Thursday, July 24, 2014

webMethods: Creating a business process with a task for approval, Part 1: expose a web service for a Purchase Order

This is a tutorial on how to create a simple process in the webMethods BPM editor. The process will be triggered from the Integration Server (IS) acting as the backend, which will publish a document carrying the new purchase order information.

1. Create a new package: Demo_POApprovalProcess

2. Add the following folder structure, including a root folder with the name of the package, to avoid namespace conflicts.


3. Create a PurchaseOrder document under the folder docs. This is done using the Microsoft sample available at http://msdn.microsoft.com/en-us/library/bb387012.aspx

4. Set the document as publishable and push it to the Broker to sync.


5. Create a service definition (under services) to publish the document to the Broker. This service has just the PurchaseOrder document as input and a result string for success/error feedback. The document is the input of the built-in wM publish service.

6. Now that the service is created, the only thing missing is generating the WSDL. We will need to create an alias, but first let's generate a keystore and a key for enhanced security (I really don't like it when security is set aside, even for tutorial purposes).

  • To generate a keystore, Java provides keytool, available in any JDK, including the one wM uses. Just run the following command and it will generate a keystore with one key included.

C:\SoftwareAG\jvm\jvm170_64\bin>keytool -keystore demokeystore -genkey -alias demoks

You will be prompted for organizational details; these would matter when generating a real CA, but for tutorial purposes the values can be entered arbitrarily. This generates a keystore named demokeystore in the bin folder.

7. Now that the keystore has been generated we can add it to the Integration Server. Navigate to Security > Keystore > Create Keystore Alias. Enter the password that was used to generate the keystore.

8. Generate a Web Service Provider Endpoint. Navigate to Settings > Web Services and create a new server alias for HTTP. In this case it was named wMlocalhost. Use the IP of the machine where the IS is running and a valid port. Include the previously created keystore and key in the WS definitions. The other fields can be left with their default values.

9. The WSDL can now be generated in the Designer. Just choose the previously created endpoint alias; the other settings can be left with default values.

10. We will test the call of the web service using SoapUI. Create a new project and add the WSDL address as the initial WSDL.

11. Test the WS call using the following SOAP message. Use an account with sufficient privileges for the HTTP authentication. The expected result is displayed below.

Wednesday, July 23, 2014

SFG PGP/GPG File Security Step-By-Step (includes layer creation for SFG)

PGP is a security technology that encrypts files before they are transferred over the web. This provides an extra layer of safety: even if a file is captured it will still be unreadable without decryption. The producer partner has a private and a public key; the public key is provided to the consumer partner, which uses it to decipher the files.

1. Using PGP with SFG requires deploying a local PGP solution. The open source solution being used is GPG4Win, available at http://gpg4win.org/download.html

2. Install it using the executable downloaded previously; make sure that Kleopatra and GpgEX are installed.

3. Using GPG requires creating an extra layer, as it is not supported natively by SFG (the natively supported solutions are displayed in yellow). Before deploying the new layer to Sterling, let's make sure everything is working on the GPG side; once that is complete we can build a BP to test the GPG functionality within SFG, and finally deploy the layer and create a Routing Channel to test it. We will only explore the common GPG signing capabilities (which attest which user produced the file) and encryption (which actually obscures the file content). More can be achieved, such as compression or more advanced encryption options.

4. To get started with GPG we first need a certificate deployed in Kleopatra; for this purpose we will generate a self-signed OpenPGP certificate. You can leave the Advanced settings at their default values (they already include the encryption and signing options). On the last step, when prompted for a passphrase, we will be using passphrase; it is required for each encryption/decryption and other operations.

5. To test the encryption of a file (which will be associated with a consumer at SFG deploy time) we created a test folder on the C drive and a simple .txt test file. The first objective is to encrypt and sign the document and store the result in the same folder. We ran the following command:

  • echo passphrase|gpg --armor --recipient TestCertificate --batch --yes --passphrase-fd 0 --encrypt --sign test.txt
  • We check that GPG4Win is correctly installed by just running gpg on the cmd
  • After running the command, a dir over the directory shows a test.txt.asc file

Test.txt.asc file content:
-----BEGIN PGP MESSAGE-----
Version: GnuPG v2.0.22 (MingW32)

hQEMAwPWle2/P5FNAQgAlSc4OoGNVm0nf7kjgNIxd4ElDzopIvLxrPuh8jXcJYrM
UpaCa119QA0mWpWZ66qv/NXLdvpzsCSktQCBAOWpD/LyAPQ6Cr9ae+EsxGYETJfQ
vNUoV7vOo591qxbHgQ9wpEnSQx8oeTuEXNBxGeyt4QZcGde+VOwQ/T09ou9TGH6d
Op4fCme1VIN6FuIAaKGd/jNbuT0banxFE0iWau6hoBy5urEQWRVexgcTOVcBl5fq
CWY4y6rTFA10YXQRFWXVXZvYgzGiNZpjkMk0qWUgx9QAzkhbrv9dKtXg3+FEeqac
ytbQaiedc9XPaPC7vMh3mw9OK9YdoEa7MRwndON/qdLAzAERNquESfx55E/sDh4Z
RACB7Wwf5wnmKaDwnehdhBeWJVgixpUsDxL5L29P3vUGA/YR4FmgXhRBnqp5oGuw
mSH2r3rjgzCcSiWifZafV2PjnWHmEOAO0y+CrmwYE7DyMPbefF9QsjZ1DRa+r3zr
azEviGMm9MDumpV0bf9l0k7s8lFfGw6n2sqrQAFetX9reUkE21omM75nfUQchqC4
vllYXjOCE2qEjRC7NTgTty1kpITwqg/h5z9ZKIZL37+hD85FmpGD0lyHCfOV94NF
li7bsWt9myBEyQWlJPzJ1bsARX7t13coLtoTy7Oj8fSvHD35NGqLiFZLnOExByxy
Le5M0Fs/IfvlHLUdjEacoS4ZjEDgUSsisoGqkREqU+wkEEkpHWSJjTrS2zK9R1s5
XjQG8tApEDhPS0hacf2PxVBLgpQKVhgBTbDLgBaa74weZyUaDuDvjmA7Pl7T5kUH
k5TTxHSuTZEGstlPElVzSYHTVXXF801F2KSnU0X/sWVMfimQvHuNmHAPKHrzsA==
=2K2+
-----END PGP MESSAGE-----
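Before a routing channel hands an encrypted file to the consumer, it is worth confirming, without the private key, that the file really is an OpenPGP message encrypted to the expected recipient. The following added example (not from the post) does that for the test.txt.asc shown above: it strips the ASCII armor, checks the CRC-24 trailer, walks the packet sequence from RFC 4880 and reads the Public-Key Encrypted Session Key packet to recover the recipient key ID and algorithm. Everything below is derived from the message text itself; the sample input is the post's own armored output embedded as a string.

```python
import base64

# test.txt.asc exactly as shown in the post, embedded as the sample input.
SAMPLE_ASC = """-----BEGIN PGP MESSAGE-----
Version: GnuPG v2.0.22 (MingW32)

hQEMAwPWle2/P5FNAQgAlSc4OoGNVm0nf7kjgNIxd4ElDzopIvLxrPuh8jXcJYrM
UpaCa119QA0mWpWZ66qv/NXLdvpzsCSktQCBAOWpD/LyAPQ6Cr9ae+EsxGYETJfQ
vNUoV7vOo591qxbHgQ9wpEnSQx8oeTuEXNBxGeyt4QZcGde+VOwQ/T09ou9TGH6d
Op4fCme1VIN6FuIAaKGd/jNbuT0banxFE0iWau6hoBy5urEQWRVexgcTOVcBl5fq
CWY4y6rTFA10YXQRFWXVXZvYgzGiNZpjkMk0qWUgx9QAzkhbrv9dKtXg3+FEeqac
ytbQaiedc9XPaPC7vMh3mw9OK9YdoEa7MRwndON/qdLAzAERNquESfx55E/sDh4Z
RACB7Wwf5wnmKaDwnehdhBeWJVgixpUsDxL5L29P3vUGA/YR4FmgXhRBnqp5oGuw
mSH2r3rjgzCcSiWifZafV2PjnWHmEOAO0y+CrmwYE7DyMPbefF9QsjZ1DRa+r3zr
azEviGMm9MDumpV0bf9l0k7s8lFfGw6n2sqrQAFetX9reUkE21omM75nfUQchqC4
vllYXjOCE2qEjRC7NTgTty1kpITwqg/h5z9ZKIZL37+hD85FmpGD0lyHCfOV94NF
li7bsWt9myBEyQWlJPzJ1bsARX7t13coLtoTy7Oj8fSvHD35NGqLiFZLnOExByxy
Le5M0Fs/IfvlHLUdjEacoS4ZjEDgUSsisoGqkREqU+wkEEkpHWSJjTrS2zK9R1s5
XjQG8tApEDhPS0hacf2PxVBLgpQKVhgBTbDLgBaa74weZyUaDuDvjmA7Pl7T5kUH
k5TTxHSuTZEGstlPElVzSYHTVXXF801F2KSnU0X/sWVMfimQvHuNmHAPKHrzsA==
=2K2+
-----END PGP MESSAGE-----
"""

PACKET_NAMES = {1: "Public-Key Encrypted Session Key", 2: "Signature", 8: "Compressed Data",
                11: "Literal Data", 18: "Sym. Encrypted Integrity Protected Data"}
PUBKEY_ALGOS = {1: "RSA", 2: "RSA (encrypt-only)", 16: "Elgamal", 18: "ECDH"}


def crc24(data):
    """OpenPGP CRC-24 (RFC 4880 section 6.1) over the decoded armor body."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text):
    """Split an armored message into (armor headers, raw packet bytes, crc_ok)."""
    lines = [l.rstrip("\r") for l in text.strip().splitlines()]
    if lines[0] != "-----BEGIN PGP MESSAGE-----" or lines[-1] != "-----END PGP MESSAGE-----":
        raise ValueError("not an armored PGP message")
    headers, i = {}, 1
    while lines[i].strip():                       # armor headers run until the blank line
        key, _, value = lines[i].partition(":")
        headers[key.strip()] = value.strip()
        i += 1
    data = [l.strip() for l in lines[i + 1:-1] if l.strip()]
    crc_line = data.pop() if data and data[-1].startswith("=") else None   # "=XXXX" trailer
    raw = base64.b64decode("".join(data), validate=True)
    crc_ok = None
    if crc_line:
        crc_ok = crc24(raw) == int.from_bytes(base64.b64decode(crc_line[1:]), "big")
    return headers, raw, crc_ok


def parse_packets(raw):
    """Walk the packet sequence (RFC 4880 section 4.2) and return [(tag, body), ...]."""
    packets, pos = [], 0
    while pos < len(raw):
        ctb = raw[pos]
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % pos)
        if ctb & 0x40:                            # new-format header
            tag, first = ctb & 0x3F, raw[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + raw[pos + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(raw[pos + 2:pos + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                     # old-format header: 2-bit length type
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            nbytes = 1 << ltype
            length, hdr = int.from_bytes(raw[pos + 1:pos + 1 + nbytes], "big"), 1 + nbytes
        body = raw[pos + hdr:pos + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % pos)
        packets.append((tag, body))
        pos += hdr + length
    return packets


def parse_pkesk(body):
    """Fields of a Public-Key Encrypted Session Key packet (RFC 4880 section 5.1)."""
    return {"version": body[0], "key_id": body[1:9].hex().upper(),
            "algorithm": PUBKEY_ALGOS.get(body[9], "algo %d" % body[9]),
            "mpi_bits": int.from_bytes(body[10:12], "big")}


def inspect_message(text):
    headers, raw, crc_ok = dearmor(text)
    packets = parse_packets(raw)
    return {"headers": headers, "size": len(raw), "crc_ok": crc_ok,
            "packets": [(tag, PACKET_NAMES.get(tag, "tag %d" % tag), len(body)) for tag, body in packets],
            "recipients": [parse_pkesk(body) for tag, body in packets if tag == 1]}


def is_encrypted_for(text, key_id):
    """True when some PKESK packet names key_id (the 64-bit ID gpg --list-packets prints)."""
    return any(r["key_id"] == key_id.upper() for r in inspect_message(text)["recipients"])
```

Running `inspect_message(SAMPLE_ASC)` shows two packets, a 268-byte PKESK followed by a 396-byte integrity-protected data packet, and a single RSA-2048 recipient with key ID 03D695EDBF3F914D. The signature that `--sign` added lives inside the encrypted packet, so this check confirms who can read the file but cannot verify the signature; that still needs the consumer's private key.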

6. Having concluded the encryption phase we can now advance to the actual deployment on the integrator. As a first step let's create a Business Process that achieves the same result, but replaces the primary document, which arrives as a non-encrypted file, with its encrypted version.

  • In order to run the command line as Administrator we need to change the service to run as Administrator instead of SYSTEM. To do so, open the IBM Sterling B2B Integrator CmdLine2Adapter service at port xxxxx

  • Change the Log On to Administrator; note that this account must be the same one that created the GPG keys, and at the same time it should have admin permissions.

  • Create a folder on the C drive, c:\gpg -> this will be the working directory for the gpg scripting
  • Create a GPGEncryptSign.bat (under the folder c:\gpg) with the following content (passphrase is the value of your key passphrase; it should be replaced, along with the certificate name):

echo passphrase|gpg --armor --output %2 --recipient TestCertificate --batch --yes --passphrase-fd 0 --encrypt --sign %1
  • Finally, under Sterling, create a BP with any name (e.g. GPG_Test) and with the following definition

  • Note: in cmdLine we pass the Input, which is the name of the PrimaryDocument that the CL adapter temporarily stores on the file system; Output will bring the CL stdout into ProcessData; outputName will be the name of the document in ProcessData, the same as the input but with a .gpg extension; finally we replace the PrimaryDocument with the newly generated document.

  • With this we have a BP to add as a layer on SFG: we receive a non-encrypted file from the producer and encrypt it before we continue the routing

  • The next step is to make this BP generic so we can set the .bat file and working directory dynamically at RCT creation time.

7. Before extending the BP we should first create a service that will hold the obscured passwords of the PGP keys.
8. Use the updated BP, which contemplates the newly created obscure service.

  • Also update the .bat file to receive the password dynamically:
echo %3|gpg --armor --output %2 --recipient TestCertificate --batch --yes --passphrase-fd 0 --encrypt --sign %1
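The `echo %3|gpg ...` form works, but the passphrase then travels as a command-line argument of the .bat, where it is visible in the process list, in the adapter's command logging and in any ProcessData dump. As an added example (not the post's script), the wrapper below is a drop-in for GPGEncryptSign.bat: it runs gpg with the same options, but delivers the passphrase on stdin (`--passphrase-fd 0`) directly from the Python process, refuses to launch if the secret somehow ended up in the argument list, and checks that the output really is an armored message before returning. The `GPG_PASSPHRASE` environment variable and the assumption that `gpg` is on the adapter account's PATH are mine, not the post's.

```python
import os
import subprocess
import sys
from pathlib import Path

GPG = "gpg"   # assumed to be on the PATH of the account the CmdLine2 adapter runs as


def build_gpg_args(input_path, output_path, recipient):
    """Same options as the post's .bat, minus the echo pipe: the passphrase is not an argument."""
    return [GPG, "--armor", "--output", str(output_path), "--recipient", recipient,
            "--batch", "--yes", "--passphrase-fd", "0", "--encrypt", "--sign", str(input_path)]


def secret_absent_from_args(args, secret):
    """Guard run before launching: the secret must not be one of the command-line arguments."""
    return secret not in args


def encrypt_and_sign(input_path, output_path, recipient, passphrase, timeout=120):
    """Run gpg, feed the passphrase through stdin, and verify the output is an armored message."""
    args = build_gpg_args(input_path, output_path, recipient)
    if not secret_absent_from_args(args, passphrase):
        raise ValueError("passphrase must not appear on the command line")
    proc = subprocess.run(args, input=passphrase.encode() + b"\n",
                          capture_output=True, timeout=timeout)
    if proc.returncode != 0:
        raise RuntimeError("gpg failed: " + proc.stderr.decode(errors="replace").strip())
    with open(output_path, "rb") as fh:
        first_line = fh.readline().rstrip(b"\r\n")
    if first_line != b"-----BEGIN PGP MESSAGE-----":
        raise RuntimeError("gpg exited 0 but the output is not an armored PGP message")
    return Path(output_path)


if __name__ == "__main__":
    # Invoked from the BP as: python gpg_encrypt_sign.py <input> <output>
    # The passphrase comes from the environment (variable name is an assumption),
    # so it never shows up in the cmdLine that the BP records.
    src, dst = sys.argv[1], sys.argv[2]
    secret = os.environ.get("GPG_PASSPHRASE")
    if not secret:
        sys.exit("GPG_PASSPHRASE is not set")
    print(encrypt_and_sign(src, dst, "TestCertificate", secret))
```

The obscured-password service from step 7 still holds the secret at rest; the difference is only where it is exposed at run time. Checking the first line of the output file matters because a misconfigured recipient or an expired key can leave gpg with a zero exit but an empty or unencrypted file, and the BP would otherwise route that onward as if it were protected.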

9. Finally we can start working on the layer API definition. There are 2 fields to be defined:

a. GPG Batch Full Path: the path to the GPG .bat file; you should be able to use a different one for each GPG routing channel template

b. GPG Working Directory: the working directory; not really that relevant unless the script contains code that uses the directory it is located in. Sterling can use any working directory and reuse it for many scripts.

  • You can set the value to be displayed in the drop-down menu by specifying the DisplayLabel value in the FgProducerFileLayerType tag.
  • The layer deployment must be performed with extreme caution: any error in the configuration, e.g. a repeated ProducerFileLayerParameterTypeKey, will generate an error in the database and the deletion of the residue must be performed manually.
  • You can delete a layer, if deployed successfully, by using a command like this (applies to the layers below):