Configuring Presto for SSL and Digital Certificates
Presto expects HTTP as the default transport protocol from clients to the Mashup Server. Connections from the Mashup Server to mashable information sources typically also use HTTP.
Presto supports HTTPS and SSL for connections from clients or connections to many types of mashables, such as web feeds or REST and WSDL web services, or through direct connections using EMML. Presto can also use digital certificates from clients in user authentication.

The certificate store, certificates and configuration needed to support SSL in Presto depend on the connection requirements, as shown below:
[Table: SSL requirements by connection type. Column groups: Certificate Store and Certificates (Key, Trust); Store Configuration (Java, App Server, Presto); Presto Configuration (Authentication, Security Profiles). Rows: Mutual to Presto; One-Way SSL to Information Sources Using <directinvoke> in Mashups; Mutual to Mashables (see Configure Mutual SSL Between Presto and Mashable Information Sources). One entry reads "can be in either".]
See also The Certificate Store and Certificates for more information.
The Certificate Store and Certificates
Both key stores and trust stores are certificate stores to store and manage the key certificate pairs or public certificates used in secure connections with the SSL protocol. Key stores manage key certificate pairs and trust stores manage the public certificates of trusted peers.
Key Certificate Pairs
For Presto, the key certificate pair stored in the key store identifies the Mashup Server to users, for both one-way and mutual SSL. The key certificate pair identifies the Mashup Server to mashable information sources for mutual SSL.
You must generate a key certificate pair for Presto. Typically you also have the key certificate pair signed by a Certificate Authority and import this into the certificate store using the Java keytool utility or other certificate management tools.
Trusted Peer Certificates
The public certificates from peers are stored in the trust store and identify users, for mutual SSL, or identify information sources (mashable or direct sources used in mashups), for one-way or mutual SSL.
When public certificates for peers are signed by well-known Certificate Authorities, they are automatically verified and imported into the trust store. If public certificates are self-signed or signed by an unknown Certificate Authority (the CA root certificate is not found in the trust store), you must obtain the peers’ public certificates and import them into the trust store before the first connection occurs during:
User login.
Mashable registration.
Direct invocation in mashups.
The Certificate Store
You can use a single certificate store as both the key store and trust store for Presto or you can use separate certificate stores. You can use an existing certificate store for Presto, such as the default certificate store shipped with some application servers. Or you can create a new certificate store using the Java keytool utility.
See Java keytool documentation for more information, commands and instructions on managing key certificate pairs, trusted certificates and certificate stores.
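The keytool steps referred to in Key Certificate Pairs, Trusted Peer Certificates and The Certificate Store, as an added example that is not part of the Presto documentation. Aliases, file names, distinguished names and the password are constructed placeholders, and the stores use the JDK's default store type.

```shell
#!/bin/sh
# Added example: aliases, file names, DNs and the password are constructed.
STOREPASS='example-only-secret'; export STOREPASS  # keytool reads it via :env

# Key certificate pair that identifies the Mashup Server, plus a CSR for a CA.
make_server_keypair() {    # $1 = key store file
  keytool -genkeypair -alias mashupserver -keyalg RSA -keysize 2048 \
    -validity 365 -dname "CN=presto.example.test, O=Example" \
    -keystore "$1" -storepass:env STOREPASS -keypass:env STOREPASS
  keytool -certreq -alias mashupserver -file "$1.csr" \
    -keystore "$1" -storepass:env STOREPASS
}

# Stand-in for an information source with a self-signed certificate:
# creates its key pair and exports only the public certificate as PEM.
make_selfsigned_peer() {   # $1 = peer key store, $2 = PEM output file
  keytool -genkeypair -alias source -keyalg RSA -keysize 2048 \
    -validity 365 -dname "CN=feeds.example.test, O=Example" \
    -keystore "$1" -storepass:env STOREPASS -keypass:env STOREPASS
  keytool -exportcert -rfc -alias source -file "$2" \
    -keystore "$1" -storepass:env STOREPASS
}

# Show the SHA-256 fingerprint for out-of-band comparison, then add the
# certificate to the trust store. -noprompt skips keytool's confirmation.
trust_peer() {             # $1 = trust store, $2 = alias, $3 = PEM file
  keytool -printcert -file "$3" | grep 'SHA256:'
  keytool -importcert -noprompt -alias "$2" -file "$3" \
    -keystore "$1" -storepass:env STOREPASS
}

# Entry type of an alias as keytool reports it: PrivateKeyEntry for a key
# certificate pair, trustedCertEntry for a trusted peer certificate.
# Prints nothing when the alias or the store does not exist.
entry_type() {             # $1 = store, $2 = alias
  keytool -list -alias "$2" -keystore "$1" -storepass:env STOREPASS \
    2>/dev/null | grep -o -e 'PrivateKeyEntry' -e 'trustedCertEntry' | head -n 1
}

# Usage: make_server_keypair presto-keystore
#        trust_peer presto-truststore feeds-source feeds.pem
#        entry_type presto-truststore feeds-source
```

When the Certificate Authority returns the signed certificate, import it with keytool -importcert under the same mashupserver alias so that it replaces the self-signed certificate created by -genkeypair. Passing the password through the environment with :env keeps it out of the process argument list.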
Configure Mutual SSL Between Users and Presto
The Mashup Server and users both exchange certificates. Presto can also be configured to use user digital certificates for authentication. The connection requires:
Store and Certificates:
A certificate store as key store and trust store for the Mashup Server.
A key certificate pair for the Mashup Server.
Public certificates in the trust store for any user certificates that are self-signed.
You must add self-signed certificates to the trust store before these users log in. See Trusted Peer Certificates for more information.
See The Certificate Store and Certificates for more information.
Configuration in the application server hosting Presto to use the HTTPS port. This also includes configuration identifying the key store and trust store for the Mashup Server. See Configure HTTPS and Certificate Stores in the Application Server for instructions.
Optional configuration in Presto to use digital certificates for user authentication. See Configuring Presto Authentication with Digital Certificates for instructions.
Configure Mutual SSL Between Presto and Mashable Information Sources
Both the information source and Presto exchange certificates.
Note: For mashups, you must use the <invoke> statement to connect to information sources that require mutual SSL. The <directinvoke> statement in EMML only supports one-way SSL connections.
This scenario uses the SSL security profile that is provided in Presto. It requires:
Store and Certificates:
A certificate store as key store and trust store for the Mashup Server.
A key certificate pair for the Mashup Server.
Public certificates in the trust store for any information sources that have self-signed certificates.
You must add self-signed certificates to the trust store before the mashable information source can be registered. See Trusted Peer Certificates for more information.
See The Certificate Store and Certificates for instructions.
Configuration in Presto for both the key store and trust store. See Configure Certificate Stores in Presto for instructions.
Security Profile configuration for each mashable information source. You provide this configuration when you register the mashable. See Mashable Authentication with Security Profiles for more information.
One-Way SSL to Presto
This requires:
A key store and a key certificate pair for Presto. See The Certificate Store and Certificates for more information.
Configuration in your application server for the HTTPS port to Presto and the key store. See Configure HTTPS and Certificate Stores in the Application Server for instructions.
One-Way SSL to Mashable Information Sources
This requires:
A trust store for Presto. See The Certificate Store and Certificates for more information.
Configuration for the trust store in either:
The application server hosting the Mashup Server. See Configure HTTPS and Certificate Stores in the Application Server for instructions.
Java. See Update SSL Configuration for Java for instructions.
Self-signed certificates, if any, for mashable information sources using one-way SSL. You must add these certificates to the trust store before the mashable information source can be registered. See Trusted Peer Certificates for more information.
One-Way SSL to Information Sources Using <directinvoke> in Mashups
This requires:
A trust store for Presto. See The Certificate Store and Certificates for more information.
Configuration for the trust store in Java. See Update SSL Configuration for Java for instructions.

EMML uses the certificate stores defined in Java.
Self-signed certificates, if any, for the information source using one-way SSL. You must add these certificates to the trust store before the mashup invokes these information sources. See Trusted Peer Certificates for more information.