Message Signature and Validation between HCI IFlow and On-Premise AEX system
My goal in this blog is to show how to set up message signature and validation between HCI and PI systems. For now I will show only the „Sign” and „Validate” parts of WSS. The basic message flow in the scenario is the following:
SOAPUI -> HCI -> AEX (SID: P74) -> WebService
The WSS in my example will be used only between the HCI and AEX systems.
The message flow in HCI and in AEX is a simple SOAP-to-SOAP scenario. This needs to be set up first, and in this blog I am not dealing with those configuration steps. Also, in the steps below I am using self-signed certificates, which can be OK for testing purposes, but in a real productive scenario use certificates signed by a CA you trust.
1.) Download the system.jks keystore from the HCI tenant, and create a new alias there named like „sign”. (To edit the keystore entries I used the KeyStore Explorer program.) Into this alias create a new keypair. The HCI flow will use the private key from this keystore alias to sign the message.
2.) Create a second alias in this keystore and import the AEX system’s public certificate. This will be needed to validate the reply message from the AEX system. In AEX, just to keep the example simple, we will use the AEX system’s private key (from the corresponding ICM keystore view) to sign the reply message; therefore the public certificate from this view is needed in HCI to validate the reply message.
So at the end your system.jks keystore should look like this:
The alias named „sign” is for signing the message by HCI, and the other alias is a Trusted Certificate entry: this is the public certificate of the AEX system.
3.) Deploy the new system.jks keystore into the HCI tenant.
4.) Create a new keystore in NWA of the AEX system and import the public certificate which will be used to validate the request message coming from the HCI flow:
Here you will need to import the public certificate from point 1. With KeyStore Explorer you can easily export the public certificate from the „sign” alias and use it in the NWA keystore of the AEX system.
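The keystore work from points 1, 2 and 4 can also be done from the command line with the JDK’s keytool instead of KeyStore Explorer. The following script is an added example and not part of the original post: it creates the „sign” key pair in system.jks, imports the AEX public certificate as a trusted certificate entry, exports the „sign” public certificate for the NWA keystore, and checks that each alias ended up as the expected entry type. The file names, the alias name aex_p74, the password and the distinguished names are constructed placeholders; the stub AEX certificate is generated locally only so the script runs offline and stands in for the certificate you would export from the ICM keystore view of the real AEX system.

```shell
#!/bin/sh
# Added example (not from the original post): keystore steps 1, 2 and 4 with keytool.
# Assumptions: keytool (JDK) is on PATH; names and passwords below are placeholders.
set -eu

KS=system.jks             # the tenant keystore downloaded from HCI
KS_PASS=changeit          # placeholder; use the real keystore password
AEX_CERT=aex_public.cer   # public certificate exported from the AEX ICM keystore view

# Stand-in for the real AEX certificate: a throwaway self-signed key pair whose
# public certificate is exported in PEM form. Only needed to run this offline.
make_stub_aex_cert() {
  keytool -genkeypair -keystore aex_stub.jks -storetype JKS -storepass "$KS_PASS" \
    -alias aex -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 \
    -dname "CN=P74-stub,O=Example,C=DE" -keypass "$KS_PASS" >/dev/null 2>&1
  keytool -exportcert -keystore aex_stub.jks -storepass "$KS_PASS" \
    -alias aex -rfc -file "$AEX_CERT" >/dev/null 2>&1
}

# Step 1: create the "sign" alias with a fresh key pair (self-signed, test use only).
# HCI signs the request with the private key of this entry.
create_sign_keypair() {
  keytool -genkeypair -keystore "$KS" -storetype JKS -storepass "$KS_PASS" \
    -alias sign -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 \
    -dname "CN=hci-sign,O=Example,C=DE" -keypass "$KS_PASS" >/dev/null 2>&1
}

# Step 2: import the AEX public certificate as a trusted certificate entry.
# HCI uses this entry to validate the signature on the AEX response.
import_aex_cert() {
  keytool -importcert -keystore "$KS" -storepass "$KS_PASS" \
    -alias aex_p74 -file "$AEX_CERT" -noprompt >/dev/null 2>&1
}

# Step 4: export the public certificate of "sign" (PEM) for the NWA keystore of AEX,
# where it is used to validate the signature on the request from HCI.
export_sign_cert() {
  keytool -exportcert -keystore "$KS" -storepass "$KS_PASS" \
    -alias sign -rfc -file hci_sign_public.cer >/dev/null 2>&1
}

# Check helper: report the entry type keytool lists for an alias.
# Expected: "sign" is a PrivateKeyEntry, the AEX alias is a trustedCertEntry.
entry_type() {
  out=$(keytool -list -keystore "$KS" -storepass "$KS_PASS" -alias "$1" 2>/dev/null || true)
  case "$out" in
    *PrivateKeyEntry*)  echo PrivateKeyEntry ;;
    *trustedCertEntry*) echo trustedCertEntry ;;
    *)                  echo unknown ;;
  esac
}

run_all() {
  make_stub_aex_cert
  create_sign_keypair
  import_aex_cert
  export_sign_cert
  echo "sign:    $(entry_type sign)"
  echo "aex_p74: $(entry_type aex_p74)"
}

# Run the whole sequence only when asked, so the functions can also be sourced.
if [ "${RUN_DEMO:-0}" = 1 ]; then run_all; fi
```

Run it in an empty directory with `RUN_DEMO=1 sh keystore_setup.sh`; the two lines it prints should read PrivateKeyEntry and trustedCertEntry, which is exactly what the system.jks screenshot above shows for the two aliases. In a real setup, skip make_stub_aex_cert and put the certificate exported from the AEX ICM keystore view in place of aex_public.cer; the resulting hci_sign_public.cer is the file to import in NWA.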
5.) In the receiver SOAP channel of the HCI’s IFlow set the following setting on the „WS-Security” TAB:
6.) In the AEX system in the SOAP sender channel select the security profile:
7.) And in the ICO specify the validation for the incoming request message. You will need to refer to the public certificate from point 4:
8.) The response message from AEX to HCI will be signed by the AEX system’s private key :
So select the option „Sign” from the Security Procedure (Response), and fill in the Keystore View and Keystore Entry fields. As I mentioned, just to keep the case simple, I used the private key from the ICM keystore view of the AEX system.
9.) Run a test in the SOAPUI tool and call the endpoint of the HCI IFlow:
10.) The messages are processed successfully both in HCI and in AEX, and in SOAPUI we get the correct response: