Clients such as Stambia DI Designer or Stambia DI Production Analytics connect to the Runtime through the RMI, HTTP, and Web Services endpoints it exposes.
Those services can be configured to be secured through TLS.
This article explains how to configure the Runtime for this.
This article is dedicated to Stambia DI Runtime S17.x.x configuration.
On higher versions the configuration procedure is slightly different.
Refer to the following article to learn how to configure this on higher versions.
Runtime Configuration
About configuration
The configuration of TLS for RMI, HTTP, and Web Services endpoints security is done directly in the engineParameters.xml file that can be found under the following path in a default installation:
stambiaRuntime/properties/engineParameters.xml
This file will allow you to enable TLS security for the communications and to define the certificate to be used.
This will apply for Runtime connections through RMI, through HTTP, and also for the published Web Services endpoints.
Enabling TLS for RMI communication
Prerequisites:
- Stambia DI Designer S19.0.12 or higher
- Stambia DI Runtime S17.6.0 or higher
When you want to secure RMI connections with TLS, you can proceed as follows.
Open Runtime's configuration file and change the value of the "rmiEnableTls" parameter to true:
<parameters>
<...>
<engineParameters>
<...>
<parameter name="rmiEnableTls" value="true"/>
<...>
</engineParameters>
<...>
</parameters>
That's it. After the Runtime is restarted, the RMI service will be secured through TLS.
About the TLS version used
The TLS version used will vary depending on the JVM version used.
The table below gives the standard version for Java 1.6, 1.7, and 1.8.
Please refer to the Java reference documentation of your version for further information.
Java Version | 1.6 | 1.7 | 1.8 |
TLS version used | TLSv1 | TLSv1 | TLSv1.2 |
Enabling TLS for HTTP communication
Prerequisites:
- Stambia DI Designer S19.0.21 or higher
- Stambia DI Runtime S17.6.9 or higher
When you want to secure HTTP connections with TLS, you have to define the certificate to be used.
To define the certificate, open Runtime's configuration file and go to the "Web Service HTTPS security" part, which is commented out by default:
<parameters>
<...>
<engineParameters>
<...>
<parameter name="webServiceSecureProtocol" value="TLSv1.1"/>
<parameter name="webServiceKeyStoreFile" value="D:/keystore/mykeystore.jks"/>
<parameter name="webServiceKeyStoreType" value="JKS"/>
<parameter name="webServiceKeyStorePassword" value="password"/>
<parameter name="webServiceKeyPassword" value="password"/>
<...>
</engineParameters>
<...>
</parameters>
Uncomment the parameters and define their values according to your needs:
Parameter | Description |
webServiceSecureProtocol | Protocol to be used for securing the endpoints, like TLSv1.1 for instance. |
webServiceKeyStoreFile | Path to the Java keystore containing the certificate to use for securing the endpoints |
webServiceKeyStoreType | Java keystore type, such as 'JKS' |
webServiceKeyStorePassword | Password of the keystore file |
webServiceKeyPassword | Password of the certificate key |
Finally, restart the Runtime. The HTTP communication endpoint will then be secured through TLS.
Enabling TLS for Web Services endpoints
Prerequisites:
- Stambia DI Runtime S17.4.3 or higher
When you want to secure Web Services endpoints, you have to define the certificate to be used.
This is the same procedure as for securing the HTTP communications.
Securing HTTP communication also secures Web Services endpoints, so if you followed the previous section to secure HTTP, you do not have to do any further configuration.
Securing Web Services endpoints is done by defining a certificate.
To define the certificate, open Runtime's configuration file and go to the "Web Service HTTPS security" part, which is commented out by default:
<parameters>
<...>
<engineParameters>
<...>
<parameter name="webServiceSecureProtocol" value="TLSv1.1"/>
<parameter name="webServiceKeyStoreFile" value="D:/keystore/mykeystore.jks"/>
<parameter name="webServiceKeyStoreType" value="JKS"/>
<parameter name="webServiceKeyStorePassword" value="password"/>
<parameter name="webServiceKeyPassword" value="password"/>
<...>
</engineParameters>
<...>
</parameters>
Uncomment the parameters and define their values according to your needs:
Parameter | Description |
webServiceSecureProtocol | Protocol to be used for securing the endpoints, like TLSv1.1 for instance. |
webServiceKeyStoreFile | Path to the Java keystore containing the certificate to use for securing the endpoints |
webServiceKeyStoreType | Java keystore type, such as 'JKS' |
webServiceKeyStorePassword | Password of the keystore file |
webServiceKeyPassword | Password of the certificate key |
Finally, restart the Runtime. The Web Services endpoints will then be secured through TLS.
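The checks below are an added example, not Stambia code: a small Python audit of engineParameters.xml covering the parameters described in the RMI, HTTP and Web Services sections above. The sample file content, the placeholder-password list and the function name are assumptions made for the illustration; TLSv1 and TLSv1.1 are flagged because RFC 8996 deprecates them.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from a real installation): valid XML standing in
# for stambiaRuntime/properties/engineParameters.xml with the page's values.
SAMPLE = """<parameters>
  <engineParameters>
    <parameter name="rmiEnableTls" value="false"/>
    <parameter name="webServiceSecureProtocol" value="TLSv1.1"/>
    <parameter name="webServiceKeyStoreFile" value="D:/keystore/mykeystore.jks"/>
    <parameter name="webServiceKeyStoreType" value="JKS"/>
    <parameter name="webServiceKeyStorePassword" value="password"/>
    <!-- <parameter name="webServiceKeyPassword" value="password"/> -->
  </engineParameters>
</parameters>"""

WEB_PARAMS = ("webServiceSecureProtocol", "webServiceKeyStoreFile",
              "webServiceKeyStoreType", "webServiceKeyStorePassword",
              "webServiceKeyPassword")
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1: deprecated by RFC 8996
PLACEHOLDER_PASSWORDS = {"", "password", "changeit"}  # assumed weak-value list

def audit(xml_text):
    """Return a list of findings for the TLS parameters described on the page."""
    root = ET.fromstring(xml_text)
    # Commented-out <parameter> elements are dropped by the parser, so a
    # section left commented shows up here as missing parameters.
    params = {p.get("name"): p.get("value", "") for p in root.iter("parameter")}
    findings = []
    if params.get("rmiEnableTls", "").strip().lower() != "true":
        findings.append("rmiEnableTls is not set to true")
    missing = [n for n in WEB_PARAMS if n not in params]
    if len(missing) == len(WEB_PARAMS):
        findings.append("HTTPS section not enabled: no webService* parameter set")
        return findings
    for name in missing:
        findings.append(f"{name} is missing or still commented out")
    protocol = params.get("webServiceSecureProtocol")
    if protocol in DEPRECATED:
        findings.append(f"webServiceSecureProtocol uses deprecated {protocol}")
    for name in ("webServiceKeyStorePassword", "webServiceKeyPassword"):
        if name in params and params[name].lower() in PLACEHOLDER_PASSWORDS:
            findings.append(f"{name} is a placeholder value")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

Because the keystore and key passwords are stored in clear text in this file, restricting read access to engineParameters.xml and to the keystore file is part of the same review.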
Restarting the Runtime
When you modify something in Runtime's configuration file, you have to restart the Runtime for the changes to take effect.
After restarting, you can see in the startup log that the Runtime is now secured.
28/02/2020 14:29:27,432 - Runtime version: s17.6.9_20191030
28/02/2020 14:29:27,432 - Java version: 1.8.0_231 vendor: Oracle Corporation home: D:\Java\1.8.0_231_jdk_64\jre
28/02/2020 14:29:27,649 - Internal Database is started: stambia:42100
28/02/2020 14:29:27,667 - Internal Database Web Server is started: http://stambia:42101
28/02/2020 14:29:30,512 - RMI server with TLS is started with embedded keystore: rmi://stambia:42000
28/02/2020 14:29:33,229 - Scheduler is started
28/02/2020 14:29:33,618 - SOAP Endpoint: https://stambia:42200/wsi/DeliverableService?WSDL
28/02/2020 14:29:33,618 - SOAP Legacy "Non WSI-Compliant" Endpoint: https://stambia:42200/StambiaDeliveryService?WSDL
28/02/2020 14:29:33,618 - HTTP Rest v3 - Endpoint: https://stambia:42200/rest/StambiaDeliveryService/3/default/<path>
28/02/2020 14:29:33,618 - HTTP Rest v3 - UI: https://stambia:42200/rest/StambiaDeliveryService/3/default?swagger-ui
28/02/2020 14:29:33,618 - HTTP Rest v3 - Definition: https://stambia:42200/rest/StambiaDeliveryService/3/default?swagger2.json
28/02/2020 14:29:33,618 - HTTP Rest v2 - Endpoint: https://stambia:42200/rest/StambiaDeliveryService/2/<deliveryName>
28/02/2020 14:29:33,618 - HTTP Rest v1 - Endpoint: https://stambia:42200/rest/StambiaDeliveryService/1/<deliveryName>
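As an added example (not part of the Stambia tooling), the following Python check reads a startup log in the format shown above and reports which listeners came up with TLS. The log lines embedded here are a subset copied from the sample above, and the function name and report layout are assumptions made for the illustration.

```python
import re

# Subset of the startup log shown above, embedded so the check runs offline.
STARTUP_LOG = """\
28/02/2020 14:29:27,432 - Runtime version: s17.6.9_20191030
28/02/2020 14:29:27,667 - Internal Database Web Server is started: http://stambia:42101
28/02/2020 14:29:30,512 - RMI server with TLS is started with embedded keystore: rmi://stambia:42000
28/02/2020 14:29:33,618 - SOAP Endpoint: https://stambia:42200/wsi/DeliverableService?WSDL
28/02/2020 14:29:33,618 - HTTP Rest v3 - Endpoint: https://stambia:42200/rest/StambiaDeliveryService/3/default/<path>
"""

# "<date> <time> - <label>: <scheme>://<rest>"; lines without a URL are skipped.
LINE = re.compile(r"^\S+ \S+ - (?P<label>.+?): (?P<url>(?P<scheme>[a-z]+)://\S+)$")

def check_startup(log_text):
    """Summarise which listeners in a startup log are TLS-protected."""
    report = {"rmi_tls": False, "https": [], "plaintext": []}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        label, url, scheme = m["label"], m["url"], m["scheme"]
        if scheme == "rmi":
            # The rmi:// scheme looks the same with or without TLS; the only
            # indicator in the log is the "with TLS" wording of the label.
            report["rmi_tls"] = "with TLS" in label
            if not report["rmi_tls"]:
                report["plaintext"].append((label, url))
        elif scheme == "https":
            report["https"].append(url)
        elif scheme == "http":
            report["plaintext"].append((label, url))
    return report

if __name__ == "__main__":
    result = check_startup(STARTUP_LOG)
    print("RMI with TLS:", result["rmi_tls"])
    for label, url in result["plaintext"]:
        print("NOT TLS:", label, url)
```

On the sample log this reports the RMI server and the SOAP/REST endpoints as secured, and lists the Internal Database Web Server line, which is still published over http:// in that log.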
Communicating with a Runtime through TLS secured communications
Now that your Runtime's RMI transport protocol is secured, you can start communicating with it through the various clients.
For instance, you can try connecting to it from Stambia DI Designer, Stambia DI Production Analytics, and more.
As the communication is now secured, you may have to change the connection syntax to be able to connect from the client, and configure the clients so that they know which certificate to use to communicate with the Runtime.
Refer to the following article which explains the various syntaxes and configuration of the clients.