Ensuring TIBCO Offer and Price Engine Security
To ensure security within and among the components of TIBCO Offer and Price Engine, the following security provisions are available.
- Authorization Service: See the 'Authorization Service' section in the TIBCO® Offer and Price Engine User Guide.
Configuring SSL for TIBCO Offer and Price Engine
SSL can be configured for TIBCO Offer and Price Engine both on cloud and on-premise.
Configuring on Cloud
The following section is added for testing purposes and is not recommended for the production environment. Currently, the ingress is configured with SSL only for the authorization service backend.
Procedure
- To create a root certificate, run the following command:
```sh
openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -subj "/CN=test/O=TIBCO" -keyout lab-caroot.key -out lab-caroot.crt
```
- To create a CSR for the service certificate, run the following command:
```sh
openssl req -out ope-auth.csr -newkey rsa:2048 -nodes -keyout ope-auth.key -subj "/CN=ope-auth.test/O=auth-svc organization"
```
- To sign the certificate with the root CA, run the following command:
```sh
openssl x509 -req -days 365 -CA lab-caroot.crt -CAkey lab-caroot.key -set_serial 0 -in ope-auth.csr -out ope-auth.crt
```
- To create the Kubernetes TLS secret, run the following command:
```sh
kubectl create secret tls tls-ope-auth --key=ope-auth.key --cert=ope-auth.crt
```
- Add the secret to the auth ingress YAML file:
```yaml
tls:
  - hosts:
      - ope-auth.test        # This should match a DNS name in the Certificate
    secretName: tls-ope-auth # This should match the Certificate secretName
```
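The following script is an added example, not part of the TIBCO documentation: it runs the three openssl steps above in a scratch directory and then checks what the ingress and a browser will check, namely that ope-auth.crt chains to lab-caroot.crt, that it names ope-auth.test in its subjectAltName, and that ope-auth.key matches the certificate (kubectl create secret tls rejects a mismatched pair). The scratch directory and the function names are assumptions; the two places where it deviates from the page's commands are marked in comments.

```shell
#!/bin/sh
# Added example (not from the TIBCO documentation): build and verify the
# lab CA and the ope-auth service certificate from the procedure above.
WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption)
HOST="ope-auth.test"           # hostname served by the auth ingress

build_chain() (
  set -e
  cd "$WORK"
  # Step 1: self-signed root CA, as on the page.
  openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 \
    -subj "/CN=test/O=TIBCO" -keyout lab-caroot.key -out lab-caroot.crt 2>/dev/null
  # Step 2: key and CSR for the service, as on the page.
  openssl req -newkey rsa:2048 -nodes -sha256 -keyout ope-auth.key -out ope-auth.csr \
    -subj "/CN=$HOST/O=auth-svc organization" 2>/dev/null
  # Step 3: sign with the root CA. Deviations from the page: a subjectAltName
  # is added because clients match the hostname against the SAN, not the CN,
  # and -CAcreateserial replaces -set_serial 0 so that every leaf signed by
  # this CA gets a distinct serial number.
  printf 'subjectAltName=DNS:%s\n' "$HOST" > san.ext
  openssl x509 -req -days 365 -sha256 -CA lab-caroot.crt -CAkey lab-caroot.key \
    -CAcreateserial -in ope-auth.csr -out ope-auth.crt -extfile san.ext 2>/dev/null
)

# The leaf must validate against the lab CA (what the TLS client checks).
verify_chain() {
  openssl verify -CAfile "$WORK/lab-caroot.crt" "$WORK/ope-auth.crt" >/dev/null 2>&1
}

# The served hostname must appear in the certificate's SAN list.
verify_san() {
  openssl x509 -in "$WORK/ope-auth.crt" -noout -ext subjectAltName 2>/dev/null \
    | grep -q "DNS:$HOST"
}

# The private key must correspond to the certificate's public key.
verify_keypair() {
  k=$(openssl pkey -in "$WORK/ope-auth.key" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$WORK/ope-auth.crt" -noout -pubkey 2>/dev/null | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Exit status 0 only when the material is ready for the kubectl TLS secret.
check_all() {
  build_chain && verify_chain && verify_san && verify_keypair
}
```

Run `check_all` before the kubectl step; a non-zero exit means one of the three checks failed.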
Enabling SSL for TIBCO Offer and Price Engine
Procedure
- Go to the JAVA_11_HOME\bin directory and run the following commands:
```sh
C:\jdk11\bin>keytool -genkey -alias ope -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 -keystore ope.pkcs12 -storepass tibco123 -ext san=dns:configurator-svc.default.svc.cluster.local,dns:authorization-svc.default.svc.cluster.local,dns:ope-svc.default.svc.cluster.local,dns:localhost,dns:orchestrator-svc.default.svc.cluster.local,dns:aopd-svc.default.svc.cluster.local,dns:archival-svc.default.svc.cluster.local,dns:pc-svc.default.svc.cluster.local,dns:jeopardy-svc.default.svc.cluster.local
What is your first and last name?
  [Unknown]: ope-auth.test
What is the name of your organizational unit?
  [Unknown]: tibco
What is the name of your organization?
  [Unknown]: tibco
What is the name of your City or Locality?
  [Unknown]: Pune
What is the name of your State or Province?
  [Unknown]: Maharashtra
What is the two-letter country code for this unit?
  [Unknown]: IN
Is CN=ope-auth.test, OU=tibco, O=tibco, L=Pune, ST=Maharashtra, C=IN correct?
  [no]: Yes

C:\jdk11\bin>keytool -export -alias ope -file ope123.crt -keystore ope.pkcs12

C:\jdk11\bin>keytool -import -v -trustcacerts -alias ope2 -file ope123.crt -keystore cacerts.pkcs12 -keypass changeit
```
When prompted, provide the password as 'changeit'.
- Copy the cacerts.pkcs12 and ope.pkcs12 files from the JAVA_HOME\bin directory to the base/1.0 directory and modify the base dockerfile accordingly. Example: copy ope.pkcs12 and cacerts.pkcs12 to the location /home/tibuser/tibco/ope/6.0.
- Copy the cacerts.pkcs12 file into the $OPE_HOME/roles/<Service_name>/standalone/config/ directory of each service.
- Run the copyLib.sh script from the roles directory.
- Run the copy-required-files.sh script.
- Modify the dockerfile of each TIBCO OPE service (except the authorization service) so that the entrypoint passes the truststore to start.sh, as follows:
```dockerfile
ENTRYPOINT ["sh","-c", "/home/tibuser/tibco/ope/6.0/configurator/standalone/bin/start.sh -Djavax.net.ssl.trustStore=/home/tibuser/tibco/ope/6.0/cacerts.pkcs12 -Djavax.net.ssl.trustStorePassword=changeit --run=FG"]
```
- Create Docker images for all TIBCO OPE services.
- Now, update the ope_services/values.yaml file in the $OPE_HOME/helm directory as follows:
  - Add the following properties:
```yaml
server_ssl_key_alias: ope
server_ssl_key_store_password: tibco123
server_ssl_key_store: /home/tibuser/tibco/ope/6.0/ope.pkcs12
configuratorTrustStoreAbsoluteFilePath: /home/tibuser/tibco/ope/6.0/cacerts.pkcs12
configuratorTrustStorePassword: changeit
configuratorTrustStoreType: pkcs12
configuratorServiceUrl: https://configurator-svc.default.svc.cluster.local:9090
authorizationServiceTokenEndPoint: https://authorization-svc.default.svc.cluster.local:9091
ope_url: https://ope-svc.default.svc.cluster.local:8090
dataStoreUrl: https://redatastore-svc.default.svc.cluster.local:8094
shoppingcart_url: https://shoppingcart-svc.default.svc.cluster.local:8091
catalogServiceBaseUrl: https://catalog-svc.default.svc.cluster.local:9092
catalogServiceUrl: https://catalog-svc.default.svc.cluster.local:9092
```
  - Update the scheme of the readiness and liveness probes of each application to HTTPS. Example for the configurator application:
```yaml
readinessProbe:
  failureThreshold: 3
  httpGet:
    path: /management/health/readiness
    port: 9090
    scheme: HTTPS
  periodSeconds: 300
  successThreshold: 1
  timeoutSeconds: 3
livenessProbe:
  failureThreshold: 3
  httpGet:
    path: /management/health/liveness
    port: 9090
    scheme: HTTPS
  periodSeconds: 300
  successThreshold: 1
  timeoutSeconds: 3
```
  - Add the following properties:
  - Specify the backend protocol as HTTPS for the Ingress in the ope_services/templates/ope_ingress.yaml file. Example using the Nginx Ingress:
```yaml
annotations:
  nginx.ingress.kubernetes.io/backend-protocol: https
```
- Create the required users from the authorization service and upload the required metadata, app_properties, and config files for each component from the configurator service.
The values.yaml file contains the required properties for starting the authorization service, configurator service, and configurator UI services.
Configuring On-premise
Procedure
- Go to the JAVA_11_HOME\bin directory and run the following commands:
```sh
keytool -genkey -alias ope -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 -keystore ope.pkcs12 -storepass tibco123 -ext san=ip:10.x.x.x,dns:localhost,ip:127.0.0.1
keytool -export -alias ope -file ope123.crt -keystore ope.pkcs12
keytool -import -v -trustcacerts -alias ope2 -file ope123.crt -keystore cacerts.pkcs12 -keypass changeit
```
When prompted, provide the password as 'changeit'.
- Copy the cacerts.pkcs12 and ope.pkcs12 files from the <JAVA_HOME>/bin directory to a location (such as /home/OPE_600/tibco/ope/6.0/ssl) where your TIBCO OPE installation is present on the VM.
- Copy cacerts.pkcs12 into the $OPE_HOME/roles/<Service_name>/standalone/config/ directory of each service.
- For the authorization service, modify the application.properties file present inside the config directory for the following properties:
```properties
server.ssl.key-alias=ope
server.ssl.key-store-password=tibco123
server.ssl.key-store=/home/OPE_600/tibco/ope/6.0/ssl/ope.pkcs12
#Allowed Cross Origin Resources
allowedCorsOrigins=https://10.x.x.x:9091,https://10.x.x.x:9090,https://10.x.x.x:9092,https://10.x.x.x:9094,https://10.x.x.x:9099,https://10.x.x.x:9095,https://10.x.x.x:9102,https://10.x.x.x:9100,https://10.x.x.x:9093,https://10.x.x.x:9089,https://10.x.x.x:9104,https://10.x.x.x:8090,https://10.x.x.x:8093,https://10.x.x.x:8090
```
- Run the ./start.sh script to start the authorization service.
- Create the required users. For more information, see the 'Create User' topic in the TIBCO® Offer and Price Engine User Guide.
- Add the following properties for the configurator service:
```properties
server.ssl.key-alias=ope
server.ssl.key-store-password=tibco123
server.ssl.key-store=/home/OPE_600/tibco/ope/6.0/ssl/ope.pkcs12
```
- Start the configurator service by running the following command:
```sh
./start.sh -Djavax.net.ssl.trustStore=/home/OPE_600/tibco/ope/6.0/ssl/cacerts.pkcs12 -Djavax.net.ssl.trustStorePassword=changeit
```
- Modify the app_properties file from the $OPE_HOME/seed-data/app-properties directory for the following properties (these are also the minimum configurations required from users):
  - For the Catalog service, there are no changes.
  - For Common Configuration, under 'Authorization Server Configuration Properties Used for Swagger UI':
    authorizationServiceTokenEndPoint = https://10.x.x.x:9091
  - For the Recommendation Engine Api service, under 'Data Store configuration':
    dataStoreUrl: https://localhost:8094/data-store
  - For Recommendation Engine Core, under 'Recommendation Engine Core Initial':
    catalogServiceUrl: https://localhost:9092
    dataStoreUrl: https://localhost:8094
  - For Recommendation Engine Data Mapper, under 'Recommendation Engine':
    dataStoreUrl: https://localhost:8094
  - For Shopping Cart, under 'Shopping Cart Initial Configuration':
    ope.url https://localhost:8090
- Upload the metadata, app-properties, and config files from the Swagger UI. See the 'Upload Configuration File for Application ID' section in the TIBCO® Offer and Price Engine Web Services Guide.
- For configurator-ui and the rest of the TIBCO OPE services, update the application.properties file as follows:
```properties
server.ssl.key-alias=ope
server.ssl.key-store-password=tibco123
server.ssl.key-store=/home/OPE_600/tibco/ope/6.0/ssl/ope.pkcs12
configuratorTrustStoreAbsoluteFilePath=/home/OPE_600/tibco/ope/6.0/ssl/cacerts.pkcs12
configuratorTrustStorePassword=changeit
configuratorTrustStoreType=pkcs12
```
- Start all services by running the following command from the <service-name>/bin directory:
```sh
./start.sh -Djavax.net.ssl.trustStore=/home/OPE_600/tibco/ope/6.0/ssl/cacerts.pkcs12 -Djavax.net.ssl.trustStorePassword=changeit
```
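The following script is an added check, not part of the TIBCO documentation, that applies to both the Kubernetes procedure under 'Enabling SSL for TIBCO Offer and Price Engine' and the on-premise procedure above: it lists every host that the services will contact over https in values.yaml or application.properties but that the keytool SAN list does not name. A JVM client using cacerts.pkcs12 still rejects such a connection, because the default hostname verifier matches the host against the certificate's SAN entries. The SAN strings and configuration fragments are copied from this page; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the TIBCO documentation): compare the keytool
# SAN list with the https hosts the services are configured to call.

# Print each dns:/ip: entry of a keytool "san=..." argument, one per line.
san_hosts() {
  printf '%s\n' "$1" | sed 's/^san=//' | tr ',' '\n' | sed -n -e 's/^dns://p' -e 's/^ip://p'
}

# Print the distinct hosts of every https:// URL in a configuration
# fragment, including comma-separated lists such as allowedCorsOrigins.
url_hosts() {
  printf '%s\n' "$1" | grep -o 'https://[^:/, ]*' | sed 's#^https://##' | sort -u
}

# Print the https hosts that a certificate with SAN "$1" would not cover
# for the configuration "$2"; prints nothing when every host is covered.
missing_san() {
  san=$(san_hosts "$1")
  url_hosts "$2" | while read -r h; do
    printf '%s\n' "$san" | grep -Fqx "$h" || printf '%s\n' "$h"
  done
}

# Kubernetes: SAN of the keytool -genkey command and the https URLs added
# to ope_services/values.yaml (constructed copies of this page's values).
K8S_SAN='san=dns:configurator-svc.default.svc.cluster.local,dns:authorization-svc.default.svc.cluster.local,dns:ope-svc.default.svc.cluster.local,dns:localhost,dns:orchestrator-svc.default.svc.cluster.local,dns:aopd-svc.default.svc.cluster.local,dns:archival-svc.default.svc.cluster.local,dns:pc-svc.default.svc.cluster.local,dns:jeopardy-svc.default.svc.cluster.local'
K8S_VALUES='configuratorServiceUrl: https://configurator-svc.default.svc.cluster.local:9090
authorizationServiceTokenEndPoint: https://authorization-svc.default.svc.cluster.local:9091
ope_url: https://ope-svc.default.svc.cluster.local:8090
dataStoreUrl: https://redatastore-svc.default.svc.cluster.local:8094
shoppingcart_url: https://shoppingcart-svc.default.svc.cluster.local:8091
catalogServiceBaseUrl: https://catalog-svc.default.svc.cluster.local:9092
catalogServiceUrl: https://catalog-svc.default.svc.cluster.local:9092'

# On-premise: the IP-based SAN and a few of the https properties above
# (10.x.x.x kept as the page's placeholder; constructed copies).
ONPREM_SAN='san=ip:10.x.x.x,dns:localhost,ip:127.0.0.1'
ONPREM_PROPS='allowedCorsOrigins=https://10.x.x.x:9091,https://10.x.x.x:9090,https://10.x.x.x:8090
authorizationServiceTokenEndPoint = https://10.x.x.x:9091
dataStoreUrl: https://localhost:8094/data-store'
```

Run against the values copied from this page, `missing_san "$K8S_SAN" "$K8S_VALUES"` reports catalog-svc, redatastore-svc and shoppingcart-svc, which the keytool SAN list under 'Enabling SSL' does not name, so those hosts have to be added to the san= argument before ope.pkcs12 is generated; `missing_san "$ONPREM_SAN" "$ONPREM_PROPS"` prints nothing.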
Encrypt Password Utility
- In the $OPE_HOME/samples/EncryptPWDUtility/standalone/bin directory, run startEncryption.sh (for Linux) or startEncryption.ps1 (for Windows).