Configuring SSL for TIBCO® Order Management

SSL for TIBCO® Order Management can be configured for both cloud and on-premises deployments.

Configuring on the Cloud

The following procedure is intended for testing and is not recommended for a production environment. Currently, the ingress is configured with SSL only for the authorization service as a backend.

    Procedure
  1. To create a root certificate, run the following command:
     openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -subj "/CN=test/O=TIBCO" -keyout lab-caroot.key -out lab-caroot.crt
  2. To create a CSR for a service certificate, run the following command:
     openssl req -out om-auth.csr -newkey rsa:2048 -nodes -keyout om-auth.key -subj "/CN=om-auth.test/O=auth-svc organization"
  3. To sign the certificate with the root CA, run the following command:
     openssl x509 -req -days 365 -CA lab-caroot.crt -CAkey lab-caroot.key -set_serial 0 -in om-auth.csr -out om-auth.crt
  4. To create the Kubernetes secret, run the following command:
     kubectl create secret tls tls-om-auth --key=om-auth.key --cert=om-auth.crt
  5. Add the secret to the auth ingress YAML file:
     ```yaml
     tls:
     - hosts:
       - om-auth.test # This should match a DNS name in the Certificate
       secretName: tls-om-auth # This should match the Certificate secretName
     ```
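
The five steps above, run end to end as a script followed by the checks an operator should make before the files go into the secret. This is an added example, not code from the TIBCO documentation; it assumes openssl on PATH and writes to a scratch directory. It goes one step beyond the page by adding a subjectAltName for om-auth.test, because TLS clients match the ingress host against the SAN rather than the CN.

```shell
#!/bin/sh
# Added example (not from the TIBCO documentation): the cloud procedure run
# end to end in a scratch directory, plus checks on the result.
# Assumes openssl on PATH.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

# Step 1: self-signed root CA with the subject used on the page.
openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 \
  -subj "/CN=test/O=TIBCO" -keyout lab-caroot.key -out lab-caroot.crt 2>/dev/null

# Step 2: CSR for the service certificate (subject as on the page).
openssl req -out om-auth.csr -newkey rsa:2048 -nodes -keyout om-auth.key \
  -subj "/CN=om-auth.test/O=auth-svc organization" 2>/dev/null

# Step 3: sign with the root CA. Addition over the page: a subjectAltName,
# because clients match the ingress host against the SAN, not the CN.
# "openssl x509 -req" does not copy CSR extensions, so it comes via -extfile.
printf 'subjectAltName=DNS:om-auth.test\n' > san.ext
openssl x509 -req -days 365 -CA lab-caroot.crt -CAkey lab-caroot.key \
  -set_serial 0 -in om-auth.csr -out om-auth.crt -extfile san.ext 2>/dev/null

# verify_chain: the service certificate must validate against lab-caroot.crt,
# which is exactly what a client that trusts the lab root will check.
verify_chain() {
  openssl verify -CAfile lab-caroot.crt om-auth.crt >/dev/null
}

# has_san HOST: the name in the ingress "hosts" list must appear as a DNS SAN.
has_san() {
  openssl x509 -in om-auth.crt -noout -text | grep -q "DNS:$1"
}

verify_chain
has_san om-auth.test
echo "om-auth.crt chains to lab-caroot.crt and carries DNS:om-auth.test"

# Step 4 is then the page's kubectl command (needs a cluster, so not run here):
#   kubectl create secret tls tls-om-auth --key=om-auth.key --cert=om-auth.crt
```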

Enabling SSL for TIBCO® Order Management

    Procedure
  1. Go to the JAVA_17_HOME\bin directory and run the following commands:
     keytool -genkeypair -alias om -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 -keystore om.pkcs12 -storepass tibco123 -ext san=ip:10.xx.xx.xx,dns:10.x.x.x,ip:127.0.0.1
     keytool -export -alias om -file om123.crt -keystore om.pkcs12
     keytool -import -v -trustcacerts -alias om2 -file om123.crt -keystore cacerts.pkcs12 -keypass changeit

     When the import command prompts for the cacerts.pkcs12 keystore password, enter 'changeit'.

  2. Copy the cacerts.pkcs12 and om.pkcs12 files from the JAVA_HOME\bin directory to the base/1.0 directory and modify the base Dockerfile accordingly.
     Example: copy om.pkcs12 and cacerts.pkcs12 to the location /home/tibuser/tibco/om/6.1
  3. Copy the cacerts.pkcs12 file into the $OM_HOME/roles/<Service_name>/standalone/config/ directory of each service.

  4. Run the copyLib.sh script from the roles directory.

  5. Run the copy-required-files.sh script.

  6. Modify the Dockerfile of each Order Management service (except the authorization service) so that the entrypoint reads as follows:
     ENTRYPOINT ["sh","-c", "/home/tibuser/tibco/om/6.1/configurator/standalone/bin/start.sh -Djavax.net.ssl.trustStore=/home/tibuser/tibco/om/6.1/roles/<service_name>/standalone/config/cacerts.pkcs12 -Djavax.net.ssl.trustStorePassword=changeit --run=FG"]
  7. Create Docker images for all Order Management services.

  8. Now, update the om_services/values.yaml file from the $OM_HOME/helm directory as follows:
     1. Add the following properties:
        server_ssl_key_alias: om
        server_ssl_key_store_password: tibco123
        server_ssl_key_store: /home/tibuser/tibco/om/6.1/om.pkcs12
        configuratorTrustStoreAbsoluteFilePath: /home/tibuser/tibco/om/6.1/cacerts.pkcs12
        configuratorTrustStorePassword: changeit
        configuratorTrustStoreType: pkcs12
        trustStoreFileName: cacerts.pkcs12
        trustStorePassword: changeit
        trustStoreType: pkcs12
        aopdTrustStoreFileName: cacerts.pkcs12
        aopdTrustStorePassword: changeit
        aopdTrustStoreType: pkcs12
        migrationTrustStoreFileName: cacerts.pkcs12
        migrationTrustStorePassword: changeit
        migrationTrustStoreType: pkcs12
        authServiceTrustStoreAbsoluteFilePath: /home/tibuser/tibco/om/6.1/cacerts.pkcs12
        authServiceTrustStorePassword: changeit
        authServiceTrustStoreType: pkcs12
        allowedCorsOrigins: https://authorization-svc.default.svc.cluster.local:9091,https://configurator-svc.default.svc.cluster.local:9090,https://catalog-svc.default.svc.cluster.local:9092,https://aopd-svc.default.svc.cluster.local:9094,https://archival-svc.default.svc.cluster.local:9099,https://dataservice-svc.default.svc.cluster.local:9095,https://jeopardy-svc.default.svc.cluster.local:9102,https://migration-svc.default.svc.cluster.local:9100,https://orchestrator-svc.default.svc.cluster.local:9093,https://pc-svc.default.svc.cluster.local:9089,https://configuratorui-svc.default.svc.cluster.local:9104,https://om-catalog.test,https://om-archival.test,https://om-orchestrator.test,https://om-jeopardy.test,https://om-omsui.test,https://omsui-svc.default.svc.cluster.local:9097
        com_tibco_af_omsui_httpChannelType: https
        authorizationServiceTokenEndPoint: https://authorization-svc.default.svc.cluster.local:9091
        configuratorServiceUrl: https://configurator-svc.default.svc.cluster.local:9090
        pcResourceExecuteRequestURL: https://pc-svc.default.svc.cluster.local:9089/planitem/executionrequest
        pcResourceSuspendRequestURL: https://pc-svc.default.svc.cluster.local:9089/planitem/suspendrequest
        pcResourceActivateRequestURL: https://pc-svc.default.svc.cluster.local:9089/planitem/activaterequest
        pcResourceExtErrorHanlderRequestURL: https://pc-svc.default.svc.cluster.local:9089/planitem/errorhandlerrequest
        feasibleRequestPathRequestURL: https://pc-svc.default.svc.cluster.local:9089/feasibility
        pqfRequestPathRequestURL: https://pc-svc.default.svc.cluster.local:9089/pqf
        pcResourceMileReleaseRequestURL: https://pc-svc.default.svc.cluster.local:9089/planitem/milestonerelease
        archivalGetOrderDetailsURL: https://archival-svc.default.svc.cluster.local:9099/ordersByCriteria
        omServerOrderUrl: https://orchestrator-svc.default.svc.cluster.local:9093/order
        omServerWithdrawOrderPath: https://orchestrator-svc.default.svc.cluster.local:9093/order
        omServerOrderDetailsPath: https://orchestrator-svc.default.svc.cluster.local:9093/order
        orchestratorBaseUrl: https://orchestrator-svc.default.svc.cluster.local:9093
        orchestratorServiceUrl: https://orchestrator-svc.default.svc.cluster.local:9093
        catalogServiceBaseUrl: https://catalog-svc.default.svc.cluster.local:9092
        catalogServiceUrl: https://catalog-svc.default.svc.cluster.local:9092
        archivalServiceUrl: https://archival-svc.default.svc.cluster.local:9099
        jeopardyServiceUrl: https://jeopardy-svc.default.svc.cluster.local:9102
        aopdBaseUrl: https://aopd-svc.default.svc.cluster.local:9094
        migrationURL: https://migration-svc.default.svc.cluster.local:9100/migration/order
     2. Update the scheme for each application to HTTPS.

        Example: In the configurator application:
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /management/health/readiness
            port: 9090
            scheme: HTTPS
          periodSeconds: 300
          successThreshold: 1
          timeoutSeconds: 3
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /management/health/liveness
            port: 9090
            scheme: HTTPS
          periodSeconds: 300
          successThreshold: 1
          timeoutSeconds: 3
  9. Specify the backend protocol as HTTPS for the Ingress in the om_services/templates/om_ingress.yaml file.

     Example of using the Nginx Ingress:
     annotations:
       nginx.ingress.kubernetes.io/backend-protocol: https

  10. Create the required users from the authorization service and upload the required metadata, app_properties, and config files as per components from the configurator service.

    The values.yaml file contains the required properties for starting authorization service, configurator service, and configurator UI services.

Configuring on-premises

    Procedure
  1. Go to the JAVA17_HOME\bin directory and run the following commands:
     keytool -genkey -alias om -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 -keystore om.pkcs12 -storepass tibco123 -ext san=ip:10.x.x.x,dns:10.x.x.x,ip:127.0.0.1
     keytool -export -alias om -file om123.crt -keystore om.pkcs12
     keytool -import -v -trustcacerts -alias om2 -file om123.crt -keystore cacerts.pkcs12 -keypass changeit

     When the import command prompts for the cacerts.pkcs12 keystore password, enter 'changeit'.

  2. Copy the cacerts.pkcs12 and om.pkcs12 files from the <JAVA_HOME>/bin directory to a location (such as /home/OM_610/tibco/om/6.1/ssl) within your Order Management installation on the virtual machine.

  3. For the authorization service, modify the application.properties file present inside the config directory for the following properties:
     server.ssl.key-alias=om
     server.ssl.key-store-password=tibco123
     server.ssl.key-store=/home/OM_610/tibco/om/6.1/ssl/om.pkcs12
     #Allowed Cross Origin Resources
     allowedCorsOrigins=https://10.x.x.x:9091,https://10.x.x.x:9090,https://10.x.x.x:9092,https://10.x.x.x:9094,https://10.x.x.x:9099,https://10.x.x.x:9095,https://10.x.x.x:9102,https://10.x.x.x:9100,https://10.x.x.x:9093,https://10.x.x.x:9089,https://10.x.x.x:9104,https://10.x.x.x:8090,https://10.x.x.x:8093,https://10.x.x.x:8090
  4. Run the following command to start the authorization service:

     ./start.sh -Djavax.net.ssl.trustStore=/home/OM_610/tibco/om/6.1/ssl/cacerts.pkcs12 -Djavax.net.ssl.trustStorePassword=changeit
  5. Create the required users. For more information, see Create User.

  6. Add the following properties for the configurator service:
    server.ssl.key-alias=om
    server.ssl.key-store-password=tibco123
    server.ssl.key-store=/home/OM_610/tibco/om/6.1/ssl/om.pkcs12
  7. Start the configurator service by running the following command:
     ./start.sh -Djavax.net.ssl.trustStore=/home/OM_610/tibco/om/6.1/ssl/cacerts.pkcs12 -Djavax.net.ssl.trustStorePassword=changeit
  8. Modify the app_properties file from the $OM_HOME/seed-data/app-properties directory for the following properties (these are also the minimum configurations that users must set):
    1. For AOPD service, under 'Orchestrator Configuration':
      orchestratorBaseUrl = https://10.x.x.x:9093
      trustStoreFileName = cacerts.pkcs12
      trustStorePassword = changeit
      trustStoreType = pkcs12
      
    2. For Archival service,
      • Under 'Archival Engine Configurations':
        allowedCorsOrigins = https://10.x.x.x:9097
        
      • Under 'Orchestrator Configuration':
        orchestratorBaseUrl = https://10.x.x.x:9093
        trustStoreFileName = cacerts.pkcs12
        trustStorePassword = changeit
        trustStoreType = pkcs12 
        
    3. For Catalog service,
      • Under 'Catalog Engine Configuration':
        allowedCorsOrigins=https://10.x.x.x:9097
        
    4. For Common Configuration, under 'Authorization Server Configuration Properties Used for Swagger UI':
      authorizationServiceTokenEndPoint = https://10.x.x.x:9091
      
    5. For the Data service, there are no changes.
    6. For Jeopardy service,
      • Under 'Catalog Service Configuration':
        catalogServiceBaseUrl = https://10.x.x.x:9092
        catalogServiceTrustStoreFileName = cacerts.pkcs12
        catalogServiceTrustStorePassword = changeit
        catalogServiceTrustStoreType = pkcs12
        
      • Under 'Jeopardy General Configuration':
        allowedCorsOrigins = https://10.x.x.x:9097
        
      • Under 'Orchestrator Service Configuration':
        orchestratorBaseUrl = https://10.x.x.x:9093
        orchestratorTrustStoreFileName = cacerts.pkcs12
        orchestratorTrustStorePassword = changeit
        orchestratorTrustStoreType = pkcs12 
        
    7. For the Migration service, there are no changes.
    8. For Order Management System UI Service, under 'OMS UI Engine Configuration':
      archivalServiceBaseUrl = https://10.x.x.x:9099
      catalogServiceBaseUrl = https://10.x.x.x:9092
      jeopardyBaseUrl = https://10.x.x.x:9102
      orchestratorBaseUrl= https://10.x.x.x:9093
      
    9. For Orchestrator service,
      • Under 'Orchestrator Functional Configuration':
        allowedCorsOrigins=https://10.x.x.x:9097
        
    10. For tmfAdapter Service, under 'Orchestrator Service Configuration':
      omServerOrderDetailsPath = https://10.x.x.x:9093/order
      omServerOrderUrl = https://10.x.x.x:9093/order
      omServerWithdrawOrderPath = https://10.x.x.x:9093/order 
      
    11. For Broker Service, under 'Catalog Client Configuration':
      catalogTrustStoreFileName = cacerts.pkcs12
      catalogTrustStorePassword = changeit
      catalogTrustStoreType = pkcs12
      catalogServiceBaseUrl = https://10.x.x.x:9092
  9. Modify the application_metadata.json property file. For each "applicationId", add "cacerts.pkcs12" and "om.pkcs12" (file names as per the ones created in step 1), under the "configurationFiles".

  10. Upload the metadata through the Configurator Swagger.

  11. Upload the "om.pkcs12" and "cacerts.pkcs12" files for each service through the Configurator API along with the other Configuration files. See 'Upload Configuration File for Application ID' section in the TIBCO® Order Management Web Services Guide.

  12. Copy "cacerts.pkcs12" to $OM_HOME/roles/<configurator/configurator-ui/authorization-service>/standalone/config directory.

  13. For configurator-ui and the rest of the Order Management services, update the application.properties file as follows:
     server.ssl.key-alias=om
     server.ssl.key-store-password=tibco123
     server.ssl.key-store=/home/OM_610/tibco/om/6.1/ssl/om.pkcs12
     configuratorTrustStoreAbsoluteFilePath=cacerts.pkcs12
     configuratorTrustStorePassword=changeit
     configuratorTrustStoreType=pkcs12
     authServiceTrustStoreAbsoluteFilePath=cacerts.pkcs12
     authServiceTrustStorePassword=changeit
     authServiceTrustStoreType=pkcs12
  14. Start all services by running the following command from the <service-name>/bin directory:
     ./start.sh -Djavax.net.ssl.trustStore=/home/OM_610/tibco/om/6.1/ssl/cacerts.pkcs12 -Djavax.net.ssl.trustStorePassword=changeit