is fine for testing purposes, but in a real productive scenario use certificates signed by a CA you trust, and check the validity period and key length of each certificate before you deploy it.


Configuration steps:

1.) Download the system.jks keystore from the HCI tenant and create a new alias in it named „sign” (to edit the keystore entries I used the KeyStore Explorer program). Into this alias generate a new key pair. The HCI flow will use the private key from this alias to sign the outgoing message; the private key never leaves the HCI keystore, only its certificate is handed to the other side.
2.) Create a second alias in the same keystore and import the AEX system’s public certificate. This is needed to validate the signed reply message coming from AEX. To keep the example simple, in AEX we will use the AEX system’s own private key (from the corresponding ICM keystore view) to sign the reply message, so the public certificate from that view is what HCI needs to validate the reply. Note that this reuses the key the ICM already uses for TLS; in a productive setup use a dedicated key pair for message signing.

[image: NWA_ICM_keystore_entry.jpg]

So at the end your system.jks keystore should look like this:

[image: system_jks_1020531.jpg]

The alias named „sign” holds the key pair HCI signs with, and the other alias is a Trusted Certificate entry – the public certificate of the AEX system. Only the „sign” alias contains a private key.

3.) Deploy the new system.jks keystore into the HCI tenant. Deploying replaces the whole keystore, so keep a backup of the originally downloaded system.jks before you do this.

4.) Create a new keystore view in NWA of the AEX system and import the public certificate which will be used to validate the request message coming from the HCI flow:

[image: point_4_1020532.png]

Here you need to import the public certificate from step 1. With KeyStore Explorer you can easily export the public certificate from the „sign” alias (export only the certificate, never the private key) and import it into the NWA keystore view of the AEX system.

[image: point_4_2_png_1020533.jpg]

5.) In the receiver SOAP channel of the HCI IFlow set the following on the „WS-Security” tab; the signing key is referenced by the „sign” alias from step 1:

[image: point_5_1020534.png]

6.) In the AEX system, in the SOAP sender channel, select the security profile:

[image: point_6_1020535.png]

7.) In the ICO specify the validation for the incoming request message. Here you refer to the keystore view and the public certificate from step 4:

[image: point_7_1020536.png]

8.) The response message from AEX to HCI will be signed with the AEX system’s private key:

[image: point_8_1020537.png]

So select the option „Sign” from the Security Procedure (Response) and fill in the Keystore View and Keystore Entry fields. As I mentioned, to keep the case simple I used the private key from the ICM keystore view of the AEX system.

9.) Run a test in the SOAPUI tool, calling the endpoint of the HCI IFlow:

[image: point_9_1020538.png]

10.) The messages are processed successfully both in HCI and in AEX, and in SOAPUI we get the correct response. To prove that the validation is actually enforced and not silently skipped, also run a negative test: point the ICO validation from step 7 at a different certificate and repeat the call; AEX should now reject the request.

[image: point_10_1020539.png]
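The steps above are all done in GUI tools, so it is easy to lose sight of what the two systems actually check. The following is an added example, not part of the original post and not SAP's code: a small Go program that models both sides of the exchange (HCI holding the „sign” key and trusting the AEX certificate, AEX holding its ICM key and trusting the exported „sign” certificate). It is simplified: the Body is signed as raw bytes rather than as canonicalized XML under XML-DSig, self-signed certificates are generated in memory, and the party names and message contents are made up. What it does show is the order of checks a validator has to make (is the token the trusted certificate, does the digest match the body, does the signature verify) and that a tampered body or an unknown signer is rejected.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Party is one WS-Security endpoint: its own key pair plus the single peer certificate it trusts.
type Party struct {
	key     *rsa.PrivateKey
	cert    *x509.Certificate // sent as the BinarySecurityToken
	trusted *x509.Certificate // peer certificate from the keystore
}

// SignedMessage stands in for a SOAP envelope with a wsse:Security header. A real
// header signs the canonicalized Body via XML-DSig; here the Body is raw bytes.
type SignedMessage struct {
	Body      string
	Digest    []byte // SHA-256 of Body (DigestValue)
	Signature []byte // RSA PKCS#1 v1.5 over Digest (SignatureValue)
	CertDER   []byte // sender certificate (BinarySecurityToken)
}

// NewParty creates a self-signed key pair (test setups only, as the blog notes).
func NewParty(cn string) (*Party, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Party{key: key, cert: cert}, nil
}

// Trust installs the peer certificate: the "Trusted Certificate" entry in
// system.jks, or the certificate imported into the NWA keystore view.
func (p *Party) Trust(peer *Party) { p.trusted = peer.cert }

// Sign is the "Sign" security procedure for an outgoing message.
func (p *Party) Sign(body string) (*SignedMessage, error) {
	d := sha256.Sum256([]byte(body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, p.key, crypto.SHA256, d[:])
	if err != nil {
		return nil, err
	}
	return &SignedMessage{Body: body, Digest: d[:], Signature: sig, CertDER: p.cert.Raw}, nil
}

// Validate is the "Validate" procedure: exact trusted token, digest matches body, signature verifies.
func (p *Party) Validate(m *SignedMessage) error {
	if p.trusted == nil || !bytes.Equal(m.CertDER, p.trusted.Raw) {
		return fmt.Errorf("BinarySecurityToken is not the trusted certificate")
	}
	d := sha256.Sum256([]byte(m.Body))
	if !bytes.Equal(d[:], m.Digest) {
		return fmt.Errorf("DigestValue does not match Body")
	}
	pub := p.trusted.PublicKey.(*rsa.PublicKey) // RSA by construction (see NewParty)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], m.Signature); err != nil {
		return fmt.Errorf("SignatureValue invalid: %w", err)
	}
	return nil
}

func main() {
	hci, _ := NewParty("sign") // HCI "sign" alias (hypothetical name)
	aex, _ := NewParty("P74")  // AEX ICM keystore entry (hypothetical name)
	hci.Trust(aex)             // step 2: AEX certificate into system.jks
	aex.Trust(hci)             // step 4: "sign" certificate into the NWA keystore view
	req, _ := hci.Sign("<ping/>")
	fmt.Println("AEX validates request:", aex.Validate(req))
	resp, _ := aex.Sign("<pong/>")
	fmt.Println("HCI validates reply:", hci.Validate(resp))
	req.Body = "<ping>modified</ping>" // altered in transit: digest check fails
	fmt.Println("tampered body:", aex.Validate(req))
	rogue, _ := NewParty("rogue") // never imported into AEX: token check fails
	bad, _ := rogue.Sign("<ping/>")
	fmt.Println("untrusted signer:", aex.Validate(bad))
}
```

The point of comparing the token byte-for-byte against the configured certificate (instead of merely parsing whatever certificate the sender attached) is the same as steps 4 and 7 in the ICO: a signature is only meaningful when it was made by the one key you explicitly decided to trust. A real WS-Security validator additionally has to confirm that the Signature element actually references the Body (via its wsu:Id) and not some harmless header, which the raw-bytes simplification here sidesteps.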
