Enabling SSL for TIBCO Order Management
- Procedure
- Go to the JAVA_11_HOME\bin directory and run the following commands:
C:\jdk11\bin>keytool -genkey -alias om -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 -keystore om.pkcs12 -storepass tibco123 -ext san=dns:configurator-svc.default.svc.cluster.local,dns:authorization-svc.default.svc.cluster.local,dns:ope-svc.default.svc.cluster.local,dns:localhost,dns:orchestrator-svc.default.svc.cluster.local,dns:aopd-svc.default.svc.cluster.local,dns:archival-svc.default.svc.cluster.local,dns:pc-svc.default.svc.cluster.local,dns:jeopardy-svc.default.svc.cluster.local
What is your first and last name? [Unknown]: om-auth.test
What is the name of your organizational unit? [Unknown]: tibco
What is the name of your organization? [Unknown]: tibco
What is the name of your City or Locality? [Unknown]: Pune
What is the name of your State or Province? [Unknown]: Maharashtra
What is the two-letter country code for this unit? [Unknown]: IN
Is CN=om-auth.test, OU=tibco, O=tibco, L=Pune, ST=Maharashtra, C=IN correct? [no]: Yes
C:\jdk11\bin>keytool -export -alias om -file om123.crt -keystore om.pkcs12
C:\jdk11\bin>keytool -import -alias om2 -file om123.crt -cacerts -storepass changeit
- Copy the om.pkcs12 file from the JAVA_HOME\bin directory and the cacerts file from the JAVA_HOME\lib\security directory to the base/1.0 directory, and modify the base Dockerfile accordingly.
Example: copy om.pkcs12 and cacerts to the location /home/tibuser/tibco/om/5.1
- Modify the entrypoint in the Order Management services Dockerfile as follows:
ENTRYPOINT ["sh","-c", "/home/tibuser/tibco/om/5.1/configurator/standalone/bin/start.sh -Djavax.net.ssl.trustStore=/home/tibuser/tibco/om/5.1/cacerts -Djavax.net.ssl.trustStorePassword=changeit --run=FG"]
- Create docker images for all Order Management services.
- On the Helm chart side, modify the values.yaml file as follows:
- Add the following properties:
server_ssl_key_alias: om
server_ssl_key_store_password: tibco123
server_ssl_key_store: /home/tibuser/tibco/om/5.1/om.pkcs12
- Update the following properties:
authorizationServiceTokenEndPoint: https://authorization-svc.default.svc.cluster.local:9091/oauth/token
configuratorServiceUrl: https://configurator-svc.default.svc.cluster.local:9090
orderArchivalserviceUrl: https://orchestrator-svc.default.svc.cluster.local:9093/v1/order/archival
orderOrchAmendOrderUrl: https://orchestrator-svc.default.svc.cluster.local:9093/v1/amend
orderOrchSuspendOrderUrl: https://orchestrator-svc.default.svc.cluster.local:9093/v1/order/suspend
orderOrchActivateOrderUrl: https://orchestrator-svc.default.svc.cluster.local:9093/v1/order/activate
orderOrchCancelOrderUrl: https://orchestrator-svc.default.svc.cluster.local:9093/v1/order/cancel
orderOrchWithdrawOrderUrl: https://orchestrator-svc.default.svc.cluster.local:9093/v1/order
orderOrchBulkActionUrl: https://orchestrator-svc.default.svc.cluster.local:9093/v1/orders/bulkaction
orderOrchPlanPreviewUrl: https://orchestrator-svc.default.svc.cluster.local:9093/v1/planPreview
orderPurgeOrderUrl: https://orchestrator-svc.default.svc.cluster.local:9093/v1/order/purgeOrder
orderErrorHandlerreplyUrl: https://orchestrator-svc.default.svc.cluster.local:9093/v1/planitem/errorHandlerreply
orderBulkErrorHandlerreplyUrl: https://orchestrator-svc.default.svc.cluster.local:9093/v1/planitem/bulkErrorHandlerreply
aopdGeneratePlanResourceURL: https://aopd-svc.default.svc.cluster.local:9094/v1/generatePlan
aopdAmendPlanResourceURL: https://aopd-svc.default.svc.cluster.local:9094/v1/plan/amend
pcResourceExecuteRequestURL: https://pc-svc.default.svc.cluster.local:9089/v1/planitem/executionrequest
pcResourceSuspendRequestURL: https://pc-svc.default.svc.cluster.local:9089/v1/planitem/suspendrequest
pcResourceActivateRequestURL: https://pc-svc.default.svc.cluster.local:9089/v1/planitem/activaterequest
pcResourceExtErrorHanlderRequestURL: https://pc-svc.default.svc.cluster.local:9089/v1/planitem/errorhandlerrequest
feasibleRequestPathRequestURL: https://pc-svc.default.svc.cluster.local:9089/v1/feasibility
pqfRequestPathRequestURL: https://pc-svc.default.svc.cluster.local:9089/v1/pqf
pcResourceMileReleaseRequestURL: https://pc-svc.default.svc.cluster.local:9089/v1/planitem/milestonerelease
archivalGetOrderDetailsURL: https://archival-svc.default.svc.cluster.local:9099/v1/ordersByCriteria
omServerOrderUrl: https://orchestrator-svc.default.svc.cluster.local:9093/v1/order
omServerWithdrawOrderPath: https://orchestrator-svc.default.svc.cluster.local:9093/v1/order
omServerOrderDetailsPath: https://orchestrator-svc.default.svc.cluster.local:9093/v1/order
orchURL: https://orchestrator-svc.default.svc.cluster.local:9093
- Change the scheme for each application to HTTPS.
Example: In the configurator application:
readinessProbe:
  failureThreshold: 3
  httpGet:
    path: /management/ready
    port: 9090
    scheme: HTTPS
  periodSeconds: 300
  successThreshold: 1
  timeoutSeconds: 3
livenessProbe:
  failureThreshold: 3
  httpGet:
    path: /management/health
    port: 9090
    scheme: HTTPS
  periodSeconds: 300
  successThreshold: 1
  timeoutSeconds: 3
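Java HTTPS clients match the host in each service URL against the certificate's SAN entries, so every host named in values.yaml must appear in the `-ext san=` list given to keytool. The following added example (not part of the TIBCO documentation; the function names and the shortened sample data are constructed for illustration) reports URL properties that are still plain http or that point at a host the SAN list does not cover.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a shortened copy of the keytool "-ext san=..." value.
SAN_EXT = ("san=dns:configurator-svc.default.svc.cluster.local,"
           "dns:authorization-svc.default.svc.cluster.local,"
           "dns:orchestrator-svc.default.svc.cluster.local,dns:localhost")

# Constructed values.yaml fragment; orchURL and the aopd entry are wrong on purpose.
VALUES_YAML = """\
configuratorServiceUrl: https://configurator-svc.default.svc.cluster.local:9090
authorizationServiceTokenEndPoint: https://authorization-svc.default.svc.cluster.local:9091/oauth/token
orchURL: http://orchestrator-svc.default.svc.cluster.local:9093
aopdGeneratePlanResourceURL: https://aopd-svc.default.svc.cluster.local:9094/v1/generatePlan
server_ssl_key_alias: om
"""

# Matches "key: http(s)://..." lines at any indent, with optional quotes.
URL_LINE = re.compile(r"^\s*([\w.-]+):\s*[\"']?(https?://\S+?)[\"']?\s*$", re.M)

def san_dns_names(ext):
    """Return the lower-cased dNSName entries of a keytool '-ext san=...' value."""
    names = set()
    for entry in ext.partition("=")[2].split(","):
        kind, _, value = entry.strip().partition(":")
        if kind.lower() == "dns" and value:
            names.add(value.lower())
    return names

def check(yaml_text, ext):
    """Return sorted (key, problem) findings for every URL-valued property."""
    sans = san_dns_names(ext)
    findings = []
    for key, url in URL_LINE.findall(yaml_text):
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append((key, "scheme is not https"))
        host = (parts.hostname or "").lower()
        # Exact match only: the SAN list on this page has no wildcard names.
        if host not in sans:
            findings.append((key, f"host {host} not in certificate SAN"))
    return sorted(findings)

if __name__ == "__main__":
    for key, problem in check(VALUES_YAML, SAN_EXT):
        print(f"{key}: {problem}")
```
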
- Add the following properties: