Configuring SSL for TIBCO® Order Management
SSL can be configured for TIBCO® Order Management both on the cloud and on premises.
Configuring on the Cloud
The following procedure is provided for testing purposes only and is not recommended for a production environment. Currently, the ingress is configured with SSL only for the authorization service as a backend.
- Procedure
  - To create a root certificate, run the following command:
    ```shell
    openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -subj "/CN=test/O=TIBCO" -keyout lab-caroot.key -out lab-caroot.crt
    ```
  - To create a CSR for a service certificate, run the following command:
    ```shell
    openssl req -out om-auth.csr -newkey rsa:2048 -nodes -keyout om-auth.key -subj "/CN=om-auth.test/O=auth-svc organization"
    ```
  - To sign the certificate with the root CA, run the following command:
    ```shell
    openssl x509 -req -days 365 -CA lab-caroot.crt -CAkey lab-caroot.key -set_serial 0 -in om-auth.csr -out om-auth.crt
    ```
  - To create the Kubernetes secret, run the following command:
    ```shell
    kubectl create secret tls tls-om-auth --key=om-auth.key --cert=om-auth.crt
    ```
  - Add the secret to the auth ingress YAML file:
    ```yaml
    tls:
      - hosts:
          - om-auth.test   # This should match a DNS name in the certificate
        secretName: tls-om-auth   # This should match the certificate secret name
    ```
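The cloud procedure above carried through with a verification step, as an added example that is not part of the TIBCO documentation: it issues the lab CA and the om-auth certificate, puts the ingress host into a subjectAltName (TLS clients match the ingress host against the SAN, not the CN), uses a generated serial instead of 0, and checks chain, SAN and key/cert pairing before the secret is created. File names follow the docs (lab-caroot.*, om-auth.*); the function names, the scratch directory and the san.ext helper file are assumptions.

```shell
#!/bin/sh
# Added example, not from the TIBCO documentation: issue the lab CA and the
# om-auth service certificate, then verify them before creating the secret.
# File names follow the docs (lab-caroot.*, om-auth.*); the function names,
# the scratch directory and the san.ext helper file are assumptions.
set -eu

make_lab_certs() {  # $1 = output directory, $2 = ingress host name
  dir=$1; host=$2
  mkdir -p "$dir"
  # Lab root CA, exactly as in the docs
  openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 \
    -subj "/CN=test/O=TIBCO" \
    -keyout "$dir/lab-caroot.key" -out "$dir/lab-caroot.crt" 2>/dev/null
  # Service CSR: no spaces inside -subj, and the host name goes into a SAN
  # because TLS clients match the ingress host against the SAN, not the CN
  openssl req -new -nodes -newkey rsa:2048 -sha256 \
    -subj "/CN=$host/O=auth-svc" -addext "subjectAltName=DNS:$host" \
    -keyout "$dir/om-auth.key" -out "$dir/om-auth.csr" 2>/dev/null
  # Sign with the CA. 'x509 -req' does not copy CSR extensions, so the SAN
  # is supplied again via -extfile; -CAcreateserial replaces -set_serial 0
  # (RFC 5280 requires a positive serial number).
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
  openssl x509 -req -days 365 -sha256 -CA "$dir/lab-caroot.crt" \
    -CAkey "$dir/lab-caroot.key" -CAcreateserial -extfile "$dir/san.ext" \
    -in "$dir/om-auth.csr" -out "$dir/om-auth.crt" 2>/dev/null
}

# Returns 0 only if the cert chains to the lab CA, its SAN lists the ingress
# host, and the private key really belongs to it (the secret needs both).
verify_lab_certs() {  # $1 = directory, $2 = ingress host name
  dir=$1; host=$2
  openssl verify -CAfile "$dir/lab-caroot.crt" "$dir/om-auth.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/om-auth.crt" -noout -ext subjectAltName 2>/dev/null \
    | grep -q "DNS:$host" || return 1
  [ "$(openssl pkey -in "$dir/om-auth.key" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$dir/om-auth.crt" -noout -pubkey 2>/dev/null)" ]
}

# Stand-alone run: build into ./lab-ssl, verify, then create the secret
if [ "${1:-}" = "run" ]; then
  make_lab_certs lab-ssl om-auth.test
  verify_lab_certs lab-ssl om-auth.test && echo "om-auth.test certificate OK"
  kubectl create secret tls tls-om-auth --key=lab-ssl/om-auth.key --cert=lab-ssl/om-auth.crt
fi
```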
Enabling SSL for TIBCO® Order Management
- Procedure
  - Go to the JAVA_17_HOME\bin directory and run the following commands:
    ```shell
    keytool -genkeypair -alias om -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 -keystore om.pkcs12 -storepass tibco123 -ext san=ip:10.xx.xx.xx,dns:10.x.x.x,ip:127.0.0.1
    keytool -export -alias om -file om123.crt -keystore om.pkcs12
    keytool -import -v -trustcacerts -alias om2 -file om123.crt -keystore cacerts.pkcs12 -keypass changeit
    ```
    When prompted, provide the password as 'changeit'.
  - Copy the cacerts.pkcs12 and om.pkcs12 files from the JAVA_HOME\bin directory to the base/1.0 directory and modify the base Dockerfile accordingly. Example: copy om.pkcs12 and cacerts.pkcs12 to the location /home/tibuser/tibco/om/6.1.
  - Copy the cacerts.pkcs12 file into the $OM_HOME/roles/<Service_name>/standalone/config/ directory of each service.
  - Run the copyLib.sh script from the roles directory.
  - Run the copy-required-files.sh script.
  - Modify the Dockerfile of each Order Management service (except the authorization service) so that the entrypoint is as follows:
    ```dockerfile
    ENTRYPOINT ["sh","-c", "/home/tibuser/tibco/om/6.1/configurator/standalone/bin/start.sh -Djavax.net.ssl.trustStore=/home/tibuser/tibco/om/6.1/roles/<service_name>/standalone/config/cacerts.pkcs12 -Djavax.net.ssl.trustStorePassword=changeit --run=FG"]
    ```
  - Create Docker images for all Order Management services.
  - Update the om_services/values.yaml file from the $OM_HOME/helm directory as follows:
    - Add the following properties:
      ```yaml
      server_ssl_key_alias: om
      server_ssl_key_store_password: tibco123
      server_ssl_key_store: /home/tibuser/tibco/om/6.1/om.pkcs12
      configuratorTrustStoreAbsoluteFilePath: /home/tibuser/tibco/om/6.1/cacerts.pkcs12
      configuratorTrustStorePassword: changeit
      configuratorTrustStoreType: pkcs12
      trustStoreFileName: cacerts.pkcs12
      trustStorePassword: changeit
      trustStoreType: pkcs12
      aopdTrustStoreFileName: cacerts.pkcs12
      aopdTrustStorePassword: changeit
      aopdTrustStoreType: pkcs12
      migrationTrustStoreFileName: cacerts.pkcs12
      migrationTrustStorePassword: changeit
      migrationTrustStoreType: pkcs12
      authServiceTrustStoreAbsoluteFilePath: /home/tibuser/tibco/om/6.1/cacerts.pkcs12
      authServiceTrustStorePassword: changeit
      authServiceTrustStoreType: pkcs12
      allowedCorsOrigins: https://authorization-svc.default.svc.cluster.local:9091,https://configurator-svc.default.svc.cluster.local:9090,https://catalog-svc.default.svc.cluster.local:9092,https://aopd-svc.default.svc.cluster.local:9094,https://archival-svc.default.svc.cluster.local:9099,https://dataservice-svc.default.svc.cluster.local:9095,https://jeopardy-svc.default.svc.cluster.local:9102,https://migration-svc.default.svc.cluster.local:9100,https://orchestrator-svc.default.svc.cluster.local:9093,https://pc-svc.default.svc.cluster.local:9089,https://configuratorui-svc.default.svc.cluster.local:9104,https://om-catalog.test,https://om-archival.test,https://om-orchestrator.test,https://om-jeopardy.test,https://om-omsui.test,https://omsui-svc.default.svc.cluster.local:9097
      com_tibco_af_omsui_httpChannelType: https
      authorizationServiceTokenEndPoint: https://authorization-svc.default.svc.cluster.local:9091
      configuratorServiceUrl: https://configurator-svc.default.svc.cluster.local:9090
      pcResourceExecuteRequestURL: https://pc-svc.default.svc.cluster.local:9089/planitem/executionrequest
      pcResourceSuspendRequestURL: https://pc-svc.default.svc.cluster.local:9089/planitem/suspendrequest
      pcResourceActivateRequestURL: https://pc-svc.default.svc.cluster.local:9089/planitem/activaterequest
      pcResourceExtErrorHanlderRequestURL: https://pc-svc.default.svc.cluster.local:9089/planitem/errorhandlerrequest
      feasibleRequestPathRequestURL: https://pc-svc.default.svc.cluster.local:9089/feasibility
      pqfRequestPathRequestURL: https://pc-svc.default.svc.cluster.local:9089/pqf
      pcResourceMileReleaseRequestURL: https://pc-svc.default.svc.cluster.local:9089/planitem/milestonerelease
      archivalGetOrderDetailsURL: https://archival-svc.default.svc.cluster.local:9099/ordersByCriteria
      omServerOrderUrl: https://orchestrator-svc.default.svc.cluster.local:9093/order
      omServerWithdrawOrderPath: https://orchestrator-svc.default.svc.cluster.local:9093/order
      omServerOrderDetailsPath: https://orchestrator-svc.default.svc.cluster.local:9093/order
      orchestratorBaseUrl: https://orchestrator-svc.default.svc.cluster.local:9093
      orchestratorServiceUrl: https://orchestrator-svc.default.svc.cluster.local:9093
      catalogServiceBaseUrl: https://catalog-svc.default.svc.cluster.local:9092
      catalogServiceUrl: https://catalog-svc.default.svc.cluster.local:9092
      archivalServiceUrl: https://archival-svc.default.svc.cluster.local:9099
      jeopardyServiceUrl: https://jeopardy-svc.default.svc.cluster.local:9102
      aopdBaseUrl: https://aopd-svc.default.svc.cluster.local:9094
      migrationURL: https://migration-svc.default.svc.cluster.local:9100/migration/order
      ```
    - Update the scheme for each application to HTTPS. Example, in the configurator application:
      ```yaml
      readinessProbe:
        failureThreshold: 3
        httpGet:
          path: /management/health/readiness
          port: 9090
          scheme: HTTPS
        periodSeconds: 300
        successThreshold: 1
        timeoutSeconds: 3
      livenessProbe:
        failureThreshold: 3
        httpGet:
          path: /management/health/liveness
          port: 9090
          scheme: HTTPS
        periodSeconds: 300
        successThreshold: 1
        timeoutSeconds: 3
      ```
    - Specify the backend protocol as HTTPS for the Ingress in the om_services/templates/om_ingress.yaml file. Example of using the Nginx Ingress:
      ```yaml
      annotations:
        nginx.ingress.kubernetes.io/backend-protocol: https
      ```
  - Create the required users from the authorization service and upload the required metadata, app_properties, and config files per component from the configurator service.
The values.yaml file contains the required properties for starting the authorization service, the configurator service, and the configurator UI services.
Configuring on-premises
- Procedure
  - Go to the JAVA17_HOME\bin directory and run the following commands:
    ```shell
    keytool -genkey -alias om -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 -keystore om.pkcs12 -storepass tibco123 -ext san=ip:10.x.x.x,dns:10.x.x.x,ip:127.0.0.1
    keytool -export -alias om -file om123.crt -keystore om.pkcs12
    keytool -import -v -trustcacerts -alias om2 -file om123.crt -keystore cacerts.pkcs12 -keypass changeit
    ```
    When prompted, provide the password as 'changeit'.
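A consistency check for the keytool step above (and for the identical step in the cloud procedure), added here as example code that is not part of the TIBCO documentation: it confirms that cacerts.pkcs12 trusts exactly the certificate served from om.pkcs12 and that the certificate's SAN covers the IP or DNS name the other services will connect to. The aliases om and om2 and the passwords tibco123 and changeit come from the commands; the function names and arguments are assumptions.

```shell
#!/bin/sh
# Added check, not from the TIBCO documentation: after the keytool commands
# above, confirm that cacerts.pkcs12 trusts the very certificate served from
# om.pkcs12 and that its SAN covers the address the other services will use.
# Aliases (om, om2) and passwords (tibco123, changeit) are the docs' values;
# function names and arguments are assumptions.
set -eu

# SHA-256 fingerprint of one alias, taken from 'keytool -list' output
fingerprint() {  # $1 = store, $2 = store password, $3 = alias
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
    | sed -n 's/.*(SHA-256): *//p'
}

# Returns 0 when the keystore entry 'om' and the truststore entry 'om2' are
# the same certificate and the keystore cert's SAN contains $2.
check_stores() {  # $1 = directory holding both stores, $2 = expected IP or DNS name
  dir=$1; san=$2
  ks=$(fingerprint "$dir/om.pkcs12" tibco123 om)
  ts=$(fingerprint "$dir/cacerts.pkcs12" changeit om2)
  [ -n "$ks" ] && [ "$ks" = "$ts" ] || return 1
  # -v prints SubjectAlternativeName with IPAddress:/DNSName: entries
  keytool -list -v -keystore "$dir/om.pkcs12" -storepass tibco123 -alias om 2>/dev/null \
    | grep -qF -- "$san" || return 1
}

# Stand-alone run: sh check_stores.sh run <dir> <ip-or-dns>
if [ "${1:-}" = "run" ]; then
  check_stores "$2" "$3" && echo "keystore/truststore consistent, SAN covers $3"
fi
```

A mismatch here (for example a regenerated om.pkcs12 with a stale cacerts.pkcs12) is what later surfaces as PKIX path-building errors when the services call each other.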
  - Copy the cacerts.pkcs12 and om.pkcs12 files from the <JAVA_HOME>/bin directory to a location (such as /home/OM_610/tibco/om/6.1/ssl) where your Order Management installation is present on the virtual machine.
  - For the authorization service, modify the following properties in the application.properties file present inside the config directory:
    ```properties
    server.ssl.key-alias=om
    server.ssl.key-store-password=tibco123
    server.ssl.key-store=/home/OM_610/tibco/om/6.1/ssl/om.pkcs12
    #Allowed Cross Origin Resources
    allowedCorsOrigins=https://10.x.x.x:9091,https://10.x.x.x:9090,https://10.x.x.x:9092,https://10.x.x.x:9094,https://10.x.x.x:9099,https://10.x.x.x:9095,https://10.x.x.x:9102,https://10.x.x.x:9100,https://10.x.x.x:9093,https://10.x.x.x:9089,https://10.x.x.x:9104,https://10.x.x.x:8090,https://10.x.x.x:8093,https://10.x.x.x:8090
    ```
  - Run the following command to start the authorization service:
    ```shell
    ./start.sh -Djavax.net.ssl.trustStore=/home/OM_610/tibco/om/6.1/ssl/cacerts.pkcs12 -Djavax.net.ssl.trustStorePassword=changeit
    ```
  - Create the required users. For more information, see Create User.
  - Add the following properties for the configurator service:
    ```properties
    server.ssl.key-alias=om
    server.ssl.key-store-password=tibco123
    server.ssl.key-store=/home/OM_610/tibco/om/6.1/ssl/om.pkcs12
    ```
  - Start the configurator service by running the following command:
    ```shell
    ./start.sh -Djavax.net.ssl.trustStore=/home/OM_610/tibco/om/6.1/ssl/cacerts.pkcs12 -Djavax.net.ssl.trustStorePassword=changeit
    ```
  - Modify the app_properties file from the $OM_HOME/seed-data/app-properties directory for the following properties (these are also the minimum configuration required from users):
    - For the AOPD service, under 'Orchestrator Configuration':
      ```properties
      orchestratorBaseUrl = https://10.x.x.x:9093
      trustStoreFileName = cacerts.pkcs12
      trustStorePassword = changeit
      trustStoreType = pkcs12
      ```
    - For the Archival service:
      - Under 'Archival Engine Configurations':
        ```properties
        allowedCorsOrigins = https://10.x.x.x:9097
        ```
      - Under 'Orchestrator Configuration':
        ```properties
        orchestratorBaseUrl = https://10.x.x.x:9093
        trustStoreFileName = cacerts.pkcs12
        trustStorePassword = changeit
        trustStoreType = pkcs12
        ```
    - For the Catalog service, under 'Catalog Engine Configuration':
      ```properties
      allowedCorsOrigins=https://10.x.x.x:9097
      ```
    - For Common Configuration, under 'Authorization Server Configuration Properties Used for Swagger UI':
      ```properties
      authorizationServiceTokenEndPoint = https://10.x.x.x:9091
      ```
    - For the Data service, there are no changes.
    - For the Jeopardy service:
      - Under 'Catalog Service Configuration':
        ```properties
        catalogServiceBaseUrl = https://10.x.x.x:9092
        catalogServiceTrustStoreFileName = cacerts.pkcs12
        catalogServiceTrustStorePassword = changeit
        catalogServiceTrustStoreType = pkcs12
        ```
      - Under 'Jeopardy General Configuration':
        ```properties
        allowedCorsOrigins = https://10.x.x.x:9097
        ```
      - Under 'Orchestrator Service Configuration':
        ```properties
        orchestratorBaseUrl = https://10.x.x.x:9093
        orchestratorTrustStoreFileName = cacerts.pkcs12
        orchestratorTrustStorePassword = changeit
        orchestratorTrustStoreType = pkcs12
        ```
    - For the Migration service, there are no changes.
    - For the Order Management System UI service, under 'OMS UI Engine Configuration':
      ```properties
      archivalServiceBaseUrl = https://10.x.x.x:9099
      catalogServiceBaseUrl = https://10.x.x.x:9092
      jeopardyBaseUrl = https://10.x.x.x:9102
      orchestratorBaseUrl = https://10.x.x.x:9093
      ```
    - For the Orchestrator service, under 'Orchestrator Functional Configuration':
      ```properties
      allowedCorsOrigins=https://10.x.x.x:9097
      ```
    - For the tmfAdapter service, under 'Orchestrator Service Configuration':
      ```properties
      omServerOrderDetailsPath = https://10.x.x.x:9093/order
      omServerOrderUrl = https://10.x.x.x:9093/order
      omServerWithdrawOrderPath = https://10.x.x.x:9093/order
      ```
    - For the Broker service, under 'Catalog Client Configuration':
      ```properties
      catalogTrustStoreFileName = cacerts.pkcs12
      catalogTrustStorePassword = changeit
      catalogTrustStoreType = pkcs12
      catalogServiceBaseUrl = https://10.x.x.x:9092
      ```
  - Modify the application_metadata.json property file. For each "applicationId", add "cacerts.pkcs12" and "om.pkcs12" (the file names created in step 1) under "configurationFiles".
  - Upload the metadata through the Configurator Swagger.
  - Upload the "om.pkcs12" and "cacerts.pkcs12" files for each service through the Configurator API along with the other configuration files. See the 'Upload Configuration File for Application ID' section in the TIBCO® Order Management Web Services Guide.
  - Copy "cacerts.pkcs12" to the $OM_HOME/roles/<configurator/configurator-ui/authorization-service>/standalone/config directory.
  - For configurator-ui and the rest of the Order Management services, update the application.properties file as follows:
    ```properties
    server.ssl.key-alias=om
    server.ssl.key-store-password=tibco123
    server.ssl.key-store=/home/OM_610/tibco/om/6.1/ssl/om.pkcs12
    configuratorTrustStoreAbsoluteFilePath=cacerts.pkcs12
    configuratorTrustStorePassword=changeit
    configuratorTrustStoreType=pkcs12
    authServiceTrustStoreAbsoluteFilePath=cacerts.pkcs12
    authServiceTrustStorePassword=changeit
    authServiceTrustStoreType=pkcs12
    ```
  - Start all services by running the following command from the <service-name>/bin directory:
    ```shell
    ./start.sh -Djavax.net.ssl.trustStore=/home/OM_610/tibco/om/6.1/ssl/cacerts.pkcs12 -Djavax.net.ssl.trustStorePassword=changeit
    ```