Configuring ActiveMatrix BPM to Access a Client’s Public Certificate

You can configure TIBCO ActiveMatrix BPM so that the authentication provider resources can access a client’s public certificate.

Procedure

  1. Obtain the public root certificate that will be used by a client application to sign its message requests to a TIBCO ActiveMatrix BPM service. (The client must sign the message request using a private key associated with a certificate that forms part of a chain of trust to the public root certificate.)
  2. Create the trust store to be used by the Trust Keystore Provider resource template (amx.bpm.truststore.provider). By default, the template is configured to use a trust store with the following name and location:

    CONFIG_HOME\bpm\bpm_app_name\keystores\amx-bpm-wss-truststore.jks

  3. Add the public root certificate to the trust store.
    Note: You must use an external tool, such as the Java keytool utility, to create and manage the trust store. For example, the following keytool command could be used to create the default trust store and import a certificate called clientApp.cert into it. The alias extClient1 would be used to subsequently access this certificate.

    keytool -import -file clientApp.cert -keystore C:\ProgramData\amx-bpm\tibco\data\bpm\amx.bpm.app\keystores\amx-bpm-wss-truststore.jks -alias extClient1 -v

If you do not wish to use the default trust store, you can create and use a different one. If you do so, you must:

  1. Edit the Location of Keystore, Password and Type fields for the amx.bpm.truststore.provider Keystore Provider resource template, to use the new trust store configuration.
  2. Re-install (Uninstall, then install) the amx.bpm.truststore.provider Keystore Provider resource instance to pick up the changes to the template.

Result

Warning: The default password used by the Trust Keystore Provider to access the trust store is password. As a security precaution, TIBCO recommends that you change the default password for this keystore, after which you must reconfigure the Trust Keystore Provider to use the new password.
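The following is an added audit example, not TIBCO's code, that shows what steps 2 and 3 and the warning above amount to at the file level: it builds a minimal JKS trust store with one trusted-certificate entry under the alias extClient1 (a constructed placeholder blob stands in for a real DER certificate), lists its aliases, and recomputes the store's keytool-style integrity digest to tell whether a store such as amx-bpm-wss-truststore.jks still opens with the default password. Only the Python standard library is used.

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
TRUSTED_CERT_TAG = 2
INTEGRITY_SALT = b"Mighty Aphrodite"  # fixed string keytool mixes into the integrity digest

def _utf(s):
    """Java DataOutput.writeUTF: 2-byte big-endian length followed by the bytes."""
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data

def _integrity_digest(password, body):
    # keytool's check: SHA-1 over password (UTF-16BE) + salt + everything before the digest
    return hashlib.sha1(password.encode("utf-16-be") + INTEGRITY_SALT + body).digest()

def build_trust_store(entries, password):
    """Build a JKS v2 store of trusted-certificate entries; entries maps alias -> DER bytes."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(entries))
    for alias, cert in entries.items():
        body += struct.pack(">I", TRUSTED_CERT_TAG) + _utf(alias)
        body += struct.pack(">Q", 0)  # creation timestamp in ms (constructed value)
        body += _utf("X.509") + struct.pack(">I", len(cert)) + cert
    return body + _integrity_digest(password, body)

def password_opens_store(jks, password):
    """True when `password` reproduces the trailing 20-byte integrity digest."""
    return _integrity_digest(password, jks[:-20]) == jks[-20:]

def trusted_aliases(jks):
    """List the aliases of trusted-certificate entries (the store body is not encrypted)."""
    magic, version, count = struct.unpack(">III", jks[:12])
    if magic != JKS_MAGIC or version != JKS_VERSION:
        raise ValueError("not a JKS version 2 store")
    pos, aliases = 12, []
    for _ in range(count):
        if struct.unpack(">I", jks[pos:pos + 4])[0] != TRUSTED_CERT_TAG:
            raise ValueError("only trusted-certificate entries are handled here")
        n = struct.unpack(">H", jks[pos + 4:pos + 6])[0]
        aliases.append(jks[pos + 6:pos + 6 + n].decode("utf-8"))
        pos += 6 + n + 8  # tag, alias, creation timestamp
        n = struct.unpack(">H", jks[pos:pos + 2])[0]
        pos += 2 + n  # certificate type string ("X.509")
        n = struct.unpack(">I", jks[pos:pos + 4])[0]
        pos += 4 + n  # certificate bytes
    return aliases

# Constructed sample: the alias from the procedure, with a placeholder blob instead of a real cert.
SAMPLE_STORE = build_trust_store({"extClient1": b"<constructed DER placeholder>"}, "password")
```

Running password_opens_store(open(path, "rb").read(), "password") against a real trust store flags one that still uses the default password and therefore needs the password change and Trust Keystore Provider reconfiguration described in the warning.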

See the TIBCO ActiveMatrix Administrator documentation for more information about how to perform these tasks.

Note: The Identity Keystore Provider and associated Keystore shown in Figure 1 are used to enable TIBCO ActiveMatrix BPM to sign outgoing messages - with the corresponding public root certificate being supplied to and used by the remote application to verify the signature.

Configuration of these resources is not required to enable TIBCO ActiveMatrix BPM to trust the client application. However, these resources can be used if mutual trust is required - that is, if the client application also needs to trust messages received from TIBCO ActiveMatrix BPM. See the TIBCO ActiveMatrix Administrator documentation for more information about how to configure these resources.

Warning: The default password used by the Identity Keystore Provider to access the keystore is password. As a security precaution, TIBCO recommends that you change the default password for this keystore, after which you must reconfigure the Identity Keystore Provider to use the new password.