Monday, September 24, 2012

PSOFT : Third Party Integration using HTTPS Client Certificate Installation


A.   Define the third party external node

  1. Navigate to PeopleTools > Integration Broker > Integration Setup > Nodes
  2. Add New Node, enter the node name and click ADD
  3. Enter the required information
    - Description
    - Node Type: EXTERNAL
    - Default User ID: (see definition at end of document)
    - External User ID and External User Password if required by 3rd party
  4. Go to the Connector page:
    - Enter the Connector ID: HTTPTARGET
    - Enter the Primary URL: in this case it utilizes HTTPS

If you ping the node at this point, you will get an error message:

Integration Gateway - External System Contact Error (158,10721). In the ErrorLog.html you may see the error: “HttpTargetConnector:ExternalSystemContactException unknown certificate”

This happens because you have not yet imported the digital certificate from the 3rd party external site.

B. Installing Digital Root Certificate from 3rd party

1. You need to obtain the Root Certificate and copy it to a file. To do this, first take the primary 
    URL specified on the Connector page of the external node definition.  Copy it and paste into 
    a browser URL address line. 

2. Depending on the browser version you will see a padlock icon either to the right of the 
    address line or in the lower right corner of the browser.  Click on the Padlock to view the 
    certificate.  

3. Click on the Certificate Path tab and highlight the top node.

4. Click on the Details Tab

5. Click on ‘Copy to File’ button and it will pop up a certificate export wizard. Click ‘Next’ button 

6. Select 2nd option ‘Base-64 encoded X.509(.CER)’ and click ‘Next’

7. Browse to the folder and enter the file name to which you want to export (I named it rootca.cer)

8. Click ‘Next’ and you will see the Export completion window.
           
9. Click ‘Finish’

     You should get a message box saying: The export was successful

(When you download certificates, download all of the chained certificates, which you will see on the 3rd tab, "Certification Path", as a tree view of sites.
Click on every site, click View Certificate and then do Copy to File again in Base-64, so that you download and apply the certificates for all sites and sub-sites.)


10. Copy c:\temp\ps\rootca.cer to <PS_HOME>\webserv\<Domain> on the web server box

11. Open a command prompt on the web server box and cd to <PS_HOME>\webserv\<Domain>
      Type ‘pskeymanager -import’

12. It will prompt you for the password; type ‘password’ (this is the default; if you want to
      change it, you can type something you can remember)

13. It will prompt you for an alias

14. Enter a meaningful alias name (make sure it does not already exist in your keystore) and in the
      next step enter the root CA file name ‘rootca.cer’, the file you copied from the
      certificate sent by the certificate provider, and then press ‘Enter’

15. If you get a message saying that the certificate already exists under a different alias name, there is no harm in applying it or leaving it.

16. You will see the ‘Trust this Certificate’ prompt; type ‘yes’

17. It will complete the process and you will see ‘Certificate was added to keystore’
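A check worth running before answering ‘yes’ at the ‘Trust this Certificate’ prompt, given here as an added Python example that is not part of the original post: it computes the SHA-256 fingerprint of each Base-64 .cer export and compares it with the value the third party supplied out of band. The alias names, the reference fingerprints and the sample certificate text are constructed placeholders.

```python
import base64
import hashlib
import ssl


def sha256_fingerprint(cer_text):
    """Colon-separated SHA-256 of the DER bytes in a Base-64 (.CER) export."""
    der = ssl.PEM_cert_to_DER_cert(cer_text.strip())  # ValueError if not PEM
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_exports(exports, expected):
    """Map each alias to match / MISMATCH / no reference / not Base-64 X.509.

    exports:  {alias: text of the exported .cer file}
    expected: {alias: fingerprint obtained from the third party out of band}
    """
    results = {}
    for alias, text in exports.items():
        try:
            actual = sha256_fingerprint(text)
        except ValueError:  # e.g. the binary DER option was chosen in step 6
            results[alias] = "not Base-64 X.509"
            continue
        want = expected.get(alias)
        if want is None:
            results[alias] = "no reference"
        elif actual == want.strip().upper():
            results[alias] = "match"
        else:
            results[alias] = "MISMATCH"
    return results


def constructed_cer(payload):
    """Wrap bytes in PEM armour: a constructed sample, not a real certificate."""
    body = base64.encodebytes(payload).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


ROOT = constructed_cer(b"constructed root CA bytes")
INTERMEDIATE = constructed_cer(b"constructed intermediate CA bytes")

if __name__ == "__main__":
    reference = {"tp_root": sha256_fingerprint(ROOT), "tp_inter": "00:" * 31 + "00"}
    exported = {"tp_root": ROOT, "tp_inter": INTERMEDIATE, "tp_leaf": "0\x82 DER"}
    for alias, status in check_exports(exported, reference).items():
        print(alias, status)
```

For real files, pass the text of each exported .cer file as the value in `exports`; only aliases reported as "match" should be imported and trusted.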
         
C. Edit the integrationGateway.properties file

1. Edit the integrationGateway.properties file.

    Go to PeopleTools > Integration Broker > Configuration > Gateways and choose the gateway.
    Once there, click on the Gateway Setup Properties link, enter the user ID and password,
    and click OK.
    Now click on the Advanced Properties page, locate the following settings and
    enter the path to pskey (<PS_HOME>\webserv\<Domain>/keystore/pskey) and
    the password.
    (Depending on the tools version, encrypt the password or leave it as it is.)

    Uncomment following parameters and make sure they are correct. 

    secureFileKeystorePath=<path to pskey>
    secureFileKeystorePasswd=password

2. Reboot the webserver and Ping the Node to test
    Go back to the external node definition and PING the node.  You should get a SUCCESS!

3. If you are getting any error, then please check:
- Whether the PRIMARY URL link from the node's Connector tab is working.
- Whether you are able to ping that URL or IP from that server (if applicable).
- For further troubleshooting, check the IB error log:
   If your gateway url is http://server1:8000/PSIGW/PeopleSoftConnector
   then check error log at 
   http://server1:8000/PSIGW/errorLog.html
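A small audit of the two keystore settings uncommented in step 1, given as an added Python example that is not part of the original post. It assumes the file follows standard Java .properties escaping, where a lone backslash is an escape character; the sample paths and the replacement password are constructed placeholders.

```python
import re

REQUIRED = ("secureFileKeystorePath", "secureFileKeystorePasswd")


def audit_gateway_properties(text):
    """Return findings for the two keystore settings named in the post."""
    active, commented = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        is_comment = line.startswith(("#", "!"))
        key, sep, value = line.lstrip("#! \t").partition("=")
        key = key.strip()
        if not sep or key not in REQUIRED:
            continue
        if is_comment:
            commented.add(key)
        else:
            active[key] = value.strip()  # a later uncommented line overrides
    findings = []
    for key in REQUIRED:
        if key not in active:
            state = "still commented out" if key in commented else "missing"
            findings.append(f"{key}: {state}")
        elif not active[key]:
            findings.append(f"{key}: empty value")
    if active.get("secureFileKeystorePasswd") == "password":
        findings.append("secureFileKeystorePasswd: default keystore password")
    # In .properties syntax a lone backslash is an escape character, so a
    # Windows path needs doubled backslashes or forward slashes.
    if re.search(r"(?<!\\)\\(?!\\)", active.get("secureFileKeystorePath", "")):
        findings.append("secureFileKeystorePath: lone backslash in path")
    return findings


# Constructed samples; the paths and the replacement password are placeholders.
COMMENTED = "#secureFileKeystorePath=<path to pskey>\n#secureFileKeystorePasswd=password\n"
LONE_BACKSLASH = ("secureFileKeystorePath=C:\\PT\\webserv\\dom\\keystore\\pskey\n"
                  "secureFileKeystorePasswd=password\n")
CORRECTED = ("secureFileKeystorePath=C:/PT/webserv/dom/keystore/pskey\n"
             "secureFileKeystorePasswd=<changed-keystore-password>\n")

if __name__ == "__main__":
    for name in ("COMMENTED", "LONE_BACKSLASH", "CORRECTED"):
        print(name, audit_gateway_properties(globals()[name]))
```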


Notes :
Definition for Default User ID:
On inbound integrations, this is the user ID that the sender must specify to invoke a service operation, unless you have set up an external user ID for this purpose.
On outbound integrations, this is the default user ID sent with the service operation.

keytool Commands
To see all ssl certs:
keytool -list -keystore /home/njdev/webserv/njdev/piaconfig/keystore/pskey
or
pskeymanager -list

To Delete ssl cert alias:
keytool -delete -alias 'gldmnkey1' -keystore /home/njdev/webserv/njdev/piaconfig/keystore/pskey

For Help:
pskeymanager -help
keytool -help

4 comments:

  1. Hi, I'm Sanjay, a PeopleSoft consultant. I was just browsing blogs and found your blog interesting. Thanks for posting… keep on posting. peoplesoft-technical

  2. Hi Niraj, nice post...

  3. Found it very useful...

    I did this activity in PT 8.53 and only change to the instruction is,

    Step 10 & 11 should use path
    \webserv\\piabin\
