UDDI and SSL
SSL/TLS secures outbound communication from Process Platform against eavesdropping and tampering. The protocol encrypts the messages and authenticates the server with a digital certificate. Through certificate validation, Process Platform controls which sites are trusted and which are not, much as a browser does. The trust anchors used for this validation are managed in the Certificates tab of the Security Administration task.
Involved components
The UDDI application connector (see Working With External Web services) uses a dedicated Process Platform library to validate the SSL/TLS connection. This library asks the Security Administration service to validate the server certificate and performs the hostname verification itself.
SSL/TLS validation
The SSL/TLS validation in UDDI involves the following steps:
- Checking certificate validity, see Certificate Validation. In an SSL/TLS handshake the server normally sends its whole certificate chain to the client (Process Platform). This chain is forwarded to the Security Administration service so that validation can succeed even when intermediate certificates in the chain are not known within Process Platform. An integrity check on the chain is part of the certificate validation algorithm.
- Verifying that the requested server host name matches the content of the certificate (the subject or subjectAltName attributes).
- Applying the relevant connector properties, see UDDI Connector Properties. The hostname check is controlled by the following property:

    # Disable hostname verification against SSL certificate
    uddi.http.connection.verifyhostname=false

- The configuration flag Ignore Certificate Validation (see UDDI Service Connection Parameters Interface) disables validation of the SSL/TLS connection altogether. As a result neither the certificate chain nor the hostname is verified, which leaves the connection open to an active man-in-the-middle.
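The three steps above (chain validation, hostname matching, and the two switches that weaken them) as an added stand-alone example. This is not Process Platform's or the UDDI connector's own code: the function names, the sample certificate, and the mapping of the two switches onto a Python SSLContext are this example's own assumptions; only the property name and the flag name come from the page. The sample certificate is constructed in the dict layout that ssl.SSLSocket.getpeercert() returns.

```python
"""Hostname verification against subject/subjectAltName, plus the effect of
uddi.http.connection.verifyhostname=false and Ignore Certificate Validation.
Added example, not Process Platform code. Function names are assumptions."""
import ipaddress
import ssl


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName (or commonName) pattern against a hostname.

    Wildcard rules follow RFC 6125: '*' may only be the entire left-most
    label and matches exactly one non-empty label, so '*.example.com'
    covers 'a.example.com' but not 'a.b.example.com' or 'example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False          # wildcard only allowed as the whole first label
    if len(p_labels) < 3:
        return False          # refuse '*.com'-style patterns
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, peercert: dict) -> bool:
    """Step 2 above: does the certificate cover the requested host name?

    IP literals must appear as an iPAddress SAN. If any dNSName SAN is
    present the subject commonName is ignored (RFC 6125); the CN is only
    consulted as a legacy fallback for certificates without a SAN.
    """
    san = peercert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        return any(ipaddress.ip_address(v) == wanted_ip for v in ip_names)
    if dns_names:
        return any(dns_name_matches(p, hostname) for p in dns_names)
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return dns_name_matches(value, hostname)
    return False


def build_client_context(verify_hostname: bool = True,
                         ignore_certificate_validation: bool = False) -> ssl.SSLContext:
    """Map the page's two switches onto an SSLContext (assumed mapping).

    verify_hostname=False stands for uddi.http.connection.verifyhostname=false:
    the chain is still validated against the trust anchors, only the
    hostname check is skipped. ignore_certificate_validation=True stands for
    the Ignore Certificate Validation flag: neither chain nor hostname is
    checked, so any certificate, including an attacker's, is accepted.
    """
    ctx = ssl.create_default_context()   # trust anchors: the default CA store (cacerts-like)
    if ignore_certificate_validation:
        ctx.check_hostname = False       # must be cleared before CERT_NONE is allowed
        ctx.verify_mode = ssl.CERT_NONE
    elif not verify_hostname:
        ctx.check_hostname = False
    return ctx


# Constructed sample certificate; not a real UDDI registry certificate.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "uddi.example.com"),),),
    "subjectAltName": (
        ("DNS", "uddi.example.com"),
        ("DNS", "*.registry.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}

if __name__ == "__main__":
    for host in ("uddi.example.com", "api.registry.example.com",
                 "a.b.registry.example.com", "192.0.2.10", "192.0.2.11"):
        print(f"{host:28s} -> {hostname_matches(host, SAMPLE_PEERCERT)}")
    print("ignore validation ->",
          build_client_context(ignore_certificate_validation=True).verify_mode)
```

Note the ordering in build_client_context: Python refuses to set verify_mode to CERT_NONE while check_hostname is still True, which is a useful reminder that disabling chain validation necessarily drops hostname verification too, exactly as the Ignore Certificate Validation flag does.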
Client authentication with SSL
Client authentication over SSL/TLS is based on client certificates. The UDDI service needs access to the private key of the client certificate in order to authenticate itself to the external service. Currently this is possible with the uddi.keystore property, see Accessing External Web service using Client Certificate.

Note: Setting uddi.keystore forces the UDDI service into backward-compatibility mode, in which no integration with Security Administration is used.
Compatibility
The integration with the Certificates store in Security Administration is a new feature of the latest versions of Process Platform. Older versions required a Java keystore to be configured in order to manage the trust anchors.
Behavior with respect to former versions:
- When uddi.keystore is configured, UDDI validates the SSL/TLS connection the old way, against that keystore.
- The current default is integration with Security Administration. The default behavior is the same as before, namely trust in the default Java keystore (cacerts). This is achieved by adding the default Java keystore (cacerts) as a read-only keystore to the Process Platform Certificate store.