To create the certificate you can use a tool called ‘keytool’, which ships with the JDK/JRE.
It is a command line utility.
The command is
keytool -genkey -alias server-alias -keyalg RSA -keypass yourpassword -storepass yourpassword -keystore keystore.jks
short summary:
-alias gives a name to your key; it should be unique within the keystore.
-keyalg is the key-pair algorithm (RSA here).
-keypass is the password protecting the private key of this entry.
-storepass is the password protecting keystore.jks as a whole.
keystore.jks is the name of the file that acts as the repository of keys.
After you type in this command, keytool asks a series of questions; answer them accordingly.
At the end, your key called server-alias is stored in the repository keystore.jks.
This entry in keystore.jks holds both the public and the private key.
You now need to publish the public key to the world.
Use the following command to extract the public key from the entry you created earlier.
keytool -export -alias server-alias -storepass yourpassword -file server.cer -keystore keystore.jks
The public key, i.e. the certificate, is stored in the file named server.cer.
You can give this file to anyone who wants to connect to your server; only the certificate is exported, so the private key stays in keystore.jks and must never be handed out.
1.2 Install key at server side.
1.2.1 Identity
You have your public/private key pair with you.
Create an Identity in your BW project.
Choose the type Identity File and provide the URL as the path to your keystore.jks.
The path “file://X:…” is not valid. You need to add an extra / to make it “file:///X:..”.
Give the file type ‘JKS’ and the password.
Save the identity.
1.2.2 HTTP Connection.
Create an HTTP Connection and use SSL.
Configure SSL with the identity you have created in 1.2.1.
This step does not include instructions to enable client authentication.
This is enough for the server side.
Step 2: Importing the certificate and installing it at client side.
2.1 Import the key
Get server.cer from the server authority; it is publicly available.
Import the public key into your trust store.
A trust store is a repository of all the certificates trusted at the client side.
Use the command
keytool -import -v -trustcacerts -alias server-alias -file server.cer -keystore cacerts.jks -keypass yourkeypass -storepass yourstorepass
Here all the values, i.e. -alias, -keypass and -storepass, are local.
You do not need to worry about which values the server authority used while creating the key pair.
Once this command succeeds, the public key is imported into the local keystore cacerts.jks.
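As an added example (not from the original post), the script below runs the keytool steps from both halves of this flow without the interactive questions: the server-side key-pair creation and certificate export described at the top, and the client-side trust-store import from 2.1. The scratch directory, the alias, the subject passed via -dname, the password and the key size are assumptions of this script, not values from the document.

```shell
#!/bin/sh
# Added example (not from the original post): the keytool flow run
# non-interactively. -dname replaces the interactive questions; the alias,
# subject, password and file names are constructed for this demo.
set -eu

WORK="${TMPDIR:-/tmp}/keytool-demo.$$"          # assumption: scratch directory
STOREPASS='changeit'                             # constructed password (store and key)
DNAME='CN=localhost, OU=Demo, O=Example, C=US'   # constructed subject

# Server side: key pair in keystore.jks. -storetype JKS keeps the .jks format
# on JDKs whose default keystore type is PKCS12.
generate_server_keypair() {
    keytool -genkeypair -alias server-alias -keyalg RSA -keysize 2048 \
        -dname "$DNAME" -validity 365 \
        -keypass "$STOREPASS" -storepass "$STOREPASS" \
        -storetype JKS -keystore "$WORK/keystore.jks" >/dev/null 2>&1
}

# Export only the certificate; the private key never leaves keystore.jks.
export_server_cert() {
    keytool -exportcert -alias server-alias -storepass "$STOREPASS" \
        -file "$WORK/server.cer" -keystore "$WORK/keystore.jks" >/dev/null 2>&1
}

# Client side: put server.cer into a trust store. -noprompt skips the
# "Trust this certificate?" question that the interactive import asks.
import_into_truststore() {
    keytool -importcert -noprompt -trustcacerts -alias server-alias \
        -file "$WORK/server.cer" -storepass "$STOREPASS" \
        -storetype JKS -keystore "$WORK/cacerts.jks" >/dev/null 2>&1
}

# "Entry type:" of the first entry in a keystore, e.g. PrivateKeyEntry.
entry_type() {
    keytool -list -v -storepass "$STOREPASS" -keystore "$1" 2>/dev/null \
        | sed -n 's/^Entry type: //p' | head -n 1
}
keystore_entry_type()   { entry_type "$WORK/keystore.jks"; }
truststore_entry_type() { entry_type "$WORK/cacerts.jks"; }

# Subject ("Owner:") of the exported certificate file.
exported_cert_subject() {
    keytool -printcert -file "$WORK/server.cer" 2>/dev/null \
        | sed -n 's/^Owner: //p' | head -n 1
}

run_demo() {
    rm -rf "$WORK" && mkdir -p "$WORK"
    generate_server_keypair
    export_server_cert
    import_into_truststore
    echo "keystore.jks entry: $(keystore_entry_type)"     # PrivateKeyEntry
    echo "server.cer subject: $(exported_cert_subject)"
    echo "cacerts.jks entry:  $(truststore_entry_type)"   # trustedCertEntry
}

if command -v keytool >/dev/null 2>&1; then
    run_demo
else
    echo "keytool not found on PATH; install a JDK or JRE first" >&2
fi
```

The two -list checks make the asymmetry visible: keystore.jks ends up with a PrivateKeyEntry, while cacerts.jks only ever receives a trustedCertEntry, which is why the client never needs the server's key password.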
2.2 Install in tibco BW
2.2.1 Identity
Create an identity, i.e. a client identity, using the file cacerts.jks.
2.2.2 Certificate in PEM format
In the BW project, import the public certificate using the menu command
Tools > Trusted Certificates > Import into PEM format.
It is advisable to keep this certificate in a separate folder to avoid unnecessary processing.
Create an ‘HTTP Send Request’ activity and use SSL.
In the configuration, provide the client identity from 2.2.1 and the name of the folder where you saved the certificate in PEM format in 2.2.2.
Hope this helps
For more details on keytool, refer to this link: Keytool Tutorial
OpenSSL
In addition to ‘keytool’, we can use openssl commands.
The openssl program is available for both Windows and Linux.
To create identities using openssl, refer to the commands below.
Create a private key and a certificate signing request (CSR) bound to that private key.
openssl req -new -newkey rsa:1024 -keyout (hostkey).pem -out (hostcsr).pem
This creates a private key called (hostkey).pem and its corresponding certificate request (hostcsr).pem. You are prompted for a passphrase, and the private key is stored encrypted under it. Note that 1024-bit RSA keys are no longer considered adequate; use at least 2048 bits for anything beyond a test setup.
To export the private key to PKCS#8 format, the following command will do.
openssl pkcs8 -topk8 -inform PEM -outform DER -in (hostkey).pem -out (hostkey).p8
To create a certificate chain you need to get (hostcsr).pem signed by some certification authority.
Here we will create our own certification authority and get (hostcsr).pem signed by it.
To see how to create your own CA, refer to the steps at the end of this document.
Assume that we have created our own certification authority.
The following command signs (hostcsr).pem with the CA certificate; it must be run from the CA directory described at the end.
openssl ca -in (hostcsr).pem -out (host_signed.x509).pem
There are various formats available for the publication of certificates.
PKCS#12, PKCS#7 are some of them.
PKCS#12 contains information about certificate chains as well as private keys.
PKCS#7 contains information only about public certificate chains.
To convert (host_signed.x509).pem to PKCS#12 format, the following command will do; -certfile adds the CA certificate so that the file carries the full chain.
openssl pkcs12 -export -in (host_signed.x509).pem -inkey (hostkey).pem -certfile cacert.pem -out cred.p12
To convert (host_signed.x509).pem to PKCS#7 format, the following command will do (add a second -certfile for the CA certificate if the chain should be included).
openssl crl2pkcs7 -nocrl -certfile (host_signed.x509).pem -out (host_signed.x509).p7b
The artefacts obtained from the above commands can be used when installing client- and server-side SSL.
My own certification authority
The defaults for the ca command are in the file /usr/lib/ssl/openssl.cnf.
Assume that we want to setup our own ca in directory /home/me/workspace/myca.
Create this directory structure.
go to myca – cd /home/me/workspace/myca
create the following files and directories in myca:
mkdir newcerts (newly signed certificates are written here)
mkdir private (the CA private key resides here)
echo 01 > serial (this file keeps the serial number of the next certificate signed by your CA; it is incremented every time your CA signs a new certificate; start at 01 rather than 00, since a certificate serial number must be positive)
touch index.txt (database of signing activity, with one line per certificate previously signed by your CA)
The stock openssl.cnf expects these files under ./demoCA; edit the dir entry in its [ CA_default ] section to point at /home/me/workspace/myca (or pass your own file with -config) so that the ca command finds them.
Create a self-signed private key and certificate.
openssl req -x509 -days 999 -newkey rsa:1024 -keyout private/cakey.pem -out cacert.pem
Use this ca to sign other certificates.
Every time you want to sign a new certificate, come back to this directory and issue the ca command.
openssl ca -in (path to hostcsr.pem) -out (path to host_signed.x509.pem)
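As an added example (not from the original post), the script below carries the openssl steps from the OpenSSL section and the CA setup from this section through end to end: it builds the CA directory layout with a minimal openssl.cnf that points the ca command at that directory (so the ./demoCA default from /usr/lib/ssl/openssl.cnf does not apply), creates the CA, issues a server certificate, converts the key to PKCS#8 and the certificate to PKCS#12 and PKCS#7, and checks what each container holds. Directory names, passphrases, subject names, the extension sections and the 2048-bit key size are assumptions of the script, not values from the document.

```shell
#!/bin/sh
# Added example (not from the original post): a private CA in the layout
# described above, a server key/CSR signed by it, and the PKCS#8, PKCS#12
# and PKCS#7 conversions. Paths, passphrases and subjects are constructed.
set -eu

WORK="${TMPDIR:-/tmp}/myca-demo.$$"   # assumption: scratch directory
CA_DIR="$WORK/myca"
CA_PASS='ca-secret'                   # constructed passphrase for private/cakey.pem
KEY_PASS='host-secret'                # constructed passphrase for hostkey.pem
P12_PASS='p12-secret'                 # constructed export password for cred.p12

# CA directory layout plus a minimal config so 'openssl ca' uses it instead of
# the ./demoCA default from the system openssl.cnf. Serial starts at 01 (hex).
setup_ca() {
    rm -rf "$WORK"
    mkdir -p "$CA_DIR/newcerts" "$CA_DIR/private"
    echo 01 > "$CA_DIR/serial"
    : > "$CA_DIR/index.txt"
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
new_certs_dir   = $CA_DIR/newcerts
database        = $CA_DIR/index.txt
serial          = $CA_DIR/serial
private_key     = $CA_DIR/private/cakey.pem
certificate     = $CA_DIR/cacert.pem
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = usr_cert
[ policy_any ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # Self-signed CA certificate; the CA key is passphrase-protected.
    openssl req -x509 -days 999 -newkey rsa:2048 -subj "/CN=Demo Root CA" \
        -config "$CA_DIR/openssl.cnf" -passout "pass:$CA_PASS" \
        -keyout "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem" 2>/dev/null
}

# Server key + CSR, then the CA signs the CSR ('openssl ca' reads the config).
issue_server_cert() {
    openssl req -new -newkey rsa:2048 -subj "/CN=server.example.test" \
        -config "$CA_DIR/openssl.cnf" -passout "pass:$KEY_PASS" \
        -keyout "$WORK/hostkey.pem" -out "$WORK/hostcsr.pem" 2>/dev/null
    openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" -passin "pass:$CA_PASS" \
        -in "$WORK/hostcsr.pem" -out "$WORK/host_signed.x509.pem" >/dev/null 2>&1
}

# PKCS#8 (DER), PKCS#12 (chain + private key) and PKCS#7 (chain only) exports.
export_containers() {
    openssl pkcs8 -topk8 -inform PEM -outform DER -in "$WORK/hostkey.pem" \
        -passin "pass:$KEY_PASS" -passout "pass:$KEY_PASS" -out "$WORK/hostkey.p8"
    openssl pkcs12 -export -in "$WORK/host_signed.x509.pem" -inkey "$WORK/hostkey.pem" \
        -certfile "$CA_DIR/cacert.pem" -passin "pass:$KEY_PASS" \
        -passout "pass:$P12_PASS" -out "$WORK/cred.p12"
    openssl crl2pkcs7 -nocrl -certfile "$WORK/host_signed.x509.pem" \
        -certfile "$CA_DIR/cacert.pem" -out "$WORK/host_signed.x509.p7b"
}

# Checks: does the signed cert chain to the CA, and what does each container hold?
chain_status() {
    openssl verify -CAfile "$CA_DIR/cacert.pem" "$WORK/host_signed.x509.pem" 2>/dev/null \
        | sed 's/^.*: //'                        # "OK" on success
}
p12_cert_count() {
    openssl pkcs12 -in "$WORK/cred.p12" -nokeys -passin "pass:$P12_PASS" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}
p12_has_private_key() {
    openssl pkcs12 -in "$WORK/cred.p12" -nocerts -passin "pass:$P12_PASS" \
        -passout "pass:$KEY_PASS" 2>/dev/null | grep -q 'PRIVATE KEY' && echo yes || echo no
}
p7b_cert_count() {
    openssl pkcs7 -in "$WORK/host_signed.x509.p7b" -print_certs 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

run_demo() {
    setup_ca; issue_server_cert; export_containers
    echo "chain: $(chain_status)"                                                     # OK
    echo "cred.p12: $(p12_cert_count) certs, private key: $(p12_has_private_key)"    # 2, yes
    echo "host_signed.x509.p7b: $(p7b_cert_count) certs"                              # 2
}

if command -v openssl >/dev/null 2>&1; then
    run_demo
else
    echo "openssl not found on PATH" >&2
fi
```

The config deliberately marks the CA certificate CA:TRUE and the issued certificate CA:FALSE; without basicConstraints on the root, openssl verify rejects the chain, which is the check you want before handing cred.p12 to a BW identity.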