
Configuring Presto for SSL and Digital Certificates

Presto expects HTTP as the default transport protocol from clients to the Mashup Server. Connections from the Mashup Server to mashable information sources typically also use HTTP.

Presto supports HTTPS and SSL for connections from clients or connections to many types of mashables, such as web feeds or REST and WSDL web services, or through direct connections using EMML. Presto can also use digital certificates from clients in user authentication.



The certificate store, certificates and configuration needed to support SSL in Presto depend on the connection scenario. The scenarios differ on three points:

  • Certificate store and certificates: whether a key store, a trust store, or both are needed.

  • Store configuration: whether the certificate stores are configured in Java, in the application server, or in Presto.

  • Presto configuration: whether Presto authentication or security profiles must also be configured.

The scenarios are:

  • One-Way SSL to Presto.

  • Mutual SSL to Presto. See Configure Mutual SSL Between Users and Presto.

  • One-Way SSL to Mashable Information Sources. For this scenario the store configuration can be in either location.

  • One-Way SSL to Information Sources Using <directinvoke> in Mashups.

  • Mutual SSL to Mashables. See Configure Mutual SSL Between Presto and Mashable Information Sources.

The requirements for each scenario are listed in the sections below.

See also The Certificate Store and Certificates for more information.

The Certificate Store and Certificates

Both key stores and trust stores are certificate stores: files that hold and manage the key certificate pairs or the public certificates used in secure connections with the SSL protocol. A key store holds key certificate pairs (a private key with its certificate); a trust store holds only the public certificates of trusted peers or of the Certificate Authorities that signed them.

Key Certificate Pairs

For Presto, the key certificate pair stored in the key store identifies the Mashup Server to users, for both one-way and mutual SSL. The key certificate pair identifies the Mashup Server to mashable information sources for mutual SSL.

You must generate a key certificate pair for Presto. Typically you also have the certificate signed by a Certificate Authority (by generating a certificate signing request from the pair) and import the signed certificate into the key store using the Java keytool utility or other certificate management tools.

Trusted Peer Certificates

The public certificates from peers are stored in the trust store. They identify users (for mutual SSL) or identify information sources, whether mashables or direct sources used in mashups (for one-way or mutual SSL).

When a peer's public certificate is signed by a well-known Certificate Authority whose root certificate is already in the trust store, the certificate chain is verified automatically and nothing needs to be imported. If a public certificate is self-signed, or is signed by a Certificate Authority whose root certificate is not in the trust store, you must obtain the peer's public certificate (or the CA root certificate) and import it into the trust store before the first connection occurs during:

  • User login.

  • Mashable registration.

  • Direct invocation in mashups.

Anything imported into the trust store is trusted without further checks, so confirm the fingerprint of a self-signed certificate with the peer through a separate channel before importing it.

The Certificate Store

You can use a single certificate store as both the key store and trust store for Presto or you can use separate certificate stores. You can use an existing certificate store for Presto, such as the default certificate store shipped with some application servers. Or you can create a new certificate store using the Java keytool utility.

See Java keytool documentation for more information, commands and instructions on managing key certificate pairs, trusted certificates and certificate stores.

Configure Mutual SSL Between Users and Presto

The Mashup Server and the user's client both present certificates. Presto can also be configured to authenticate users with their digital certificates. The connection requires:

Configure Mutual SSL Between Presto and Mashable Information Sources

Both the information source and Presto exchange certificates.

For mashups, you must use the <invoke> statement to connect to information sources that require mutual SSL. The <directinvoke> statement in EMML only supports one-way SSL connections.

This scenario uses the SSL security profile that is provided in Presto. It requires:

  • Store and Certificates:

    • A certificate store as key store and trust store for the Mashup Server.

    • A key certificate pair for the Mashup Server.

    • Public certificates in the trust store for any information sources whose certificates are self-signed or signed by a Certificate Authority whose root certificate is not already in the trust store.

      You must add these certificates to the trust store before the mashable information source can be registered. See Trusted Peer Certificates for more information.

    See The Certificate Store and Certificates for instructions.

  • Configuration in Presto for both the key store and trust store. See Configure Certificate Stores in Presto for instructions.

  • Security Profile configuration for each mashable information source. You provide this configuration when you register the mashable. See Mashable Authentication with Security Profiles for more information.
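The roles of the key store and trust store described under The Certificate Store and Certificates, and the difference between the one-way and mutual scenarios above, as an added example that is not part of the Presto documentation or product: a Go program (chosen because its standard library can create certificates in memory, so it runs offline) that stands in the Mashup Server's place with a private CA and runs four loopback TLS handshakes. The names presto-ca, other-ca, presto.local and user.local are constructed for the demo. In Go terms, a tls.Certificate plays the key store role (a certificate with its private key) and an x509.CertPool plays the trust store role (public certificates only).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

var serial int64 // demo-only serial counter for the constructed certificates

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates a certificate for name. CAs are self-signed roots here; leaves are signed
// by parent/parentKey. Everything stays in memory: no key store or trust store files.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// keyPair is the key-store role: a certificate together with its private key.
func keyPair(c *x509.Certificate, k *ecdsa.PrivateKey) tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{c.Raw}, PrivateKey: k}
}

// trustStore is the trust-store role: public certificates of trusted peers or CAs only.
func trustStore(certs ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, c := range certs {
		pool.AddCert(c)
	}
	return pool
}

// handshake runs one TLS handshake over loopback and returns the first error either side
// raised, or nil when both sides accepted their peer.
func handshake(server, client *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		defer c.Close()
		c.SetDeadline(time.Now().Add(5 * time.Second))
		tc := tls.Server(c, server)
		if err = tc.Handshake(); err == nil {
			_, err = tc.Write([]byte("ok")) // reached only if the server accepted the client
		}
		srvErr <- err
	}()
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", ln.Addr().String(), client)
	if err != nil {
		return err // the client rejected the server's certificate
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	_, readErr := io.ReadFull(conn, make([]byte, 2)) // a server-side rejection arrives here as a TLS alert
	if err := <-srvErr; err != nil {
		return err
	}
	return readErr
}

// RunScenarios maps each scenario to its handshake result (nil means the connection was accepted).
func RunScenarios() map[string]error {
	prestoCA, prestoCAKey := issue("presto-ca", true, nil, nil) // CA that signed the Mashup Server's pair
	otherCA, _ := issue("other-ca", true, nil, nil)            // a CA whose root is not in the client's trust store
	srv, srvKey := issue("presto.local", false, prestoCA, prestoCAKey)
	user, userKey := issue("user.local", false, prestoCA, prestoCAKey)
	serverCfg := func(auth tls.ClientAuthType) *tls.Config {
		return &tls.Config{
			MinVersion:   tls.VersionTLS12,
			Certificates: []tls.Certificate{keyPair(srv, srvKey)}, // Mashup Server key store
			ClientAuth:   auth,                                     // NoClientCert = one-way, RequireAndVerifyClientCert = mutual
			ClientCAs:    trustStore(prestoCA),                     // Mashup Server trust store for user certificates
		}
	}
	clientCfg := func(roots *x509.CertPool, certs ...tls.Certificate) *tls.Config {
		return &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: roots, ServerName: "presto.local", Certificates: certs}
	}
	return map[string]error{
		"one-way, signer not in trust store": handshake(serverCfg(tls.NoClientCert), clientCfg(trustStore(otherCA))),
		"one-way, signer in trust store":     handshake(serverCfg(tls.NoClientCert), clientCfg(trustStore(prestoCA))),
		"mutual, no client certificate":      handshake(serverCfg(tls.RequireAndVerifyClientCert), clientCfg(trustStore(prestoCA))),
		"mutual, client certificate":         handshake(serverCfg(tls.RequireAndVerifyClientCert), clientCfg(trustStore(prestoCA), keyPair(user, userKey))),
	}
}

func main() {
	for name, err := range RunScenarios() {
		fmt.Printf("%-36s -> %v\n", name, err)
	}
}
```

The first scenario reproduces the failure you get when a peer's certificate is signed by a CA whose root is absent from the trust store, which is the situation the trusted-peer rules above tell you to fix before the first connection. The third scenario shows that the client side of mutual SSL must present a key certificate pair of its own, and that the server's trust store, not its key store, is what decides whether that pair is accepted.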

One-Way SSL to Presto

This requires:

One-Way SSL to Mashable Information Sources

This requires:

One-Way SSL to Information Sources Using <directinvoke> in Mashups

This requires:

  • A trust store for Presto. See The Certificate Store and Certificates for more information.

  • Configuration for the trust store in Java. See Update SSL Configuration for Java for instructions.

    EMML uses the certificate stores defined in Java.

  • Self-signed certificates, if any, for the information source using one-way SSL. You must add these certificates to the trust store before the mashup invokes these information sources. See Trusted Peer Certificates for more information.