Tuesday, May 5, 2020

Pega connecting to HTTPS endpoint: One Way SSL Concept

Consider a scenario where you have a "Client" Pega instance on your local system (http://localhost:9090/prweb) and you are connecting to an "external Server" SOAP service hosted on an HTTPS endpoint. As we already know, we have to run the "Create SOAP Integration" wizard and provide the HTTPS URL of the WSDL. For the Pega instance to create all the connector rules through the wizard, it must be able to read the WSDL over that HTTPS endpoint URL, and that is possible only when the server's certificate (which carries its public key) has been added to the client's trust-store.

This post covers only the basics needed to get into SSL concepts. In upcoming posts we will move on to the advanced concepts of keystores, truststores and two-way SSL.

Client URL (Pega application): http://localhost:9090/prweb
Server URL: https://www.dataaccess.com/webservicesserver/NumberConversion.wso?wsdl
That means in this example, Client = localhost and Server = www.dataaccess.com.

Take a closer look at the two URLs above and make the following observations:
- Client: the Pega application URL uses HTTP.
- Server: the external SOAP service WSDL URL uses HTTPS.
That means security is enabled on one side only (the server presents a certificate and the client verifies it), and on the other side there is no security enabled. So the communication between this client and server is one-way SSL.

Question: What is HTTPS?
Answer: HTTPS = HTTP + "S", where "S" stands for SSL.
One more question: What is SSL?
Answer: Secure Sockets Layer (today its successor, TLS, is what is actually negotiated).
  • HTTPS secures the channel over which the client and server communicate, to prevent man-in-the-middle attacks.
  • Here the external server (where the SOAP service is hosted) has an HTTPS URL, which means it has registered with a certificate authority (CA) and holds a CA-issued certificate (containing its public key) together with the matching private key. The private key is never shared by the server with anybody; the public key, inside the certificate, is shared with every client that needs to connect to it.
Step by Step Illustration:
  1. In this example, the client (Pega) must obtain the certificate (public key) of the external server where the SOAP service is hosted.
  2. The client then imports that server certificate into its trust-store, after which "the client is able to complete successful SSL handshakes with the server".
If Step #1 and Step #2 are not done, then while importing the HTTPS WSDL in Pega from "Create SOAP Integration" you will receive an SSLHandshakeException.

Step #1: Downloading certificate(Public Key) of external server 

- The simplest way is to ask the service team, who can provide you the certificate.
- The other way is to follow the steps below. This is sufficient in most cases (90%) for our development work.
#1.1 Download the certificate from the browser by following the steps below:
#1.2 Open any browser and hit the HTTPS endpoint of the server's SOAP service WSDL. Click on the security lock icon, then click on "Certificate (Valid)".

#1.3 Navigate to the "Details" tab and click on the "Copy to File" button.

#1.4 You will then see the "Certificate Export Wizard". Click "Next" to proceed.

#1.5 Select the format you want to use. In this example, leave the defaults selected and click "Next" to proceed.

#1.6 Browse to a location on your local machine to save the certificate file.
#1.7 The wizard then lists a summary of the selections made. Review it and click "Finish". You will receive a confirmation; click "OK" and proceed.

#1.8 With the above steps we have downloaded the certificate successfully.

Step #2: Import that server certificate into its trust-store
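Step #2 has no commands on this page, so here is an added example (not from the post) that performs Step #1 from the command line with openssl instead of the browser export, and Step #2 with Java's keytool, the tool that writes the JKS trust-store the Pega JVM consults during the SSL handshake. It assumes openssl and keytool are on the PATH; the host, port, file names and the "changeit" default password are only example values.

```shell
#!/bin/sh
# Added example: fetch the HTTPS server's certificate with openssl (instead of
# the browser export) and import it into a Java truststore with keytool.
# Assumes openssl and keytool are on the PATH; host/port/file names are examples.
set -eu

# Keep only the first (server/leaf) certificate block from `openssl s_client
# -showcerts`, whose output also contains intermediates and session chatter.
pem_leaf_cert() {
    awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{if(p) exit}'
}

# Step #1 alternative: download the server certificate (public key) over TLS.
fetch_server_cert() {   # host port outfile
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | pem_leaf_cert >"$3"
    grep -q 'BEGIN CERTIFICATE' "$3"   # fail loudly if nothing came back
}

# Step #2: import it into the truststore (created if it does not exist).
# -noprompt trusts whatever is in the file, so check the fingerprint first.
import_to_truststore() {   # truststore storepass alias certfile
    keytool -importcert -noprompt -trustcacerts -keystore "$1" -storepass "$2" \
        -alias "$3" -file "$4"
}

# Confirm the alias is now present in the truststore.
truststore_has_alias() {   # truststore storepass alias
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

main() {   # host port truststore
    host=$1; port=$2; store=$3; pass=${STOREPASS:-changeit}
    fetch_server_cert "$host" "$port" "$host.pem"
    # Show subject, issuer and SHA-256 fingerprint so they can be compared with
    # what the service team published before the certificate is trusted.
    openssl x509 -in "$host.pem" -noout -subject -issuer -fingerprint -sha256
    import_to_truststore "$store" "$pass" "$host" "$host.pem"
    truststore_has_alias "$store" "$pass" "$host"
    echo "imported $host into $store"
}

# Only run when invoked with arguments, e.g.:
#   sh one_way_ssl.sh www.dataaccess.com 443 pega-truststore.jks
if [ "$#" -ge 3 ]; then
    main "$@"
fi
```

Point the JVM at the resulting file with -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword (or import into the JVM's default cacerts instead), restart Pega, and re-run the wizard.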

Once Step #1 and Step #2 are done, you can proceed with the "Create SOAP Integration" wizard to generate the connector rules.
Note: For public APIs, our localhost systems usually work by default because the issuing CA already has an entry in the trust-store. In real projects, when the service team gives you an HTTPS WSDL, you will need to go through the above steps to generate the connector rules and connect to the external SOAP service over HTTPS.

Happy learning.


HowToPega : All rights reserved and the contents are copyrighted to Pavan Kumar Naidu