Connection on the Runtime by clients such as Stambia DI Designer or Stambia DI Production Analytics can be performed through the RMI, HTTP, and Web Services endpoints which are exposed.
Those services can be configured to be secured through TLS.
This article explains how to configure the Runtime for this.
Prerequisites:
- Stambia DI Designer 2020 (S20.0.0) or higher
- Stambia DI Runtime 2020 (S20.0.0) or higher
This article is dedicated to Stambia DI 2020 configuration.
On prior versions the configuration procedure was slightly different.
Refer to the following article to learn of to configure this on prior versions.
Runtime Configuration
About configuration
The configuration of TLS for RMI, HTTP, and Web Services endpoints security is done directly in the engineParameters.xml file that can be found under the following path in a default installation:
stambiaRuntime/properties/engineParameters.xml
This file will allow you to enable TLS security for the communications and to define the certificate to be used.
This will apply for Runtime connections through RMI, through HTTP, and also for the published Web Services endpoints.
Defining the certificate to be used
The first step is to define the certificate to be used for securing the communications.
To define the certificate, open Runtime's configuration file and lead to the "Services Transport Security" section to find the following parameters which are commented by default:
<parameters> <...> <engineParameters> <...> <parameter name="webServiceSecureProtocol" value="TLSv1.1"/> <parameter name="webServiceKeyStoreFile" value="D:/keystore/mykeystore.jks"/> <parameter name="webServiceKeyStoreType" value="JKS"/> <parameter name="webServiceKeyStorePassword" value="password"/>
<parameter name="webServiceKeyAlias" value="keyname"/>
<parameter name="webServiceKeyPassword" value="password"/>
<...>
</engineParameters>
<...>
</parameters>
Uncomment the parameters and define their values accordingly to your needs:
Parameter | Description |
webServiceSecureProtocol | Protocol to be used for securing the endpoints, like TLSv1.1 for instance. |
webServiceKeyStoreFile | Path to the Java keystore containing the certificate to use for securing the endpoints |
webServiceKeyStoreType | Java keystore type, such as 'JKS' |
webServiceKeyStorePassword | Password of the keystore file |
webServiceKeyAlias | Alias of the key which should be used,which must correspond to the alias of an existing key in the defined keystore. |
webServiceKeyPassword |
Password of the certificate key |
Enabling TLS for RMI communication
After having defined the certificate, an additional step is required to enable TLS on RMI communications.
Open Runtime's configuration file and change the value of the "rmiEnableTls" parameter to true:
<parameters>
<...>
<engineParameters>
<...>
<parameter name="rmiEnableTls" value="true"/>
<...>
</engineParameters>
<...>
</parameters>
Enabling TLS for HTTP communication
Defining the certificate will automatically secure HTTP communications, you have nothing more to configure.
Enabling TLS for Web Services endpoints
Defining the certificate will automatically secure Web Services endpoints, you have nothing more to configure.
Restarting the Runtime
Finally, restart the Runtime.
The different services you configured will now be secured through TLS.
You can see in startup log that the Runtime is now secured.
28/02/2020 14:23:26,667 - Runtime version: s20.0.0_20200214
28/02/2020 14:23:26,667 - Java version: 1.8.0_231 vendor: Oracle Corporation home: D:\java\1.8.0_231_jdk_64\jre
28/02/2020 14:23:26,853 - Internal Database is started: stambia:42100
28/02/2020 14:23:26,869 - Internal Database Web Server is started: http://stambia:42101
28/02/2020 14:23:29,698 - RMI server with TLS is started: rmis://stambia:42000
28/02/2020 14:23:32,148 - Scheduler is started
28/02/2020 14:23:33,240 - SOAP Endpoint: https://stambia:42200/wsi/DeliverableService?WSDL
28/02/2020 14:23:33,240 - SOAP Legacy "Non WSI-Compliant" Endpoint: https://stambia:42200/StambiaDeliveryService?WSDL
28/02/2020 14:23:33,241 - HTTP Rest v3 - Endpoint: https://stambia:42200/rest/StambiaDeliveryService/3/default/<path>
28/02/2020 14:23:33,241 - HTTP Rest v3 - UI: https://stambia:42200/rest/StambiaDeliveryService/3/default?swagger-ui
28/02/2020 14:23:33,241 - HTTP Rest v3 - Definition: https://stambia:42200/rest/StambiaDeliveryService/3/default?swagger2.json
28/02/2020 14:23:33,241 - HTTP Rest v2 - Endpoint: https://stambia:42200/rest/StambiaDeliveryService/2/<deliveryName>
28/02/2020 14:23:33,241 - HTTP Rest v1 - Endpoint: https://stambia:42200/rest/StambiaDeliveryService/1/<deliveryName>
Communicating with a Runtime through TLS secured communications
Your Runtime transport protocols now being secured, you can start communicating with it through the various clients.
For instance, you can try connecting to it from Stambia DI Designer, Stambia DI Production Analytics, and more...
As the communication is now secured, you may have to change the connection syntax to be able to connect from the client, and also to configure the clients so that they are aware of the certificate to be used to communicate with the Runtime.
Refer to the following article which explains the various syntaxes and configuration of the clients.