Introduction #
In this chapter we set up SSL certificates so that the Agent can communicate securely over SSL in both directions. We cover the procedure for setting up the Agent's own SSL certificate and for trusting the certificates of the peripheral systems.
The first step is to buy an SSL server certificate from a vendor such as DigiCert. The certificate is needed for the communication from Salesforce to the Agent: Salesforce (the client) makes the callout to the Agent (the server), and the Agent must present a certificate whose issuing CA Salesforce already trusts.
Setup Agent SSL Certificate #
Prerequisites
1. The Agent deployable package is available and its contents have been extracted to a directory.
2. A valid SSL certificate and its private key are available.
Procedure
1. Go to the extracted directory, i.e. Skyvva-Agent-Deployment-Pack.
2. Use the existing SSL certificate and private key to generate a PKCS12 keystore by executing the following command. It prompts for an export password.
./openssl/openssl pkcs12 -export -in <agent-ssl-cert>.pem -inkey <agent-sslkey>.pem -name <agent-domain-name> -out agent-ssl.p12
If the CA delivered intermediate certificates as well, add them with -certfile <chain>.pem so that clients receive the complete chain.
3. Once agent-ssl.p12 exists, start the Agent; it uses this newly created SSL keystore. The file contains the private key, so restrict its file permissions to the account that runs the Agent.
Import Peripheral System Certificates #
- The following procedure describes how to trust the certificates used by the peripheral systems that we want to integrate with the Agent.
- Normally all the standard CA certificates are already present in the trust store used by the JDK (which is embedded inside the Agent deployable package), but in the rare case where a CA is not present, we can import its certificate as a trusted certificate.
Procedure
1. Go to the Agent deployment directory, created by extracting the deployable package file.
2. Use the command below to import the certificate file as a trusted certificate. The trust store password changeit is the JDK default. The import modifies the cacerts file of the embedded JDK, so it has to be repeated whenever the Agent package (and with it the JDK) is replaced.
./zulu14/bin/keytool -importcert -alias <certificate-alias-name> -file path_to_certificate_file -keystore ./zulu14/lib/security/cacerts -storepass changeit -trustcacerts
Approach #
- The user/admin has bought a valid SSL certificate from a CA that Salesforce trusts (Salesforce publishes this list as "Outbound Messaging SSL CA Certificates").
- The user/admin has received the deployment package and transferred it to the deployment server.
Salesforce to Agent #
In this scenario Salesforce (the client) calls the Agent (the server). The Agent presents its SSL server certificate and Salesforce verifies it against the root certificates it already trusts, so no root certificate of the issuing CA has to be imported anywhere, provided the certificate was bought from one of the CAs Salesforce trusts.
Procedure to create the CSR using OpenSSL #
- To request an SSL certificate we need a CSR and a private key file. Both can be created in a single step with the OpenSSL utility:
winpty openssl req -newkey rsa:2048 -keyout agent.skyvva.com.key -out agent.skyvva.com.csr
(winpty is only needed when OpenSSL is run from Git Bash on Windows; on Linux or macOS omit it.)
- The command prompts for a PEM pass phrase that protects the private key. Type "changeit" and hit Enter, then confirm the same passphrase. changeit is only the example value used throughout this chapter; use a strong passphrase for a production key.
- It then asks for the details that go into the CSR. Provide the following details (example values shown):
- Country: XYZ
- State: 123
- Locality: Sample
- Organization Name: ABC
- OU: example Agent
- Common Name: example.sample.com
- Email Address: exampleEmail.com
- Then provide the challenge phrase as "changeit" (an optional CSR attribute that most CAs ignore; it may also be left empty). Two files are generated: the private key file and the CSR file. The CSR is submitted to the CA to get the certificate issued; the private key stays on the Agent server and is never sent to the CA.
Creation of PFX/P12 Certificate Keystore for Agent #
Once we have submitted the CSR to the CA, it signs it and generally delivers two files back: the certificate itself (with an extension such as .crt or .cer) and the certificate chain (the intermediate CA certificates, often delivered as a .ca-bundle file).
We use these two files together with the key file generated in the previous step to create the PFX/P12 keystore file, which is then used to configure the Agent with the certificate.
Once you have transferred and extracted the ZIP file delivered by the CA, its contents should look as shown in the screenshot below.
winpty openssl rsa -in agent.skyvva.com.key -out agent-decrypted.skyvva.com.key
After the command succeeds you will see a new file named "agent-decrypted.skyvva.com.key" next to the original key. The command removes the passphrase, so the new file holds the private key unencrypted: keep it out of shared folders and delete it once the keystore has been created. (Alternatively, openssl pkcs12 -export accepts the encrypted key directly when the passphrase is supplied with -passin.)
Now we use another command to generate the SSL certificate keystore file:
winpty openssl pkcs12 -export -out agent.skyvva.com.p12 -inkey agent-decrypted.skyvva.com.key -in agent_skyvva_com.crt -certfile agent_skyvva_com.ca-bundle
DO NOT PROVIDE ANY EXPORT PASSWORD: hit Enter twice. The resulting file therefore holds the private key without a password, so protect it with file permissions (readable only by the account that runs the Agent) and do not distribute it.
The above command generates the keystore file, which is then used to set up the SSL configuration in the Agent.
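The whole sequence from the CSR to the PKCS#12 keystore, as an added example that is not part of the SKYVVA documentation (it also covers the shorter procedure under "Setup Agent SSL Certificate"). It creates the key and CSR without interactive prompts, lets a throwaway local CA created inline stand in for the public CA that would normally sign the CSR, builds the keystore directly from the passphrase-protected key, and then runs the checks worth doing before the file is handed to the Agent. The host name agent.example.com, the file names, the passphrases and the scratch directory are assumptions.

```shell
#!/bin/sh
# Added example, not SKYVVA's own tooling. A constructed local CA stands in for
# the public CA (e.g. DigiCert); with a real CA, skip sign_csr_with_stub_ca and
# use the .crt and ca-bundle files it returns in place of agent.crt and ca.crt.
set -eu

WORK="${WORK:-$(mktemp -d)}"                   # scratch directory (assumed)
AGENT_FQDN="${AGENT_FQDN:-agent.example.com}"  # assumed Agent host name
KEY_PASS="${KEY_PASS:-changeit}"               # example passphrase only
P12_PASS="${P12_PASS-changeit}"                # export P12_PASS= for the page's empty export password

# Step 1: passphrase-protected private key plus CSR, with no interactive prompts.
# Subject and SAN come from a small config file instead of the question dialogue.
make_csr() {
  cat > "$WORK/agent.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = agent_ext
[dn]
C = XX
O = Example Org
OU = Agent
CN = $AGENT_FQDN
[agent_ext]
subjectAltName = DNS:$AGENT_FQDN
extendedKeyUsage = serverAuth
EOF
  openssl req -new -newkey rsa:2048 -sha256 -config "$WORK/agent.cnf" \
    -keyout "$WORK/agent.key" -passout "pass:$KEY_PASS" -out "$WORK/agent.csr" 2>/dev/null
  chmod 600 "$WORK/agent.key"
}

# Step 2 (stand-in for the public CA): a constructed root CA signs the CSR.
# A real CA returns agent.crt plus a chain bundle; here ca.crt is that bundle.
sign_csr_with_stub_ca() {
  cat > "$WORK/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Constructed Test CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl x509 -req -in "$WORK/agent.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/agent.cnf" -extensions agent_ext \
    -out "$WORK/agent.crt" 2>/dev/null
}

# Step 3: PKCS#12 keystore straight from the encrypted key (-passin), so no
# decrypted copy of the key ever lands on disk.
make_p12() {
  openssl pkcs12 -export -name "$AGENT_FQDN" -inkey "$WORK/agent.key" -passin "pass:$KEY_PASS" \
    -in "$WORK/agent.crt" -certfile "$WORK/ca.crt" -passout "pass:$P12_PASS" -out "$WORK/agent.p12"
  chmod 600 "$WORK/agent.p12"
}

# Step 4: checks worth running before the file is handed to the Agent.
key_matches_cert() {   # public key in the certificate == public key of the private key
  [ "$(openssl x509 -in "$WORK/agent.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/agent.key" -passin "pass:$KEY_PASS" -pubout)" ]
}
chain_is_valid() {     # the certificate really chains to the bundled CA
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/agent.crt" >/dev/null 2>&1
}
san_present() {        # clients match the host name against the SAN, not the CN
  openssl x509 -in "$WORK/agent.crt" -noout -text | grep -q "DNS:$AGENT_FQDN"
}
p12_cert_count() {     # leaf and chain must both be inside the keystore: expect 2
  openssl pkcs12 -in "$WORK/agent.p12" -passin "pass:$P12_PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

build_agent_keystore() {
  make_csr && sign_csr_with_stub_ca && make_p12 && key_matches_cert && chain_is_valid && san_present
}

if command -v openssl >/dev/null 2>&1; then
  build_agent_keystore && echo "keystore ready: $WORK/agent.p12 ($(p12_cert_count) certificates)"
else
  echo "openssl not found; nothing built" >&2
fi
```

With a certificate from a real CA, only make_p12 and the checks are needed: point -in at the delivered .crt file, -certfile at the delivered ca-bundle, and -CAfile in chain_is_valid at the same bundle. The checks catch the three mistakes that otherwise surface only as a failed handshake: a certificate that does not belong to the key, a keystore missing the intermediate chain, and a certificate issued without a SAN for the Agent's host name.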
Approach #
Agent to Salesforce #
In this section we see how to trust a root CA certificate so that the SKYVVA Agent middleware can connect over SSL to any system such as Salesforce, Kafka, SAP, etc.
In this case the Agent is the client and Salesforce is the server. The server has to prove its identity and therefore sends its SSL server certificate to the Agent during the SSL handshake.
The Agent verifies the server's identity using the root CA certificate of the CA that issued Salesforce's SSL certificate. This CA is DigiCert, and it can easily be seen in the browser: open https://salesforce.com and click the padlock icon in the address bar. Import the root (or intermediate) CA certificate rather than the server's own certificate: server certificates are renewed regularly, and a trust store entry for the leaf certificate would break at every renewal.
Setup SSL for Outbound Flow #
Normally all the standard CA certificates are already present in the trust store used by the JDK (which is embedded inside the Agent deployable package), but in the rare case where a CA is not present, we can import its certificate as a trusted certificate.
1. Open the command prompt.
2. Go to the bin directory of the JDK embedded in the Agent deployment, for example:
cd C:\skyvva-agent\zulu14\bin\
3. Use the command below to import the certificate file as a trusted certificate.
keytool.exe -importcert -alias certificate-alias-name -file path_to_certificate_file -keystore C:\skyvva-agent\zulu14\lib\security\cacerts -storepass changeit -trustcacerts
Replace certificate-alias-name, path_to_certificate_file and the installation path with the actual values before executing the command. keytool asks for confirmation before trusting a new CA certificate; compare the fingerprint it shows with the one published by the CA before answering yes. Once done, restart the Agent instance so that it reloads the trust store.
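An idempotent version of the import described in this section and under "Import Peripheral System Certificates", as an added example that is not SKYVVA's own tooling: it imports a CA certificate only when no certificate with the same SHA-256 fingerprint is already in the trust store, then verifies the result. The trust store path defaults to a scratch file so the script runs offline; the sample CA certificate is constructed inline, and the deployment layout (zulu14/lib/security/cacerts) is taken from the page.

```shell
#!/bin/sh
# Added example, not SKYVVA's own tooling: import a CA certificate into a JDK
# truststore only when its fingerprint is not already there, then verify it.
# TRUSTSTORE defaults to a scratch file so this runs offline; for the Agent set
# TRUSTSTORE=<deployment dir>/zulu14/lib/security/cacerts and put that JDK's bin
# directory first in PATH so its own keytool is used (layout assumed from the page).
set -eu

WORK="${WORK:-$(mktemp -d)}"               # scratch directory (assumed)
TRUSTSTORE="${TRUSTSTORE:-$WORK/cacerts}"  # assumed; see note above
STOREPASS="${STOREPASS:-changeit}"         # JDK default, as on the page

# SHA-256 fingerprint of a PEM certificate in keytool's AA:BB:... notation.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# True when a certificate with the same fingerprint is already in the store.
# Aliases are no substitute for this check: the same CA may sit under another
# alias, and keytool -noprompt imports duplicates without complaint.
already_trusted() {
  [ -f "$TRUSTSTORE" ] || return 1
  keytool -list -v -keystore "$TRUSTSTORE" -storepass "$STOREPASS" 2>/dev/null \
    | grep -qi "$(cert_fingerprint "$1")"
}

# Import certificate file $1 under alias $2 unless it is already trusted.
import_if_missing() {
  if already_trusted "$1"; then
    echo "already trusted: $2"
    return 0
  fi
  keytool -importcert -noprompt -trustcacerts -alias "$2" -file "$1" \
    -keystore "$TRUSTSTORE" -storepass "$STOREPASS" >/dev/null 2>&1
  echo "imported: $2"
}

# Number of trusted CA entries in the store (what the Agent's JDK will trust).
trusted_count() {
  keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" 2>/dev/null \
    | grep -c trustedCertEntry
}

# Constructed sample input: a self-signed root standing in for the peripheral
# system's CA certificate (for DigiCert, SAP, Kafka, ... use the real file).
make_sample_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Constructed Test CA" -keyout "$WORK/test-ca.key" -out "$WORK/test-ca.crt" 2>/dev/null
}

if command -v openssl >/dev/null 2>&1 && command -v keytool >/dev/null 2>&1; then
  make_sample_ca
  import_if_missing "$WORK/test-ca.crt" constructed-test-ca   # first run: imported
  import_if_missing "$WORK/test-ca.crt" constructed-test-ca   # second run: no-op
  echo "trusted entries in $TRUSTSTORE: $(trusted_count)"
else
  echo "openssl and keytool are required; nothing imported" >&2
fi
```

To obtain the certificate file without a browser, openssl s_client -connect login.salesforce.com:443 -showcerts </dev/null prints the chain the server sends; servers usually send only the leaf and the intermediates, so take the root from the CA's own site and check its fingerprint there before importing it. Because the fingerprint check is what makes the import safe to re-run, the script can be used unchanged in an automated Agent deployment.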
Procedure to Download an SSL certificate #
Google Chrome #
Export the SSL certificate of a website using Google Chrome:
1. Click the Secure button (a padlock) in the address bar.
2. Click Certificate (Valid).
3. Go to the Certification Path tab