Ensuring TIBCO Offer and Price Engine Security     

The following provisions secure communication within and among the components of TIBCO Offer and Price Engine.

Configuring SSL for TIBCO Offer and Price Engine

SSL can be configured for TIBCO Offer and Price Engine in both cloud and on-premise deployments.

Configuring on Cloud

The following procedure is intended for testing only and is not recommended for a production environment: it uses a self-created root CA with an unencrypted key instead of certificates issued by a trusted CA. Currently, the ingress is configured with SSL only for the authorization service as a backend.

    Procedure
  1. To create a root certificate, run the following command:
     openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -subj "/CN=test/O=TIBCO" -keyout lab-caroot.key -out lab-caroot.crt
     The -nodes option leaves the CA private key unencrypted on disk, which is acceptable only for a throwaway test CA.
  2. To create a CSR for the service certificate, run the following command:
     openssl req -out ope-auth.csr -newkey rsa:2048 -nodes -keyout ope-auth.key -subj "/CN=ope-auth.test/O=auth-svc organization"
     The subject must be written without spaces around '/' and '='. The CN is the ingress host name (ope-auth.test). TLS clients match the host name against the subjectAltName extension rather than the CN, so for anything other than this test add a SAN when signing in step 3.
  3. To sign the certificate with the root CA, run the following command:
     openssl x509 -req -days 365 -CA lab-caroot.crt -CAkey lab-caroot.key -set_serial 0 -in ope-auth.csr -out ope-auth.crt
     -set_serial 0 is tolerable for a single test certificate only: RFC 5280 requires a positive serial number, and a CA must never issue two certificates with the same serial, so use -CAcreateserial (random serial) otherwise. To add the SAN from step 2, pass an extension file with -extfile (for example a file containing subjectAltName=DNS:ope-auth.test); openssl x509 -req does not copy extensions from the CSR by default.
  4. To create the K8s secret, run the following command:
     kubectl create secret tls tls-ope-auth --key=ope-auth.key --cert=ope-auth.crt
  5. Add the secret to the auth ingress yaml file:
     ```yaml
     tls:
     - hosts:
       - ope-auth.test # This should match a DNS name in the Certificate
       secretName: tls-ope-auth # This should match the Certificate secretName
     ```
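The script below is an added example, not part of the TIBCO documentation or product: it reproduces steps 1 to 4 of the procedure above with the fixes a practitioner would apply (a subjectAltName on the service certificate, a random serial instead of 0, an explicit CA:TRUE on the root) and then checks the result before it is turned into a secret. It assumes OpenSSL 1.1.1 or later and, for create_ingress_secret only, kubectl with a working context. The file names and the host name ope-auth.test are the page's; the directory argument, the extension values and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not TIBCO tooling: lab CA + ingress certificate for the procedure
# above, plus the checks the procedure leaves out. Assumes OpenSSL 1.1.1+ and, for
# create_ingress_secret only, kubectl. File names and the host ope-auth.test come
# from the page; the directory layout and function names are illustrative.
set -eu

# Root CA in $1. The key stays unencrypted (-nodes) only because this is a
# throwaway test CA, as the page says; a production CA key is never kept this way.
make_lab_ca() {
    dir=$1
    mkdir -p "$dir"
    # Own config so the root carries CA:TRUE and cert-signing key usage whatever
    # the installed openssl.cnf says; an empty [dn] section is enough with -subj.
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = ca_ext' '[dn]' \
        '[ca_ext]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' 'subjectKeyIdentifier = hash' > "$dir/ca.cnf"
    openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -config "$dir/ca.cnf" \
        -subj "/CN=test/O=TIBCO" -keyout "$dir/lab-caroot.key" -out "$dir/lab-caroot.crt" 2>/dev/null
}

# Server certificate for host $2, signed by the lab root. Two changes against the
# page: the host goes into subjectAltName (TLS clients ignore the CN), added at
# signing time because 'openssl x509 -req' does not copy CSR extensions by default,
# and the serial is random (-CAcreateserial) instead of -set_serial 0.
issue_server_cert() {
    dir=$1; host=$2
    openssl req -new -nodes -newkey rsa:2048 -sha256 -config "$dir/ca.cnf" \
        -subj "/CN=$host/O=auth-svc organization" \
        -keyout "$dir/ope-auth.key" -out "$dir/ope-auth.csr" 2>/dev/null
    printf '%s\n' "subjectAltName = DNS:$host" 'basicConstraints = CA:FALSE' \
        'keyUsage = critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage = serverAuth' 'authorityKeyIdentifier = keyid,issuer' > "$dir/ope-auth.ext"
    openssl x509 -req -days 365 -sha256 -CA "$dir/lab-caroot.crt" -CAkey "$dir/lab-caroot.key" \
        -CAcreateserial -extfile "$dir/ope-auth.ext" \
        -in "$dir/ope-auth.csr" -out "$dir/ope-auth.crt" 2>/dev/null
}

# What to confirm before the certificate goes into the secret: it chains to the
# lab root, it names the ingress host in its SAN, and its serial is not zero.
verify_server_cert() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/lab-caroot.crt" "$dir/ope-auth.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/ope-auth.crt" -noout -text | grep -qF "DNS:$host" || return 1
    serial=$(openssl x509 -in "$dir/ope-auth.crt" -noout -serial | cut -d= -f2)
    [ "$serial" != "00" ] && [ "$serial" != "0" ]
}

# Step 4 of the procedure, written to a manifest first so the secret can be
# reviewed before it is applied. Not exercised here (needs kubectl).
create_ingress_secret() {
    dir=$1
    kubectl create secret tls tls-ope-auth --key="$dir/ope-auth.key" --cert="$dir/ope-auth.crt" \
        --dry-run=client -o yaml > "$dir/tls-ope-auth.yaml"
    kubectl apply -f "$dir/tls-ope-auth.yaml"
}

# sh lab-ca.sh --run [dir] [host]
if [ "${1:-}" = "--run" ]; then
    make_lab_ca "${2:-./lab-ca}"
    issue_server_cert "${2:-./lab-ca}" "${3:-ope-auth.test}"
    verify_server_cert "${2:-./lab-ca}" "${3:-ope-auth.test}" && echo "certificate verified against lab root"
fi
```

Running the script with --run produces the same lab-caroot.* and ope-auth.* files the procedure uses, so the kubectl and ingress steps are unchanged; only the certificate content differs.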

Enabling SSL for TIBCO Offer and Price Engine

    Procedure
  1. Go to the JAVA_11_HOME\bin directory and run the following commands:
    C:\jdk11\bin>keytool -genkey -alias ope -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 -keystore ope.pkcs12 -storepass tibco123 -ext san=dns:configurator-svc.default.svc.cluster.local,dns:authorization-svc.default.svc.cluster.local,dns:ope-svc.default.svc.cluster.local,dns:localhost,dns:orchestrator-svc.default.svc.cluster.local,dns:aopd-svc.default.svc.cluster.local,dns:archival-svc.default.svc.cluster.local,dns:pc-svc.default.svc.cluster.local,dns:jeopardy-svc.default.svc.cluster.local
    What is your first and last name?
      [Unknown]:  ope-auth.test
    What is the name of your organizational unit?
      [Unknown]:  tibco
    What is the name of your organization?
      [Unknown]:  tibco
    What is the name of your City or Locality?
      [Unknown]:  Pune
    What is the name of your State or Province?
      [Unknown]:  Maharashtra
    What is the two-letter country code for this unit?
      [Unknown]:  IN
    Is CN=ope-auth.test, OU=tibco, O=tibco, L=Pune, ST=Maharashtra, C=IN correct?
      [no]:  Yes
      
      
    C:\jdk11\bin>keytool -export -alias ope -file ope123.crt -keystore ope.pkcs12

    C:\jdk11\bin>keytool -import -v -trustcacerts -alias ope2 -file ope123.crt -keystore cacerts.pkcs12 -keypass changeit

    When prompted for the keystore password, enter 'changeit'. This creates a new trust store, cacerts.pkcs12, that trusts the self-signed ope certificate directly. Note that 'changeit' is the well-known default password of the JDK trust store; use a different one outside test environments.

  2. Copy the cacerts.pkcs12 and ope.pkcs12 files from the JAVA_HOME\bin directory to the base/1.0 directory and modify the base Dockerfile to copy them into the image.
    Example: copy ope.pkcs12 and cacerts.pkcs12 to /home/tibuser/tibco/ope/6.0 in the image.
    This bakes the private key into every image built from the base, and its password is written in clear text in values.yaml (step 8); outside a test environment, mount both stores and their passwords from a Kubernetes Secret rather than building them into the image.
  3. Copy the cacerts.pkcs12 file inside the $OPE_HOME/roles/<Service_name>/standalone/config/ directory of each service.

  4. Run the copyLib.sh script from the roles directory.

  5. Run the copy-required-files.sh script.

  6. Modify the Dockerfile of each TIBCO OPE service (except the authorization service) so that the entrypoint points the JVM at the trust store, for example for the configurator:
    ENTRYPOINT ["sh","-c", "/home/tibuser/tibco/ope/6.0/configurator/standalone/bin/start.sh -Djavax.net.ssl.trustStore=/home/tibuser/tibco/ope/6.0/cacerts.pkcs12 -Djavax.net.ssl.trustStorePassword=changeit --run=FG"]
  7. Create Docker images for all TIBCO OPE services.

  8. Now, update the ope_services/values.yaml file from the $OPE_HOME/helm directory as follows:
    1. Add the following properties:
       server_ssl_key_alias: ope
       server_ssl_key_store_password: tibco123
       server_ssl_key_store: /home/tibuser/tibco/ope/6.0/ope.pkcs12
       configuratorTrustStoreAbsoluteFilePath: /home/tibuser/tibco/ope/6.0/cacerts.pkcs12
       configuratorTrustStorePassword: changeit
       configuratorTrustStoreType: pkcs12
       configuratorServiceUrl: https://configurator-svc.default.svc.cluster.local:9090
       authorizationServiceTokenEndPoint: https://authorization-svc.default.svc.cluster.local:9091
       ope_url: https://ope-svc.default.svc.cluster.local:8090
       dataStoreUrl: https://redatastore-svc.default.svc.cluster.local:8094
       shoppingcart_url: https://shoppingcart-svc.default.svc.cluster.local:8091
        authorizationServiceTokenEndPoint: https://authorization-svc.default.svc.cluster.local:9091
        configuratorServiceUrl: https://configurator-svc.default.svc.cluster.local:9090
        catalogServiceBaseUrl: https://catalog-svc.default.svc.cluster.local:9092
        catalogServiceUrl: https://catalog-svc.default.svc.cluster.local:9092
      
      
    2. Update the scheme for each application to HTTPS.
      Example: In the configurator application-
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /management/health/readiness
            port: 9090
            scheme: HTTPS
          periodSeconds: 300
          successThreshold: 1
          timeoutSeconds: 3
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /management/health/liveness
            port: 9090
            scheme: HTTPS
          periodSeconds: 300
          successThreshold: 1
          timeoutSeconds: 3
  9. Specify the backend protocol as HTTPS for the Ingress in the ope_services/templates/ope_ingress.yaml file; otherwise the ingress controller keeps sending plain HTTP to service ports that now expect TLS.
    Example of using the Nginx Ingress:
    annotations:
      nginx.ingress.kubernetes.io/backend-protocol: https
    
  10. Create the required users in the authorization service, then upload the metadata, app_properties, and config files for each component through the configurator service.
    The values.yaml file contains the properties required to start the authorization service, the configurator service, and the configurator UI service.

Configuring On-premise

    Procedure
  1. Go to the JAVA_11_HOME\bin directory and run the following commands:
    keytool -genkey -alias ope -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 -keystore ope.pkcs12 -storepass tibco123 -ext san=ip:10.x.x.x,dns:localhost,ip:127.0.0.1
    keytool -export -alias ope -file ope123.crt -keystore ope.pkcs12
    keytool -import -v -trustcacerts -alias ope2 -file ope123.crt -keystore cacerts.pkcs12  -keypass changeit

    When prompted, provide the password as 'changeit'.

  2. Copy the cacerts.pkcs12 and ope.pkcs12 files from the <JAVA_HOME>/bin directory to a location under your TIBCO OPE installation on the VM (such as /home/OPE_600/tibco/ope/6.0/ssl).

  3. Copy cacerts.pkcs12 inside the $OPE_HOME/roles/<Service_name>/standalone/config/ directory of each service.
  4. For the authorization service, modify the application.properties file present inside the config directory for the following properties (allowedCorsOrigins is a single line; every origin must now use the https scheme, otherwise browsers block the cross-origin calls):
    server.ssl.key-alias=ope
    server.ssl.key-store-password=tibco123
    server.ssl.key-store=/home/OPE_600/tibco/ope/6.0/ssl/ope.pkcs12
    #Allowed Cross Origin Resources
    allowedCorsOrigins=https://10.x.x.x:9091,https://10.x.x.x:9090,https://10.x.x.x:9092,https://10.x.x.x:9094,https://10.x.x.x:9099,https://10.x.x.x:9095,https://10.x.x.x:9102,https://10.x.x.x:9100,https://10.x.x.x:9093,https://10.x.x.x:9089,https://10.x.x.x:9104,https://10.x.x.x:8090,https://10.x.x.x:8093,https://10.x.x.x:8090
  5. Run the ./start.sh script to start the authorization service.

  6. Create the required users. For more information, see 'Create User' topic in the TIBCO® Offer and Price Engine User Guide.

  7. Add the following properties for the configurator service:
    server.ssl.key-alias=ope
    server.ssl.key-store-password=tibco123
    server.ssl.key-store=/home/OPE_600/tibco/ope/6.0/ssl/ope.pkcs12
  8. Start configurator service by running the following command:
    ./start.sh  -Djavax.net.ssl.trustStore=/home/OPE_600/tibco/ope/6.0/ssl/cacerts.pkcs12 -Djavax.net.ssl.trustStorePassword=changeit
    
  9. Modify the app_properties file from the $OPE_HOME/seed-data/app-properties directory for the following properties (the minimum configuration changes required):
    1. For Catalog service, there are no changes.
    2. For Common Configuration, under 'Authorization Server Configuration Properties Used for Swagger UI':
      authorizationServiceTokenEndPoint = https://10.x.x.x:9091
      
    3. For Recommendation Engine Api service, under 'Data Store configuration':
      dataStoreUrl: https://localhost:8094/data-store
    4. For Recommendation Engine Core under 'Recommendation Engine Core Initial':
      catalogServiceUrl: https://localhost:9092
      dataStoreUrl: https://localhost:8094
      
    5. For Recommendation Engine Data Mapper under 'Recommendation Engine':
      dataStoreUrl: https://localhost:8094
    6. For Shopping Cart under 'Shopping Cart Initial Configuration':
      ope.url: https://localhost:8090
  10. Upload the metadata, app-properties, and config files from the Swagger UI. See 'Upload Configuration File for Application ID' section in the TIBCO® Offer and Price Engine Web Services Guide.

  11. For configurator-ui and the rest of the TIBCO OPE services, update the application.properties file as follows:
    server.ssl.key-alias=ope
    server.ssl.key-store-password=tibco123
    server.ssl.key-store=/home/OPE_600/tibco/ope/6.0/ssl/ope.pkcs12
    configuratorTrustStoreAbsoluteFilePath=/home/OPE_600/tibco/ope/6.0/ssl/cacerts.pkcs12
    configuratorTrustStorePassword=changeit
    configuratorTrustStoreType=pkcs12
    
  12. Start all services by running the following command from the <service-name>/bin directory:
    ./start.sh -Djavax.net.ssl.trustStore=/home/OPE_600/tibco/ope/6.0/ssl/cacerts.pkcs12 -Djavax.net.ssl.trustStorePassword=changeit
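Both keytool procedures on this page (cloud step 1 and on-premise step 1) end with an ope.pkcs12 key store and a cacerts.pkcs12 trust store that every service is started with. The following checks are an added example, not part of TIBCO OPE, and need only openssl: they confirm that the certificate's SAN covers every name the services are reached by, that the trust store really anchors the key store's certificate (the self-signed certificate itself in this page's setup), that the trust store is not still protected by the well-known 'changeit' password, and, once a service is up, that its TLS endpoint verifies against that trust store. Store names, aliases and passwords are the page's; the function names and the assumption that JDK 11 keytool writes RC2-40/3DES-protected PKCS12 bags, which OpenSSL 3 reads only with -legacy (legacy provider installed), are mine.

```shell
#!/bin/sh
# Added example, not part of TIBCO OPE: checks on the ope.pkcs12 / cacerts.pkcs12
# pair produced by the keytool steps on this page, using openssl only. Store
# names, aliases and passwords are the page's; everything else is an assumption.
# Stores written by JDK 11 keytool use RC2-40/3DES bag encryption, which
# OpenSSL 3 only reads with -legacy, so every read is retried with that flag.
set -eu

# Certificates of a PKCS12 store as PEM on stdout; extra arguments go to openssl
# (e.g. -clcerts selects the certificate that belongs to the private key).
p12_certs() {
    store=$1; pass=$2; shift 2
    openssl pkcs12 -in "$store" -nokeys -passin "pass:$pass" "$@" 2>/dev/null \
        || openssl pkcs12 -legacy -in "$store" -nokeys -passin "pass:$pass" "$@" 2>/dev/null
}

# Every name the services are reached by must be in the certificate's SAN, since
# Java, like browsers, ignores the CN. Names are given as DNS:... or IP:...
# Usage: san_covers ope.pkcs12 tibco123 DNS:localhost DNS:ope-svc.default.svc.cluster.local
san_covers() {
    store=$1; pass=$2; shift 2
    san=$(p12_certs "$store" "$pass" -clcerts | openssl x509 -noout -text \
          | grep -A1 'Subject Alternative Name' | tail -n 1 \
          | sed -e 's/IP Address:/IP:/g' -e 's/^ *//')
    for name in "$@"; do
        case ", $san," in
            *", $name,"*) ;;
            *) echo "SAN does not cover $name" >&2; return 1 ;;
        esac
    done
}

# The trust store must anchor the key store's certificate, whether that is the
# self-signed certificate itself (as on this page) or its issuing CA.
truststore_trusts_keystore() {
    ts=$1; tspass=$2; ks=$3; kspass=$4
    tmp=$(mktemp -d)
    p12_certs "$ts" "$tspass" > "$tmp/trusted.pem"
    p12_certs "$ks" "$kspass" -clcerts > "$tmp/leaf.pem"
    if openssl verify -CAfile "$tmp/trusted.pem" "$tmp/leaf.pem" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# Returns 0 when the JDK's well-known default password opens the store, i.e.
# when the password this page suggests for cacerts.pkcs12 is still in place.
uses_default_password() {
    p12_certs "$1" changeit -noout >/dev/null 2>&1
}

# Live check once a service is up: the handshake must verify against the trust
# store the JVMs are started with (-Djavax.net.ssl.trustStore) and the served
# certificate must match the name used to connect. Not exercised offline.
# Usage: check_endpoint 10.x.x.x 9090 cacerts.pkcs12 changeit
check_endpoint() {
    host=$1; port=$2; ts=$3; tspass=$4
    ca=$(mktemp)
    p12_certs "$ts" "$tspass" > "$ca"
    if openssl s_client -connect "$host:$port" -servername "$host" \
            -CAfile "$ca" -verify_hostname "$host" -verify_return_error \
            </dev/null >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -f "$ca"
    return $rc
}
```

For the on-premise setup the first argument of check_endpoint is the VM address from the -ext san=ip:10.x.x.x list, so a failure there usually means the certificate was generated with a different IP, not that TLS is off.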
    

Encrypt Password Utility

  1. In the $OPE_HOME/samples/EncryptPWDUtility/standalone/bin directory, run startEncryption.sh (for Linux) or startEncryption.ps1 (for Windows).
    Result: Passwords can then be encrypted and decrypted through the Swagger APIs of the EncryptPWDUtility service.