Security may be turned on or off per web service instance. In order to activate the security, please follow this guide.
Open the web user interface of tia Web Service and click the gear symbol in the Actions column of the web service instance for which you want to activate security. This opens the configuration of the instance.
Screenshot: tia Web Service UI with highlighted gear symbol in the Actions column.
Switch to the Security tab and tick the checkbox of the option UseSecurity.
Three types of security are supported:
Checking whether the application name is signed
Sending read/write operations using the configured certificate
Permissions for content server operations (serverinfo, info, create, delete and get)
Signing an application’s name
Three fields must be configured so that the signature of the application name can be verified:
PublicKeystore Path (found under OSGi → Configuration → WebService MainConfiguration)
PublicKeystore Password (found under OSGi → Configuration → WebService MainConfiguration)
PublicStoreAlias (found under Main → tia Web Service → Instance name → Gear symbol → Security tab → PublicStoreAlias)
The keystore may hold one or many certificates (with public keys). When an instance receives a seckey, the seckey's signature is verified with the certificate stored under the alias configured in that instance's configuration.
After enabling UseSecurity and configuring the keystore alias, the signature of the application name is verified using the public key stored under that alias in the specified keystore.
Please note: It’s necessary to restart the instance in order for the security settings to take effect.
Using a certificate
The Certificate option in the Security tab (Main → tia Web Service → Gear symbol in the Actions column of the instance) selects the type of certificate to use. Currently the following types are available:
KGS
ID3
none
Please note: if the remote content server does not yet hold a certificate, you can send the certificate of a specific web service instance by clicking the key symbol.
Screenshot: tia Web Service UI with highlighted "Send certificate" action.
You can also send the certificates of all web service instances with configured security at once by clicking the Send Certificates button at the bottom of the instance overview.
Configuring permission for Content Server operations
A web service instance may be configured to allow certain or all of the following operations:
serverinfo: the instance may execute serverinfo requests against the defined content server endpoint.
info: the instance may execute info requests against the defined content server endpoint.
create: the instance may execute create requests for documents against the content server endpoint.
delete: the instance may execute delete requests for documents against the defined endpoint.
get: the instance may execute get requests for documents against the defined endpoint.
Please note: these permissions are independent of the UseSecurity option, so UseSecurity does not have to be enabled for them to apply.
You find these options under: web user interface → Main → tia Web Service → Gear symbol in the Actions column of the instance → Security tab
Screenshot: web user interface with highlighted request permission options.
Importing a certificate with Public Key
To import a certificate with a public key, which is then used for verification, follow these steps.
Open the web user interface of the Web Service and go to Main → tia Web Service. Make sure that the Public Keystore Path, the PublicKeystore Password and the PublicStoreAlias have been configured.
Next to the Web Service instance, click the Import icon, which opens a dialog. In this dialog, enter the alias and locate the certificate file by clicking the Browse button.
After both have been set, click the Import button.
If the alias already exists, or the file is not a valid certificate with a public key, an error is generated.
Screenshot: instance overview of the Web Service with highlighted "Import" button and opened "Import Public Key" dialog.
Generating a Certificate Signing Request (CSR)
This feature lets an instance generate a certificate signing request (CSR) in a specified folder, to be signed by the authorized authority (e.g. a CA). To use it, make sure the following parameters have been configured in the instance:
The PrivateKeystore Path
The PrivateKeystore Password
The OutputCSRDirectory Path
The PrivateStoreAlias
The CSR file is named after the instance. For example, if the instance name is "Cortex", the CSR file is "Cortex.csr". The CSR file is expected to be signed by the appropriate authority, which returns a CER file. Once the CER file has been received, import it into the public keystore by following the steps in section 6.4 (Importing a certificate with Public Key).
CSR attributes must be configured before the request can be generated. The important attributes are located at Main -> KGS WebService -> Instance name properties -> Security.
Overriding Common Name
By default an instance may only use a certificate whose common name (CN) is the application name itself. For example, if the application "Cortex" is to use a certificate with the common name "test.kgs-software.net", the request will not succeed. If the parameter CNOverride is set to "test", however, the request succeeds, because the application "Cortex" is then allowed to use the certificate with the common name "test". The PublicStoreAlias must also be configured with the correct alias.
Generating Signed Keys
A command-line tool is provided that generates signed text from the input given by the user, which is usually the application name. The signed text can also be generated from the GUI of the Framework; the option is located at Main -> KGS Web Service -> Generate SecKeys, as shown below.
Screenshot: web user interface with highlighted "Generate SecKeys" button.
Clicking this option generates a CSV file containing the application/instance names together with their signed texts (security keys). The prerequisites for this option are:
The directory in which the CSV file is written must be configured (found at OSGi → Configuration -> WebService MainConfiguration -> SecurityKey Path).
The path to a valid private keystore and its password must be configured.
The PrivateStoreAlias for the respective application name must be configured (found at Main -> KGS Web Service -> click Configure for the respective application (instance) -> Security -> PrivateStoreAlias).
Treat the generated CSV as sensitive: a seckey is what an instance accepts as proof that the application name is signed.
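The flow described in the sections above (generating a CSR whose CN is the instance name, having an authority turn it into a CER, importing that CER under an alias with the duplicate-alias and invalid-file checks, signing the application name into a seckey with the private key, and verifying a received seckey against the certificate under PublicStoreAlias with the CN / CNOverride rule) as one added Go example. This is illustrative code written for this page, not tia's own implementation: the real seckey format and signature algorithm, the keystore file format, and whether CNOverride is an exact match are not documented here and are assumptions; PublicKeystore is an in-memory stand-in for the keystore file and the "authority" is a bare issuer name rather than a full CA certificate.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// PublicKeystore stands in for the public keystore: PublicStoreAlias -> certificate.
type PublicKeystore map[string]*x509.Certificate

// GenerateCSR builds the PKCS#10 request an instance would write as "<instance>.csr"; the CN is the instance name.
func GenerateCSR(key *rsa.PrivateKey, instanceName string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: instanceName}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// SignCSR plays the authority: check the request's proof of possession, then issue the CER (DER bytes).
func SignCSR(csrDER []byte, caKey *rsa.PrivateKey) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: csr.Subject, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
	}
	issuer := &x509.Certificate{Subject: pkix.Name{CommonName: "Example CA"}} // simplified: a real CA uses its own cert
	return x509.CreateCertificate(rand.Reader, tmpl, issuer, csr.PublicKey, caKey)
}

// ImportCert mirrors the "Import Public Key" dialog: a duplicate alias or a file that is not a valid certificate with an RSA public key is an error.
func (ks PublicKeystore) ImportCert(alias string, der []byte) error {
	if _, exists := ks[alias]; exists {
		return fmt.Errorf("alias %q already exists", alias)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return fmt.Errorf("not a valid certificate: %w", err)
	}
	if _, ok := cert.PublicKey.(*rsa.PublicKey); !ok {
		return fmt.Errorf("certificate for %q carries no RSA public key", alias)
	}
	ks[alias] = cert
	return nil
}

// SignAppName makes a seckey: the application name signed with the instance key (assumed RSA PKCS#1 v1.5 over SHA-256, base64; the real format is not documented).
func SignAppName(key *rsa.PrivateKey, appName string) (string, error) {
	digest := sha256.Sum256([]byte(appName))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// VerifySecKey is the receiving instance's check: find the certificate under the configured alias, require its CN
// to equal the application name (or CNOverride when set; exact match is an assumption), then verify the signature.
func VerifySecKey(ks PublicKeystore, alias, appName, seckey, cnOverride string) error {
	cert, ok := ks[alias]
	if !ok {
		return fmt.Errorf("no certificate under alias %q", alias)
	}
	wantCN := appName
	if cnOverride != "" {
		wantCN = cnOverride
	}
	if cert.Subject.CommonName != wantCN {
		return fmt.Errorf("certificate CN %q does not match %q", cert.Subject.CommonName, wantCN)
	}
	sig, err := base64.StdEncoding.DecodeString(seckey)
	if err != nil {
		return fmt.Errorf("seckey is not base64: %w", err)
	}
	digest := sha256.Sum256([]byte(appName))
	return rsa.VerifyPKCS1v15(cert.PublicKey.(*rsa.PublicKey), crypto.SHA256, digest[:], sig)
}

func main() {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)   // the authority's key
	instKey, _ := rsa.GenerateKey(rand.Reader, 2048) // the instance key held under PrivateStoreAlias
	csr, _ := GenerateCSR(instKey, "Cortex")         // what the instance writes as Cortex.csr
	cer, _ := SignCSR(csr, caKey)                    // the CER the authority sends back
	ks := PublicKeystore{}
	fmt.Println("import:", ks.ImportCert("cortex", cer))
	seckey, _ := SignAppName(instKey, "Cortex")
	fmt.Println("verify:", VerifySecKey(ks, "cortex", "Cortex", seckey, ""))
}
```

Two behaviours worth noting when running this: a seckey produced for "Cortex" is rejected for any other application name, because the name is part of what was signed; and a certificate whose CN is neither the application name nor the CNOverride value is refused before the signature is even examined, which is the rule the Overriding Common Name section describes.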