Streaming Web Services Adapter TLS HTTPS Configuration

Products	Versions
TIBCO Streaming	10.6, 11.0 and later

Description

What are the configurations needed to enable https:// connections to the TIBCO Streaming Web Server Request and Response adapters?

Issue/Introduction

Settings needed to enable SSL/TLS encrypted https:// connections

Resolution

The "adapters, webservers" configuration found in src/main/configurations needs the following six additional settings:

SecurePort -- the number of the port to accept https:// connections
SSLKeyStorePath -- the path to the Java keystore (.jks) containing the server's private key and public certificate
SSLKeyStorePassword -- the password to access the keystore
SSLKeyStoreManagerPassword -- the password to access the key (usually identical to the keystore password)
SSLTrustStorePath -- the path to the Java Truststore (usually the same as the keystore)
SSLTrustStorePassword -- the password to access the truststore

Adding these results in a configuration that looks like this (example):

name = "WebServer.conf"
type = "com.tibco.ep.streambase.configuration.adapter"
version = "1.0.0"
configuration = {
  AdapterGroup = {
    adapters = {
      webservers = {
        sections = [ 
          {
            name = "webserver"
            settings = {
              GZipMimeTypes = "text/html,text/plain,text/xml,application/xhtml+xml,text/css,application/javascript,text/javascript,image/svg+xml"
              IdleTimeoutMS = "30000"
              OutputBufferSize = "32768"
              Port = "8080"
              RequestHeaderSize = "8192"
              ResponseHeaderSize = "8192"
              SendDateHeader = "false"
              SendServerVersion = "true"
              StartOnStartup = "true"
              WebSocketAsyncWriteTimeoutMS = "5000"
              WebSocketIdleTimeoutMS = "30000"
              id = "Web Server Port 8080"
              # additional settings for https:// access
              SecurePort = "8443"
              SSLKeyStorePath = "C:/keys/keystore.jks"
              SSLKeyStorePassword = "secret"
              SSLKeyStoreManagerPassword = "secret"
              SSLTrustStorePath = "C:/keys/keystore.jks"
              SSLTrustStorePassword = "secret"
            }
          }
        ]
      }
    }
  }
}

This results in a Web Server Request adapter that will receive https:// requests on port 8443, and http:// requests on port 8080. If you do not want to accept http:// requests, either block port 8080 at the system firewall, or accept the message into the application and immediately use the Web Server Response adapter to send a default reply with web result status "403" meaning "Forbidden".

To support SLL/TLS encryption, the keystore must have a public certificate identifying the system on which the Web Server Request adapter is running, by the fully qualified hostname identified by DNS lookup for this system's IP address. That certificate must be either directly trusted by the client application, or the client must trust a Certificate Authority (CA) which has signed the public certificate.

You may have multiple independent named "webserver" configurations if your application needs to host multiple independent web services, each responding on different ports.

Note that the Web Server Request and Response adapters DO NOT make use of the Java system properties:

"javax.net.ssl.keyStore" = "{path-to-.jks}" 
"javax.net.ssl.keyStorePassword" = "password"
"javax.net.ssl.trustStore" = "{path-to-.jks}"
"javax.net.ssl.trustStorePassword" = "password"

These may be set independently to support other adapters without interfering with the "webservers" configuration.

Testing and Working With Keystores and Certificates

To test this configuration you may use a self signed certificate, and place that certificate in the client's trusted certificate store. To generate a self-signed certificate for 'localhost' (the client and server must be on the same system), use command (example):
keytool -genkeypair -keyalg RSA -alias localhost -keystore keystore.jks -storepass secret -validity 360 -keysize 2048

Example keystore creation:

C:\keys>keytool -genkeypair -keyalg RSA -alias localhost -keystore keystore.jks -storepass secret -validity 360 -keysize 2048
What is your first and last name?
[Unknown]: localhost
What is the name of your organizational unit?
[Unknown]: Support
What is the name of your organization?
[Unknown]: TIBCO
What is the name of your City or Locality?
[Unknown]: Boston
What is the name of your State or Province?
[Unknown]: MA
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=localhost, OU=Support, O=TIBCO, L=Boston, ST=MA, C=US correct?
[no]: yes

This will also add a key to a keystore if the file alreay exists. Provide your own values.

In the configuration example above the application expects the keystore.jks file to be in C:\keys. Change the project WebServer.conf paths to match where the keystore.jks file resides in the filesystem.

To export the public certificate from the keystore for use by the client, use command with the alias provided for the key (example):
keytool -export -alias localhost -file certfile.cer -keystore keystore.jks
The certfile.cer may then be imported into the client's truststore. If the truststore is a Java .jks file, then the command is (example):
keytool -import -alias localhost -file certfile.cer -keystore truststore.jks

Common Errors

If you have not set SSLKeyStoreManagerPassword, or it is set incorrectly, then the key cannot be read and the application may report these errors:

ERROR PostWeb: Failed to start the web server on port 8080 secure port 8443
java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise 
  if a bad key is used during decryption.
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key 
  is used during decryption.

If you have not set SSLTrustStorePath and SSLTrustStorePassword then you will see this error when running from SB Studio:

ERROR PostWeb: Failed to start the web server on port 8080 secure port 8443
java.nio.file.AccessDeniedException: {project path}\src\main\eventflow

If the path to the keystore is incorrect:

ERROR PostWeb: Failed to start the web server on port 8080 secure port 8443
java.lang.IllegalStateException: no valid keystore

And if the keystore password is wrong, you will see this clear error:

ERROR PostWeb: Failed to start the web server on port 8080 secure port 8443
java.io.IOException: keystore password was incorrect

Further Debugging

If you need more information than provided by any error messages, you may turn on additional debug logging using these Java system properties:

A. Report the SSL/TLS ciphers and communication:
"-Djavax.net.debug=ssl,handshake"
B. Report the Jetty web service initialization:
"-Dorg.eclipse.jetty.util.log.class=org.eclipse.jetty.util.log.StdErrLog" "-Dorg.eclipse.jetty.LEVEL=DEBUG"

Place these in the StreamBaseEngine HOCON setting section "jvmArgs".

Additional Considerations

Since this configuration requires passwords, you may wish to encrypt your passwords in the configuration, and you may wish to provide those passwords from a substitution file. References to these common configurations may be found here:

TIBCO Streaming > StreamBase Admin Guide > StreamBase Security Model > Encrypting Sensitive Configuration Data
TIBCO Streaming > Configuration Guide > HOCON Configuration Introduction > HOCON Substitution Variables

Welcome to "KB Articles"