Configure Secure Services with TIBCO API Exchange Gateway

The backend services may or may not require X.509 client authentication. The Is Anonymous flag for a target service determines if the client authentication is required or not. The client authentication, also known as mutual SSL authentication is required if the Is Anonymous flag is set to false. If the Is Anonymous flag is set to true,the service does not require the authentication of client.

	When the authentication policies are enforced on a SSL enabled target service, make sure to set the classpath in the ASG_HOME/bin/asg-engine.tra file. The classpath must include the TIBCO_HOME/tools/lib directory, and can be set using the following variable: tibco.env.CUSTOM_EXT_PREPEND_CP

To use the services, define the DSS properties in a file. The DSS properties file is used during the configuration of the service using the Config UI. See Configuring Services.

This section explains the properties required to use the back-end services using the HTTPs transport.

Trust Identity Provider (TIP) properties are used if the "Is Anonymous" flag is set to true for any target service. TIBCO API Exchange Gateway supports the one way SSL authentication , that is, when the service is accessed by the Core Engine and the service does not require the authentication of the client.

Use service when no authentication of the client required (one way SSL).

See the following properties:

Table SSL Authentication Properties for Service explains the properties for SSL authentication (one way SSL authentication) for the service..

Table 99 SSL Authentication Properties for Service
Property	Description
com.tibco.trinity.runtime.core.provider.identity.trust.trustStoreServiceProvider
	Specifies that trust store service provider uses keystores for credentials. By default, this is configured to use internal implementation and should not be changed. It is configured as follows: class:com.tibco.trinity.runtime.core.provider.credential.keystore
com.tibco.trinity.runtime.core.provider.credential.keystore.truststore.keyStoreLocation
	Specifies the location(s) of the keystore.
com.tibco.trinity.runtime.core.provider.credential.keystore.truststore.keyStorePassword
	Specifies the password to unlock the keystore.
com.tibco.trinity.runtime.core.provider.credential.keystore.truststore.keyStoreRefreshInterval
	Specifies the refresh interval (milliseconds).
com.tibco.trinity.runtime.core.provider.credential.keystore.truststore.keyStoreType
	Specifies the keystore type. Supported formats are JKS,PKCS12.

Table 99 SSL Authentication Properties for Service

Property

Description

com.tibco.trinity.runtime.core.provider.identity.trust.trustStoreServiceProvider

Specifies that trust store service provider uses keystores for credentials. By default, this is configured to use internal implementation and should not be changed. It is configured as follows:

class:com.tibco.trinity.runtime.core.provider.credential.keystore

com.tibco.trinity.runtime.core.provider.credential.keystore.truststore.keyStoreLocation

Specifies the location(s) of the keystore.

com.tibco.trinity.runtime.core.provider.credential.keystore.truststore.keyStorePassword

Specifies the password to unlock the keystore.

com.tibco.trinity.runtime.core.provider.credential.keystore.truststore.keyStoreRefreshInterval

Specifies the refresh interval (milliseconds).

com.tibco.trinity.runtime.core.provider.credential.keystore.truststore.keyStoreType

Specifies the keystore type. Supported formats are JKS,PKCS12.

Subject Identity Provider (SIP) properties are used if the "Is Anonymous" flag is set to false for any service. API Exchange Gateway supports the mutual SSL authentication to access the service.

Using service when client authentication (mutual SSL authentication) required.