Wednesday, August 8, 2012

Enable Mutual SSL for Proxy services in WSO2ESB - I

Please visit my new blog for this blog post here




Let's see how we can enable mutual SSL (two-way SSL) for all the proxy services deployed in WSO2 ESB.

Step 1: Enable mutual SSL for the NIO transport receiver


WSO2 ESB uses the NIO transport for sending and receiving messages. You can find the NIO transport receiver and sender configuration in the axis2.xml file, which is located in the <ESB_HOME>/repository/conf directory. Under the transport receiver there are key store and trust store configurations, as shown below.

By default:
1. mutual authentication is not enabled
2. for the key store and trust store, WSO2 ESB uses the default wso2carbon.jks and client-truststore.jks files

Therefore you need to change those default parameters. Here I have changed only the "SSLVerifyClient" parameter to "require", which enables mutual authentication for all services exposed via the NIO transport.

    <transportReceiver name="https" class="org.apache.synapse.transport.nhttp.HttpCoreNIOSSLListener">
        <parameter name="port" locked="false">8243</parameter>
        <parameter name="non-blocking" locked="false">true</parameter>
        <parameter name="keystore" locked="false">
            <KeyStore>
                <Location>repository/resources/security/wso2carbon.jks</Location>
                <Type>JKS</Type>
                <Password>wso2carbon</Password>
                <KeyPassword>wso2carbon</KeyPassword>
            </KeyStore>
        </parameter>
        <parameter name="truststore" locked="false">
            <TrustStore>
                <Location>repository/resources/security/client-truststore.jks</Location>
                <Type>JKS</Type>
                <Password>wso2carbon</Password>
            </TrustStore>
        </parameter>
        <parameter name="SSLVerifyClient">require</parameter>
    </transportReceiver>


After the configuration is finished, restart the WSO2 ESB server if it is already running. Then create a simple pass-through proxy service called "TestProxy".



Step 2: Writing an Axis2 client to invoke the proxy service

You can find the client program here. To run the client program you need to set up your key store and trust store properly. You can actually use the same key store file as both the key store (which contains the private key) and the trust store (which contains the trusted certificates).

First we need to import the NIO transport receiver's certificate into the client's trust store file.

Export the NIO transport receiver's certificate from the key store. As a sample, you can use the keytool command as follows.

> keytool -export -keystore wso2carbon.jks -alias localhost -file wso2.crt

Then import the NIO certificate into the client trust store.

> keytool -import -keystore client.jks -alias wso2carbon -file wso2.crt

Now you have set up the SSL properly. If this is not done properly, when you try the sample client you will receive the following error on the client side.
org.apache.axis2.AxisFault: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)

Then we need to import the client's certificate into the NIO transport receiver's trust store file (client-truststore.jks by default). Go through the keytool commands above for this step as well.
Now you have set up the SSL properly. If not, when you try the sample client you will receive the following error on the client side.

Exception in thread "main" org.apache.axis2.AxisFault: Connection has been shutdown: javax.net.ssl.SSLException: java.net.SocketException: Connection reset
    at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
    at org.apache.axis2.transport.http.SOAPMessageFormatter.writeTo(SOAPMessageFormatter.java:78)

And on the server side.

[2012-08-08 17:29:56,390] ERROR - ServerHandler I/O error: null cert chain
javax.net.ssl.SSLHandshakeException: null cert chain
    at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:1015)
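The following Axis2 client is an added example, not the client program the post links to, showing how to invoke "TestProxy" over mutual SSL once the key store and trust store have been prepared as above. It relies on the fact that the default Axis2 HTTP transport takes its key store and trust store from the standard JSSE system properties. The file name client.jks (used as both key store and trust store), the password "changeit", the echoString payload and its namespace, and the diagnose() helper are all assumptions made for this example; replace them with whatever your client and back-end service actually use.

```java
import org.apache.axiom.om.OMAbstractFactory;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMFactory;
import org.apache.axiom.om.OMNamespace;
import org.apache.axis2.AxisFault;
import org.apache.axis2.addressing.EndpointReference;
import org.apache.axis2.client.Options;
import org.apache.axis2.client.ServiceClient;

/**
 * Invokes the TestProxy pass-through proxy over mutual SSL.
 *
 * Assumptions (not from the original post): client.jks holds the client's
 * private key plus the imported ESB certificate (alias wso2carbon), the
 * store password is "changeit", and the back end behind TestProxy accepts
 * the echoString payload built in buildPayload().
 */
public class MutualSSLClient {

    private static final String PROXY_URL = "https://localhost:8243/services/TestProxy";

    public static void main(String[] args) {
        // One file serves as both key store (private key presented to the ESB)
        // and trust store (ESB certificate we are willing to accept).
        System.setProperty("javax.net.ssl.keyStore", "client.jks");
        System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
        System.setProperty("javax.net.ssl.trustStore", "client.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

        try {
            ServiceClient client = new ServiceClient();
            Options options = new Options();
            options.setTo(new EndpointReference(PROXY_URL));
            options.setAction("urn:echoString"); // assumed SOAP action of the back end
            client.setOptions(options);

            OMElement response = client.sendReceive(buildPayload("Hello ESB"));
            System.out.println("Response: " + response);
            client.cleanupTransport();
        } catch (AxisFault fault) {
            System.err.println("Invocation failed: " + fault.getMessage());
            System.err.println(diagnose(fault));
        }
    }

    /**
     * Maps the two handshake failures shown in the post to the trust store
     * that is most likely missing an entry.
     */
    static String diagnose(AxisFault fault) {
        String msg = String.valueOf(fault.getMessage());
        if (msg.contains("unable to find valid certification path")) {
            return "Client does not trust the ESB: import the NIO receiver's certificate into the client trust store.";
        }
        if (msg.contains("Connection reset")) {
            return "ESB rejected the client: import the client's certificate into client-truststore.jks and restart the ESB.";
        }
        return "Unrecognised failure; check the ESB log for the handshake error.";
    }

    /** Builds an echoString request; namespace and element names are assumed. */
    static OMElement buildPayload(String text) {
        OMFactory fac = OMAbstractFactory.getOMFactory();
        OMNamespace ns = fac.createOMNamespace("http://echo.services.core.carbon.wso2.org", "ns");
        OMElement method = fac.createOMElement("echoString", ns);
        OMElement value = fac.createOMElement("in", ns);
        value.setText(text);
        method.addChild(value);
        return method;
    }
}
```

Run it with the Axis2 client libraries on the class path and client.jks in the working directory. If the client's certificate has not yet been imported into the ESB's trust store, the ESB logs the "null cert chain" error shown above while the client sees the "Connection reset" fault; diagnose() points at the trust store to fix in each case.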

Now you know how to secure WSO2 ESB proxy services using mutual SSL and invoke them. In my next blog post let's see how we can secure only one or two WSO2 ESB proxy services using mutual SSL (not all of them).

5 comments:

  1. my webservice is getting this error while I am invoking from the android app side


    [2012-08-08 17:29:56,390] ERROR - ServerHandler I/O error: null cert chain
    javax.net.ssl.SSLHandshakeException: null cert chain
        at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(
  2. Have you posted any rule mediator blogs? Please send me the URLs if you have; otherwise suggest me any website.
    Thanks in advance
    saisal shaik
    youtility mumbai

  3. Nice blog, and I got an awesome link which is special for accessing any blocked site; you can use this link without any long way, just one click, and must see
    Instagram uk proxy

  4. Hey Dear, do you want to find a free web proxy, free proxy web, unblock web proxy, secure proxy, unblock website proxy? I suggest you visit this site. There are a lot of web proxies. For details: unblock web proxy

  5. Thanks for the post!
