

Communication with a Stambia DI Runtime can be secured through HTTPS, either by securing the Runtime itself as explained in this article, or by accessing the Runtime through an HTTPS proxy.

Communication with such a Runtime is secured when connecting from Stambia DI Designer, Stambia DI Production Analytics, command line scripts, and so on.

This article demonstrates how to configure Stambia DI Designer and command line scripts to connect to HTTPS secured Runtimes.

Prerequisites:
  • Stambia DI Designer S19.0.21 or higher
  • Stambia DI Runtime S17.4.3 or higher

 

About certificates

Introduction

When accessing a Runtime through RMIS, certificates are involved in securing the exchanges.

When securing the Runtime itself, or the RMIS proxy used to access the Runtime, administrators use certificates to validate and secure the exchanges.

Every client that connects to the Runtime must know the public certificate to be able to communicate with it.

You will therefore first need to ask your administrator for this public certificate before configuring your clients.

 

Keystore

In Java programs, certificates are stored in files called 'keystores'.

Once you have retrieved the public certificate to be used, you have to create a keystore and add this certificate to it.

Clients will then be configured to use this keystore file, as explained in the next sections of this article.

 

Clients configuration

There are two main solutions for configuring clients to use the certificate and therefore be able to communicate with a secured Runtime:

  • Importing the given certificate directly into your JVM, so that every application running with this JVM benefits from it.

  • Configuring the clients themselves, such as the Designer, to use the certificate.

Both solutions are valid and you can use either one depending on your preference.

The first one is global and avoids configuring each client with the certificate, as all clients using the same JVM benefit from it.

The second one is suitable if you want to avoid changing your JVM settings and simply configure the clients themselves.

 

Importing certificate into your JVM

The first solution is to add the certificate to the global truststore of the Java Virtual Machine (JVM), so that any client application using this JVM benefits from the certificate automatically.

Refer to the Java documentation to find out how to add certificates to the JVM's default truststore.

When using this solution, you have to make sure that the client you use to communicate with the Runtime, such as the Designer or the command line scripts, is running on this JVM.

 

Importing certificates into clients

The second solution is to add the certificate to the clients themselves.

 

Stambia DI Designer configuration

Importing certificate in Designer

For the Designer to know your certificate, you have to create a keystore and import your certificate into it.

The idea is then to configure Stambia DI Designer to use the keystore containing the given certificate.

After creating your keystore, you can configure it in the Designer.

Go to the Designer's installation folder and open the "stambia.ini" or "stambia32.ini" file, depending on the launcher you are using.

Then add the following options at the end of the file:

-Djavax.net.ssl.trustStore=<keystore file path> 
-Djavax.net.ssl.trustStoreType=<keystore_type>
-Djavax.net.ssl.trustStorePassword=<keystore and key password>

 

Example:

-Djavax.net.ssl.trustStore=D:/certificates/mykeystore.jks
-Djavax.net.ssl.trustStoreType=jks
-Djavax.net.ssl.trustStorePassword=keystorepass

 

Note that if you defined a password for protecting the certificate key when adding it in the keystore, this must be the same as the password of the keystore itself.

 

Ignoring certification checks

An alternative option, for debugging or convenience purposes, is to disable certificate checks for HTTPS Runtime communications.

This avoids certificate errors when you want to connect to an HTTPS secured Runtime and have not created and configured your keystore.

Communication is still encrypted; this setting only skips the check Java performs to determine whether the certificate used for the connection is known. The identity of the Runtime is therefore not verified while the setting is enabled.

To ignore this check, go to the Designer's installation folder and open the "stambia.ini" or "stambia32.ini" file, depending on the launcher you are using.

Then add the following options at the end of the file:

-Dcom.stambia.runtime.https.ignoreCertCheck=true
-Dcom.stambia.runtime.https.ignoreCertCheckProtocol=SSL

 

Command line script configuration

Importing certificate in command line scripts

If you want to use the startcommand.bat / startcommand.sh scripts to connect to an HTTPS secured Runtime, you have to create a keystore and import your certificate into it.

The idea is then to configure the scripts to use the keystore containing the given certificate.

After creating your keystore, you can configure it in the scripts.

Go to the Runtime's installation folder and open "initvariables.bat" or "initvariables.sh", depending on your system.

Then add the following options to the "STAMBIA_STARTCOMMAND_VM_PROPERTIES" variable:

-Djavax.net.ssl.trustStore=<keystore file path> -Djavax.net.ssl.trustStoreType=<keystore_type> -Djavax.net.ssl.trustStorePassword=<keystore and key password>

 

Example for initvariables.bat:

set STAMBIA_STARTCOMMAND_VM_PROPERTIES=-Djavax.net.ssl.trustStore=D:/certificates/mykeystore.jks -Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.trustStorePassword=keystorepass

 

Example for initvariables.sh:

STAMBIA_STARTCOMMAND_VM_PROPERTIES="-Djavax.net.ssl.trustStore=D:/certificates/mykeystore.jks -Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.trustStorePassword=keystorepass"

 

Note that if you already have some properties defined in this variable, simply add the new options at the end of the line, such as:

set STAMBIA_STARTCOMMAND_VM_PROPERTIES=-Dstambia.client.configuration="%STAMBIA_PROPERTIES_LOCATION%\client.xml" -Djavax.net.ssl.trustStore=D:/certificates/mykeystore.jks -Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.trustStorePassword=keystorepass

 

Note that if you defined a password for protecting the certificate key when adding it in the keystore, this must be the same as the password of the keystore itself.
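
The Designer and command line sections above both ask you to create a keystore and import the certificate into it. The following is an added example (not part of the original article) of doing this with the JDK's keytool, importing only when the SHA-256 fingerprint matches the value given by your administrator. The function names, the "stambia-runtime" alias and the file names are assumptions.

```shell
#!/bin/sh
# Added example: build the truststore referenced by -Djavax.net.ssl.trustStore.
# Function names, alias and file names are placeholders, not Stambia conventions.

# Print the SHA-256 fingerprint keytool reports for a certificate file.
cert_sha256() {
    keytool -printcert -file "$1" | sed -n 's/^[[:space:]]*SHA256: *//p' | head -n 1
}

# Import CERT into KEYSTORE only if its fingerprint equals EXPECTED, the value
# obtained from the administrator over a separate channel.
# usage: import_runtime_cert CERT KEYSTORE STOREPASS EXPECTED [ALIAS]
import_runtime_cert() {
    cert=$1 keystore=$2 storepass=$3 expected=$4 entry=${5:-stambia-runtime}
    actual=$(cert_sha256 "$cert")
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $cert: got '$actual'" >&2
        return 1
    fi
    # -importcert creates the keystore file if it does not exist yet.
    # Note: -storepass on the command line is visible in the process list;
    # omit it to be prompted instead.
    keytool -importcert -noprompt -alias "$entry" -file "$cert" \
        -keystore "$keystore" -storetype jks -storepass "$storepass" >&2 || return 1
    # Confirm the entry is a trusted certificate (public part only, no private key).
    keytool -list -alias "$entry" -keystore "$keystore" -storetype jks \
        -storepass "$storepass" | grep -q trustedCertEntry
}

# Example call (placeholder values):
#   import_runtime_cert runtime.cer D:/certificates/mykeystore.jks keystorepass \
#       "<fingerprint from administrator>"
if [ $# -ge 4 ]; then
    import_runtime_cert "$@"
fi
```

The resulting file is the one to reference in -Djavax.net.ssl.trustStore, with -Djavax.net.ssl.trustStoreType=jks and the same password.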

 

Ignoring certification checks

An alternative option, for debugging or convenience purposes, is to disable certificate checks for HTTPS Runtime communications.

This avoids certificate errors when you want to connect to an HTTPS secured Runtime and have not created and configured your keystore.

Communication is still encrypted; this setting only skips the check Java performs to determine whether the certificate used for the connection is known. The identity of the Runtime is therefore not verified while the setting is enabled.

To ignore this check, add the following options instead:

-Dcom.stambia.runtime.https.ignoreCertCheck=true -Dcom.stambia.runtime.https.ignoreCertCheckProtocol=SSL

 

Example:

set STAMBIA_STARTCOMMAND_VM_PROPERTIES=-Dstambia.client.configuration="%STAMBIA_PROPERTIES_LOCATION%\client.xml" -Dcom.stambia.runtime.https.ignoreCertCheck=true -Dcom.stambia.runtime.https.ignoreCertCheckProtocol=SSL
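
Because the ignoreCertCheck option is meant for debugging, it is worth checking that it has not been left enabled in a client configuration. The following is an added example (not part of the original article) that scans a stambia.ini or initvariables file for the option and checks that a configured trustStore file exists. The function name is hypothetical, and treating lines that start with #, rem or :: as comments is an assumption.

```shell
#!/bin/sh
# Added example: flag client config files that disable certificate checks.

# Print one finding per line for FILE (stambia.ini, initvariables.sh/.bat).
# Returns 1 when a finding is reported, 0 when the file looks clean.
# Limitation: trustStore paths containing spaces are not handled.
audit_https_options() {
    file=$1 rc=0
    # Ignore commented-out lines (assumed markers: #, rem, ::).
    active=$(grep -Evi '^[[:space:]]*(#|rem[[:space:]]|::)' "$file" || true)
    if printf '%s\n' "$active" |
        grep -Eqi -e '-Dcom\.stambia\.runtime\.https\.ignoreCertCheck=true'; then
        echo "$file: certificate checks disabled (ignoreCertCheck=true)"
        rc=1
    fi
    # "trustStore=" does not match trustStoreType= or trustStorePassword=.
    store=$(printf '%s\n' "$active" |
        sed -n 's/.*-Djavax\.net\.ssl\.trustStore=\([^ "]*\).*/\1/p' | head -n 1)
    if [ -n "$store" ] && [ ! -f "$store" ]; then
        echo "$file: trustStore '$store' not found"
        rc=1
    fi
    return "$rc"
}

# Constructed sample: an initvariables.sh line with the checks disabled.
demo=$(mktemp)
printf '%s\n' 'STAMBIA_STARTCOMMAND_VM_PROPERTIES="-Dcom.stambia.runtime.https.ignoreCertCheck=true -Dcom.stambia.runtime.https.ignoreCertCheckProtocol=SSL"' > "$demo"
audit_https_options "$demo" || echo "findings reported for the constructed sample"
rm -f "$demo"

# Audit any files passed on the command line.
if [ $# -gt 0 ]; then
    for f in "$@"; do audit_https_options "$f" || true; done
fi
```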

 

Connecting from clients

Once you have configured your certificate, connecting to a Runtime through HTTPS is as simple as connecting to a Runtime with HTTP.

Refer to the following article to learn how to connect to Runtimes.

The only difference is to use "https" in the URL instead of "http".

 

 
