Configuring On Premise SSL for TIBCO Order Management

    Procedure
  1. Go to the JAVA_11_HOME/bin directory and run the following command. Replace 10.x.x.x with the IP address on which the services are reached; every hostname or IP address that clients use to connect must be listed in the SAN extension, otherwise TLS hostname verification fails:
    keytool -genkey -alias om -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 -keystore om.pkcs12 -storepass tibco123 -ext san=ip:10.x.x.x,dns:localhost,ip:127.0.0.1
    What is your first and last name?
    [Unknown]: om-auth.test
    What is the name of your organizational unit?
    [Unknown]: tibco
    What is the name of your organization?
    [Unknown]: tibco
    What is the name of your City or Locality?
    [Unknown]: Pune
    What is the name of your State or Province?
    [Unknown]: Maharashtra
    What is the two-letter country code for this unit?
    [Unknown]: IN
    Is CN=om-auth.test, OU=tibco, O=tibco, L=Pune, ST=Maharashtra, C=IN
    correct?
    [no]: Yes
    keytool -export -alias om -file om123.crt -keystore om.pkcs12
    keytool -import -v -trustcacerts -alias om2 -file om123.crt -keystore cacerts.pkcs12 -storepass changeit

    The export command prompts for the om.pkcs12 keystore password (tibco123). The import command creates the cacerts.pkcs12 truststore with the password changeit (a trusted-certificate entry has no private key, so the relevant option is -storepass, not -keypass) and asks whether to trust the certificate; answer yes. Because the certificate is self-signed, this import is what makes the services trust it.

  2. Copy cacerts.pkcs12 and om.pkcs12 from the <JAVA_HOME>/bin directory (where the commands were run) to a location under your Order Management installation on the VM, such as /home/OM_510HF8/tibco/om/5.1/ssl. om.pkcs12 contains the private key, so restrict its file permissions to the account that runs the services.
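    The same keystore and truststore build, done non-interactively and followed by a verification pass, as an added example that is not part of the TIBCO documentation. It assumes a target directory (OM_SSL_DIR, defaulting to ./ssl rather than the installation path above), a placeholder host IP (10.0.0.10 in place of 10.x.x.x), and the page's passwords as overridable defaults; the distinguished name is the one typed at the prompts in step 1.

```shell
#!/bin/sh
# Added example (not part of the TIBCO documentation): build om.pkcs12 and
# cacerts.pkcs12 without interactive prompts, then verify the result.
# Assumptions: OM_SSL_DIR, HOST_IP, CN and the two passwords are placeholders
# taken from the environment; the defaults mirror the page's values.
set -eu

OM_SSL_DIR="${OM_SSL_DIR:-$PWD/ssl}"        # page uses /home/OM_510HF8/tibco/om/5.1/ssl
HOST_IP="${HOST_IP:-10.0.0.10}"             # page shows 10.x.x.x
CN="${CN:-om-auth.test}"
KEYSTORE_PASS="${KEYSTORE_PASS:-tibco123}"  # change in production
TRUSTSTORE_PASS="${TRUSTSTORE_PASS:-changeit}"

# Build the SAN extension value keytool expects, e.g. san=ip:10.0.0.10,dns:localhost,ip:127.0.0.1
san_ext() {
  printf 'san=ip:%s,dns:localhost,ip:127.0.0.1' "$1"
}

# Build the X.500 distinguished name that step 1 collects through prompts.
dname() {
  printf 'CN=%s,OU=tibco,O=tibco,L=Pune,ST=Maharashtra,C=IN' "$1"
}

build_stores() {
  mkdir -p "$OM_SSL_DIR"
  cd "$OM_SSL_DIR"
  # 1. Self-signed 2048-bit RSA key pair, SHA-256 signature, SAN covering the host IP and localhost.
  keytool -genkeypair -alias om -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -validity 365 -keystore om.pkcs12 -storetype PKCS12 \
    -storepass "$KEYSTORE_PASS" -keypass "$KEYSTORE_PASS" \
    -dname "$(dname "$CN")" -ext "$(san_ext "$HOST_IP")"
  # 2. Export the certificate (public part only).
  keytool -exportcert -alias om -file om123.crt -keystore om.pkcs12 -storepass "$KEYSTORE_PASS"
  # 3. Import it as a trust anchor. A trusted-certificate entry has no private key,
  #    so -storepass is the password that matters; -noprompt answers "yes" to the trust question.
  keytool -importcert -noprompt -alias om2 -file om123.crt -keystore cacerts.pkcs12 \
    -storetype PKCS12 -storepass "$TRUSTSTORE_PASS"
  chmod 600 om.pkcs12      # private key: owner only
  chmod 644 cacerts.pkcs12 # public certificates only
}

verify_stores() {
  cd "$OM_SSL_DIR"
  # The keystore must hold a PrivateKeyEntry and the truststore a trustedCertEntry.
  keytool -list -keystore om.pkcs12 -storepass "$KEYSTORE_PASS" | grep -q 'om, .*PrivateKeyEntry'
  keytool -list -keystore cacerts.pkcs12 -storepass "$TRUSTSTORE_PASS" | grep -q 'om2, .*trustedCertEntry'
  # The SAN must contain the IP the services are reached on, or clients fail hostname verification.
  keytool -list -v -keystore om.pkcs12 -storepass "$KEYSTORE_PASS" | grep -q "IPAddress: $HOST_IP"
  echo "keystore and truststore in $OM_SSL_DIR verified"
}

if command -v keytool >/dev/null 2>&1; then
  build_stores
  verify_stores
else
  echo "keytool not found on PATH; add JAVA_11_HOME/bin first" >&2
fi
```

    Run it as `OM_SSL_DIR=/home/OM_510HF8/tibco/om/5.1/ssl HOST_IP=<your ip> sh build_om_ssl.sh`; the verification step is the check to repeat after any certificate renewal, since a keystore that lists the wrong SAN is accepted by keytool but rejected by every TLS client.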

  3. For the authorization service and the Configurator, modify the application.properties file in the config directory and set the following properties:
    server.ssl.key-alias=om
    server.ssl.key-store-password=tibco123
    server.ssl.key-store=/home/OM_510HF8/tibco/om/5.1/ssl/om.pkcs12
    Note: TIBCO Order Management supports passwords in text format and also in encrypted format as shown in the following example:

    server.ssl.key-alias=om
    server.ssl.key-store-password=ENC(cfMrxokzKTm3zJJLpDW7Jg==)
    server.ssl.key-store=/home/OM_510HF8/tibco/om/5.1/ssl/om.pkcs12


    For password encryption, use the EncryptPWDUtility from the $OM_HOME/samples directory.
  4. Run the ./start.sh script to start the authorization service and configurator.

  5. Create the required users in the authorization service. For more information, see "Create User" section in the TIBCO® Order Management Administration.

  6. For the configurator UI, modify the application.properties file present inside the config directory for the following properties and run the ./start.sh script to start the configurator UI:

    server.ssl.key-alias=om
    server.ssl.key-store-password=tibco123
    server.ssl.key-store=/home/OM_510HF8/tibco/om/5.1/ssl/om.pkcs12

    configuratorTrustStoreAbsoluteFilePath=/home/OM_510HF8/tibco/om/5.1/ssl/cacerts.pkcs12
    configuratorTrustStorePassword=changeit
    configuratorTrustStoreType=pkcs12
    Note: TIBCO Order Management supports passwords in text format and also in encrypted format as shown in the following example:

    server.ssl.key-alias=om
    server.ssl.key-store-password=ENC(cfMrxokzKTm3zJJLpDW7Jg==)
    server.ssl.key-store=/home/OM_510HF8/tibco/om/5.1/ssl/om.pkcs12


    configuratorTrustStoreAbsoluteFilePath=/home/OM_510HF8/tibco/om/5.1/ssl/cacerts.pkcs12
    configuratorTrustStorePassword=ENC(Eae+k4PPZW0C8AfVsmzCag==)
    configuratorTrustStoreType=pkcs12


    For password encryption, use the EncryptPWDUtility from the $OM_HOME/samples directory.
  7. For all the other services, modify the application.properties file present inside the config directory for the following properties and run the ./start.sh script to start the services:

    server.ssl.key-alias=om
    server.ssl.key-store-password=tibco123
    server.ssl.key-store=/home/OM_510HF8/tibco/om/5.1/ssl/om.pkcs12
    
    configuratorTrustStoreAbsoluteFilePath=/home/OM_510HF8/tibco/om/5.1/ssl/cacerts.pkcs12
    configuratorTrustStorePassword=changeit
    configuratorTrustStoreType=pkcs12

    javax.net.ssl.trustStore=/home/OM_510HF8/tibco/om/5.1/ssl/cacerts.pkcs12
    javax.net.ssl.trustStorePassword=changeit
    Note: TIBCO Order Management supports passwords in text format and also in encrypted format as shown in the following example:

    server.ssl.key-alias=om
    server.ssl.key-store-password=ENC(cfMrxokzKTm3zJJLpDW7Jg==)
    server.ssl.key-store=/home/OM_510HF8/tibco/om/5.1/ssl/om.pkcs12


    configuratorTrustStoreAbsoluteFilePath=/home/OM_510HF8/tibco/om/5.1/ssl/cacerts.pkcs12
    configuratorTrustStorePassword=ENC(Eae+k4PPZW0C8AfVsmzCag==)
    configuratorTrustStoreType=pkcs12


    javax.net.ssl.trustStore=/home/OM_510HF8/tibco/om/5.1/ssl/cacerts.pkcs12
    javax.net.ssl.trustStorePassword=ENC(Eae+k4PPZW0C8AfVsmzCag==)


    For password encryption, use the EncryptPWDUtility from the $OM_HOME/samples directory.

    Change configuratorServiceUrl and authorizationServiceTokenEndPoint from "http://*.*" to "https://*.*" wherever they appear; a service that still calls an http:// endpoint bypasses the TLS configured above.

  8. Modify the app_properties file in the $OM_HOME/seed-data/app-properties directory and set the following properties (these are also part of the minimum configuration required from users):
    1. For AOPD service:
      • Under 'Orchestrator Configuration':

        "propName": "orchestratorBaseUrl" = "propValue": "https://localhost:9093"

      • Under 'AOPD Inventory Integration Configurations':

        "propName": "com.tibco.fom.oms.afi.aopd.merge.inventory.url" = "propValue": "https://localhost:8080/fsi-server/soapapi/v1/service"

    2. For Archival service, under 'Orchestrator Configuration':
      "propName": "orderArchivalserviceUrl" = "propValue": "https://localhost:9093/v1/order/archival"
      "propName": "orderOrchAmendOrderUrl" = "propValue": "https://localhost:9093/v1/amend"
      "propName": "orderOrchSuspendOrderUrl" = "propValue": "https://localhost:9093/v1/order/suspend"
      "propName": "orderOrchActivateOrderUrl" = "propValue": "https://localhost:9093/v1/order/activate"
      "propName": "orderOrchCancelOrderUrl" = "propValue": "https://localhost:9093/v1/order/cancel"
      "propName": "orderOrchWithdrawOrderUrl" = "propValue": "https://localhost:9093/v1/order"
      "propName": "orderOrchBulkActionUrl" = "propValue": "https://localhost:9093/v1/orders/bulkaction"
      "propName": "orderOrchPlanPreviewUrl" = "propValue": "https://localhost:9093/v1/planPreview"
      "propName": "orderPurgeOrderUrl" = "propValue": "https://localhost:9093/v1/order/purgeOrder"
      "propName": "orderErrorHandlerreplyUrl" = "propValue": "https://localhost:9093/v1/planitem/errorHandlerreply"
      "propName": "orderBulkErrorHandlerreplyUrl" = "propValue": "https://localhost:9093/v1/planitem/bulkErrorHandlerreply"
      "propName": "orderDetailsUrl" = "propValue": "https://localhost:9093/v1/order"
      "propName": "orderExecutionPlanUrl" = "propValue": "https://localhost:9093/v1/order/plan"
      "propName": "orderScxmlUrl" = "propValue": "https://localhost:9093/v1/order/scxml"
    3. For Catalog service, there are no changes.
    4. For Common service:
      • Under 'Authorization Server Configuration Properties Used for Swagger UI' category:

        "propName": "authorizationServiceTokenEndPoint" = "propValue": "https://localhost:9091/oauth/token"

      • Under 'Resource and Service Level Metrics' category:

        "propName": "management.metrics.export.elastic.host" = "propValue": "https://localhost:9200"

    5. For Data service, there are no changes.
    6. For Jeopardy service, there are no changes.
    7. For OMSUI service, under 'OMS UI Engine Configuration' category:
      "propName": "com.tibco.af.omsui.httpChannelType" = "propValue": "https"
    8. For Orch service,
      • under 'Aopd Configurations':
        "propName": "aopdBaseUrl" = "propValue": "https://localhost:9094"
      • under 'categoryName: Process-Component Configurations':
        "propName": "pcResourceExecuteRequestURL" = "propValue": "https://localhost:9089/v1/planitem/executionrequest"
        "propName": "pcResourceSuspendRequestURL" = "propValue": "https://localhost:9089/v1/planitem/suspendrequest"
        "propName": "pcResourceActivateRequestURL" = "propValue": "https://localhost:9089/v1/planitem/activaterequest"
        "propName": "pcResourceExtErrorHanlderRequestURL" = "propValue": "https://localhost:9089/v1/planitem/errorhandlerrequest"
        "propName": "feasibleRequestPathRequestURL" = "propValue": "https://localhost:9089/v1/feasibility"
        "propName": "pqfRequestPathRequestURL" = "propValue": "https://localhost:9089/v1/pqf"
        "propName": "pcResourceMileReleaseRequestURL" = "propValue": "https://localhost:9089/v1/planitem/milestonerelease"
        "propName": "pcResourceOpdErrorHandlerRequestURL" = "propValue": "https://localhost:9089/v1/plan/opdErrorHandlerRequest"
      • under 'Category Archival Service Configurations':
        "propName": "archivalGetOrderDetailsURL" = "propValue": "https://localhost:9099/v1/ordersByCriteria"
      • under 'Category Migration Service Configurations':
        "propName": "migrationURL" = "propValue": "https://localhost:9100/v1/migration/order"
      • under 'Category OPE Configuration':
        "propName": "opeOfferValidationSecureURL" = "propValue": "https://localhost:8181/opes/api/v1/offers/validate"
        "propName": "opeOfferValidationNonSecureURL" = "propValue": "https://localhost:9090/opes/api/v1/offers/validate"
        "propName": "opeGetAuthTokenURL" = "propValue": "https://localhost:8181/login"
    9. For TMF-OM-Adapter service, under 'Category Orchestrator Service Configuration':
      "propName": "omServerOrderUrl" = "propValue": "https://localhost:9093/v1/order"
      "propName": "omServerWithdrawOrderPath" = "propValue": "https://localhost:9093/v1/order"
      "propName": "omServerOrderDetailsPath" = "propValue": "https://localhost:9093/v1/order"
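    A check to run after steps 3 to 8, as an added example that is not part of the TIBCO documentation: it scans an edited application.properties and the app_properties seed file for the two things this procedure most often leaves behind, endpoints still on http:// and store passwords stored in clear text rather than as ENC(...). The key-name patterns (keys ending in Url, URL, EndPoint, host or Path; keys containing password) are assumptions drawn from the property names listed above, and the sample input in the usage note is constructed.

```shell
#!/bin/sh
# Added example (not part of the TIBCO documentation): audit the edited
# application.properties and app_properties files for http:// endpoints and
# clear-text store passwords. Key-name patterns are assumptions based on the
# property names this procedure touches.

# Property lines whose key ends in Url/URL/EndPoint/host/Path and whose value still starts with http://
find_plain_http_props() {
  # usage: find_plain_http_props <application.properties>
  grep -nE '^[[:space:]]*[A-Za-z0-9_.-]*(Url|URL|EndPoint|host|Path)[[:space:]]*=[[:space:]]*http://' "$1" || true
}

# Password properties whose value is not wrapped in ENC(...), i.e. stored in clear text
find_plaintext_passwords() {
  # usage: find_plaintext_passwords <application.properties>
  grep -niE '^[[:space:]]*[A-Za-z0-9_.-]*password[[:space:]]*=' "$1" | grep -vE '=[[:space:]]*ENC\(' || true
}

# app_properties is JSON: remember the last "propName" seen and report it when its
# "propValue" is an http:// URL (both keys on one line, as on this page, or on separate lines)
find_plain_http_json() {
  # usage: find_plain_http_json <app_properties>
  awk '
    /"propName"/ {
      line = $0
      sub(/.*"propName"[[:space:]]*:[[:space:]]*"/, "", line)
      sub(/".*/, "", line)
      name = line
    }
    /"propValue"[[:space:]]*:[[:space:]]*"http:\/\// {
      if (tolower(name) ~ /(url|host|path)$/) print FILENAME ":" FNR ": " name " still uses http://"
    }
  ' "$1"
}

# usage: audit <application.properties> [app_properties]; exit status 1 when anything was found
audit() {
  rc=0
  findings=$(find_plain_http_props "$1"; find_plaintext_passwords "$1")
  if [ -n "$findings" ]; then
    printf '%s: plaintext endpoints or passwords\n%s\n' "$1" "$findings"
    rc=1
  fi
  if [ $# -ge 2 ]; then
    findings=$(find_plain_http_json "$2")
    if [ -n "$findings" ]; then
      printf '%s\n' "$findings"
      rc=1
    fi
  fi
  return $rc
}

# Run against the files named on the command line, for example
#   sh audit_ssl_config.sh <service>/config/application.properties $OM_HOME/seed-data/app-properties/app_properties
if [ $# -gt 0 ]; then
  audit "$@"
  exit $?
fi
```

    Run it once per service config directory; a non-zero exit status means at least one endpoint or password needs attention, so it can gate a start.sh wrapper or a deployment pipeline. Note that ENC(...) only keeps the value out of casual reads of the file; the file permissions on the config directory still matter.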