Stambia versions 2.x, 3.x, S17, S18, S19 and S20 are reaching End of Support January, 15th, 2024. Please consider upgrading to the supported Semarchy xDI versions. See Global Policy Support and the Semarchy Documentation.


Clients such as Stambia DI Designer or Stambia DI Production Analytics connect to the Runtime through the RMI, HTTP, and Web Services endpoints it exposes.

Those services can be configured to be secured through TLS.

This article explains how to configure the Runtime for this.

This article is dedicated to Stambia DI Runtime S17.x.x configuration.

On higher versions the configuration procedure was slightly different.

Refer to the following article to learn how to configure this on higher versions.

 

Runtime Configuration

About configuration

The configuration of TLS for RMI, HTTP, and Web Services endpoints security is done directly in the engineParameters.xml file that can be found under the following path in a default installation:

stambiaRuntime/properties/engineParameters.xml

 

This file will allow you to enable TLS security for the communications and to define the certificate to be used.

This will apply for Runtime connections through RMI, through HTTP, and also for the published Web Services endpoints.

 

Enabling TLS for RMI communication

Prerequisites:

  • Stambia DI Designer S19.0.12 or higher
  • Stambia DI Runtime S17.6.0 or higher

 

When you want to secure RMI connections with TLS, you can proceed as follows.

Open Runtime's configuration file and change the value of the "rmiEnableTls" parameter to true:

 

<parameters>
    <...>
    <engineParameters>
        <...>
        <parameter name="rmiEnableTls" value="true"/>
        <...>
    </engineParameters>
    <...>
</parameters>

 

That's it: once the Runtime has been restarted, the RMI service will be secured through TLS.

 

About the TLS version used

The TLS version used will vary depending on the JVM version used.

You can find below the standard for the 1.6, 1.7, and 1.8 Java versions.

Please refer to the Java reference documentation of your version for further information.

Java version        1.6      1.7      1.8
TLS version used    TLSv1    TLSv1    TLSv1.2

 

Enabling TLS for HTTP communication

Prerequisites:

  • Stambia DI Designer S19.0.21 or higher
  • Stambia DI Runtime S17.6.9 or higher

 

When you want to secure HTTP connections with TLS, you have to define the certificate to be used.

To define the certificate, open the Runtime's configuration file and go to the "Web Service HTTPS security" part, which is commented out by default:

 

<parameters>
    <...>
    <engineParameters>
        <...>
        <parameter name="webServiceSecureProtocol" value="TLSv1.1"/>
        <parameter name="webServiceKeyStoreFile" value="D:/keystore/mykeystore.jks"/>
        <parameter name="webServiceKeyStoreType" value="JKS"/> 
        <parameter name="webServiceKeyStorePassword" value="password"/> 
        <parameter name="webServiceKeyPassword" value="password"/>
        <...>
    </engineParameters>
    <...>
</parameters>

 

Uncomment the parameters and define their values according to your needs:

 

Parameter                     Description
webServiceSecureProtocol      Protocol to be used for securing the endpoints, like TLSv1.1 for instance.
webServiceKeyStoreFile        Path to the Java keystore containing the certificate to use for securing the endpoints
webServiceKeyStoreType        Java keystore type, such as 'JKS'
webServiceKeyStorePassword    Password of the keystore file
webServiceKeyPassword         Password of the certificate key

 

Finally, restart the Runtime; the HTTP communication endpoint will then be secured through TLS.

 

Enabling TLS for Web Services endpoints

Prerequisites:

  • Stambia DI Runtime S17.4.3 or higher

 

When you want to secure Web Services endpoints, you have to define the certificate to be used.

This is the same procedure as for securing the HTTP communications.

Securing HTTP communication also secures Web Services endpoints, so if you followed the previous section to secure HTTP, you do not have to do any further configuration.

 

Securing Web Services endpoints is done by defining a certificate.

To define the certificate, open the Runtime's configuration file and go to the "Web Service HTTPS security" part, which is commented out by default:

 

<parameters>
    <...>
    <engineParameters>
        <...>
        <parameter name="webServiceSecureProtocol" value="TLSv1.1"/>
        <parameter name="webServiceKeyStoreFile" value="D:/keystore/mykeystore.jks"/>
        <parameter name="webServiceKeyStoreType" value="JKS"/> 
        <parameter name="webServiceKeyStorePassword" value="password"/> 
        <parameter name="webServiceKeyPassword" value="password"/>
        <...>
    </engineParameters>
    <...>
</parameters>

 

Uncomment the parameters and define their values according to your needs:

 

Parameter                     Description
webServiceSecureProtocol      Protocol to be used for securing the endpoints, like TLSv1.1 for instance.
webServiceKeyStoreFile        Path to the Java keystore containing the certificate to use for securing the endpoints
webServiceKeyStoreType        Java keystore type, such as 'JKS'
webServiceKeyStorePassword    Password of the keystore file
webServiceKeyPassword         Password of the certificate key

 

Finally, restart the Runtime; the Web Services endpoints will then be secured through TLS.

 

Restarting the Runtime

Whenever you modify something in the Runtime's configuration file, you have to restart the Runtime for the changes to take effect.

After restarting, you can see in the startup log that the Runtime is now secured.

28/02/2020 14:29:27,432 - Runtime version: s17.6.9_20191030
28/02/2020 14:29:27,432 - Java version: 1.8.0_231 vendor: Oracle Corporation home: D:\Java\1.8.0_231_jdk_64\jre
28/02/2020 14:29:27,649 - Internal Database is started: stambia:42100
28/02/2020 14:29:27,667 - Internal Database Web Server is started: http://stambia:42101
28/02/2020 14:29:30,512 - RMI server with TLS is started with embedded keystore: rmi://stambia:42000
28/02/2020 14:29:33,229 - Scheduler is started
28/02/2020 14:29:33,618 - SOAP Endpoint: https://stambia:42200/wsi/DeliverableService?WSDL
28/02/2020 14:29:33,618 - SOAP Legacy "Non WSI-Compliant" Endpoint: https://stambia:42200/StambiaDeliveryService?WSDL
28/02/2020 14:29:33,618 - HTTP Rest v3 - Endpoint: https://stambia:42200/rest/StambiaDeliveryService/3/default/<path>
28/02/2020 14:29:33,618 - HTTP Rest v3 - UI: https://stambia:42200/rest/StambiaDeliveryService/3/default?swagger-ui
28/02/2020 14:29:33,618 - HTTP Rest v3 - Definition: https://stambia:42200/rest/StambiaDeliveryService/3/default?swagger2.json
28/02/2020 14:29:33,618 - HTTP Rest v2 - Endpoint: https://stambia:42200/rest/StambiaDeliveryService/2/<deliveryName>
28/02/2020 14:29:33,618 - HTTP Rest v1 - Endpoint: https://stambia:42200/rest/StambiaDeliveryService/1/<deliveryName>
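
A post-restart check over the startup log, as an added example (not part of the original article): it confirms the "RMI server with TLS" line, looks up the JVM in the table from "About the TLS version used", and separates the URLs the log advertises as https:// from those still advertised as http://. The log lines are a subset copied from this page; the function name and result keys are hypothetical.

```python
import re

# Subset of the startup log shown on this page.
STARTUP_LOG = r"""
28/02/2020 14:29:27,432 - Java version: 1.8.0_231 vendor: Oracle Corporation home: D:\Java\1.8.0_231_jdk_64\jre
28/02/2020 14:29:27,667 - Internal Database Web Server is started: http://stambia:42101
28/02/2020 14:29:30,512 - RMI server with TLS is started with embedded keystore: rmi://stambia:42000
28/02/2020 14:29:33,618 - SOAP Endpoint: https://stambia:42200/wsi/DeliverableService?WSDL
28/02/2020 14:29:33,618 - HTTP Rest v3 - Endpoint: https://stambia:42200/rest/StambiaDeliveryService/3/default/<path>
"""

# Table from "About the TLS version used" on this page.
JVM_TLS = {"1.6": "TLSv1", "1.7": "TLSv1", "1.8": "TLSv1.2"}
LINE = re.compile(r"^\S+ \S+ - (?P<msg>.*)$")          # "<date> <time> - <message>"
URL = re.compile(r"(?P<label>[^:]+?): (?P<scheme>https?)://\S+$")


def check_startup_log(text):
    """Summarise which listeners the Runtime reports as TLS-protected."""
    result = {"rmi_tls": False, "jvm_tls": None, "https": [], "plaintext": []}
    for raw in text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue
        msg = line.group("msg")
        if msg.startswith("RMI server with TLS"):
            result["rmi_tls"] = True
        java = re.match(r"Java version: (\d+\.\d+)", msg)
        if java:
            # None means the JVM is not covered by the page's table.
            result["jvm_tls"] = JVM_TLS.get(java.group(1))
        url = URL.match(msg)
        if url:
            key = "https" if url.group("scheme") == "https" else "plaintext"
            result[key].append(url.group("label"))
    return result


if __name__ == "__main__":
    print(check_startup_log(STARTUP_LOG))
```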

 

Communicating with a Runtime through TLS secured communications

Your Runtime RMI transport protocol now being secured, you can start communicating with it through the various clients.

For instance, you can try connecting to it from Stambia DI Designer, Stambia DI Production Analytics, and more...

As the communication is now secured, you may have to change the connection syntax to be able to connect from the client, and also to configure the clients so that they are aware of the certificate to be used to communicate with the Runtime.

 

Refer to the following article which explains the various syntaxes and configuration of the clients.

 

 
