How to authenticate with web service using JWT - Genesys CTI User Forum

Author Topic: How to authenticate with web service using JWT  (Read 2848 times)

Offline PFCCWA

How to authenticate with web service using JWT
« on: October 09, 2020, 11:20:43 AM »
Hello,
We have been working on setting up a web service object in IRD to use SOAP parameters over an HTTPS connection.
In addition we want to use TLS.
I have defined what we need to complete and expect from the web service such as these options below.
What the web service administrators are asking is that we authenticate using JSON Web Token (JWT). It works something like this: the web service API would provide a token that Genesys URS would use as a bearer token to access the resource APIs.

Does anyone know if this is possible using the IRD web service object - and if so how?

I thought we can use 2 way or mutual authentication using security certificates and client username/password credentials but it may be dictated by the web service and we have to use it.

General Section:
-Web Service URL (location)
-Method Name
-Method Namespace
-SOAPaction
-Request Parameters

Security Section - Authentication
Authentication method
-Username
-password

Security Section - TLS
-Certificate
-Certificate key
-Trusted CA

Result Section
-Response from output

URS 8.1.3
IRD 8.1.4

thanks

Offline cavagnaro

Re: How to authenticate with web service using JWT
« Reply #1 on: October 09, 2020, 06:51:46 PM »
IRD is actually quite behind in these matters.
You better go with Composer and ORS so you can modify and use it as desired.
IRD won't support those methods.
Composer probably won't natively but you can develop a Net or JSP application to do it.


Sent from my SM-N9600 using Tapatalk


Offline jamesmurphyau

Re: How to authenticate with web service using JWT
« Reply #2 on: October 10, 2020, 06:25:23 AM »
100% agree.. URS can't even do SNI which is extremely disappointing

You can use JavaScript in IRD and URS though - but you basically have to write all the code yourself.. from looking up how JWT works, it looks like it would mean you would have to code a whole heap of decryption and signing type logic (this is the site I used to work out basics of JWT: https://developer.box.com/guides/authentication/jwt/without-sdk/ .. never used it myself)

Offline PFCCWA

Re: How to authenticate with web service using JWT
« Reply #3 on: October 27, 2020, 08:55:53 AM »
We have found a way to possibly use the HTTP request function of the existing IRD web service object (and use the message text box to supply SOAP-related parameters, as well as the HTTP headers in the relevant section).

What I wanted to check is whether there was a way to proceed with the web service request without a certificate of authority? We have been supplied with a self-signed certificate and certificate key (Unix); however, when I test the request it fails with this HTTP log message:
Secure connection error, SC(9): CA certificate is not specified

I have tried to use a default value of 'certificate authority' but this doesn't work either, so wondered if it was mandatory and requires a valid path to a CA certificate. The customer-provided certificate generation tool only produced a certificate and certificate key and advised this is enough and other solutions were able to work without the CA.

thanks.

Offline terry

Re: How to authenticate with web service using JWT
« Reply #4 on: October 28, 2020, 02:09:29 AM »
Maybe just check with Genesys whether self-signed certificates are supported by the Genesys security layer, and how.

Offline cavagnaro

Re: How to authenticate with web service using JWT
« Reply #5 on: October 28, 2020, 03:15:31 PM »
Guess you need to register that custom CA as trusted root at your OS. If Windows, import on Windows trusted certs CA authorities.
If Linux (Java), import via cert tool.

Offline PFCCWA

Re: How to authenticate with web service using JWT
« Reply #6 on: October 28, 2020, 03:40:36 PM »
Quote from: cavagnaro
> Guess you need to register that custom CA as trusted root at your OS. If Windows, import on Windows trusted certs CA authorities.
> If Linux (Java), import via cert tool.

Hi Cav,

thanks for this.
The web service provider has sent us a CA but I still see this error (looks to be related to it being self-signed, which was mentioned in an earlier response).
Secure connection error, Error certificate chain verification
@10:50:06.1493 SC(9): OpenSSL reported errors:
@10:50:06.1494 error:1414C086:SSL routines:ssl_build_cert_chain:certificate verify failed
@10:50:06.1494 Additional data: Verify error:self signed certificate

Is there a further process that needs to be completed on the Genesys/OS side (Unix) for it to be valid or work?

Offline cavagnaro

Re: How to authenticate with web service using JWT
« Reply #7 on: October 31, 2020, 03:27:30 AM »
This is an OS issue, not Genesys. I have no clue what you have done with that CA root certificate. Can you elaborate?

Sent from my SM-N9600 using Tapatalk


Offline hsujdik

Re: How to authenticate with web service using JWT
« Reply #8 on: October 31, 2020, 02:08:31 PM »
Check if this helps - From the URS Deployment Guide, page 59:

To support HTTPS Web Service connections using HTTP Bridge, the following information needs to be specified: Certificate, Certificate Key and Trusted CA.

If the URL that is passed from URS to HTTP Bridge starts with https://, HTTP Bridge will try to extract these attributes from the parameters of the specific Web Service Object, or if not found, then from the corresponding HTTP Bridge options: def_certificate, def_certificate_key, def_trusted_ca. These options are specified in URS's web folder (which is where all other HTTP Bridge options are specified).

HTTP Bridge reads the attributes and passes them to the connection library. The connection library is responsible for providing secure communications.

On Windows, only the Certificate attribute needs to be specified; on UNIX, all three are required for proper operation.

Below are some examples of values for these attributes.

- Windows:
  - Certificate: 21 32 33 63 74 95 ... 01
- UNIX:
  - Certificate: /home/gcti/.security/certificate.pem
  - CertificateKey: /home/gcti/.security/certificate-key.pem
  - TrustedCA: /home/gcti/.security/ca.pem

For more information about how to use certificates (such as how to create and deploy them), refer to the Genesys 8.1 Security Deployment Guide.
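
Added example (not part of any post in this thread, and not Genesys code): a way to check the three UNIX files named above (Certificate, CertificateKey, TrustedCA) with the openssl command line, outside URS, and to reproduce the "self signed certificate" verify failure from Reply #6. It assumes the connection library validates the way `openssl verify` does; the function names are hypothetical and all files and CN values are throwaway samples constructed in a temp directory.

```shell
#!/bin/sh
# Added example. All files are throwaway samples constructed in a temp dir;
# the CN values are placeholders, not values from the thread.

# new_selfsigned NAME DIR: self-signed certificate + key, like the pair a
# certificate generation tool would hand over.
new_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2/$1-key.pem" -out "$2/$1.pem" 2>/dev/null
}

# is_selfsigned CERT: subject and issuer name hashes are identical.
is_selfsigned() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# key_matches CERT KEY: the private key belongs to the certificate.
key_matches() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# chains_to CERT CAFILE: CERT verifies against the CAs in CAFILE.
chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    new_selfsigned client "$d"       # stands in for certificate.pem
    new_selfsigned provider-ca "$d"  # stands in for an unrelated ca.pem
    is_selfsigned "$d/client.pem" && echo "client cert is self-signed"
    key_matches "$d/client.pem" "$d/client-key.pem" && echo "key matches cert"
    chains_to "$d/client.pem" "$d/provider-ca.pem" ||
        echo "does not verify against a CA file that lacks its issuer"
    # A self-signed certificate is its own issuer, so the CA file must
    # contain that certificate itself for verification to succeed.
    cat "$d/provider-ca.pem" "$d/client.pem" > "$d/trusted.pem"
    chains_to "$d/client.pem" "$d/trusted.pem" && echo "verifies once included"
    rm -rf "$d"
}
demo
```

Against real files, call `is_selfsigned`, `key_matches` and `chains_to` with the paths configured for Certificate, CertificateKey and TrustedCA; a certificate that fails `chains_to` here will not validate against that CA file in any OpenSSL-based client either.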