This is my second blog post about enabling mutual SSL for ESB proxy services. In my previous post, we enabled mutual SSL for all deployed proxy services. In this post, we are going to enable it for selected proxy services only. Let's assume we have a proxy service called "TestProxy", alongside many other proxy services deployed in WSO2 ESB, and we want to enable mutual SSL for "TestProxy" only. Let's see how we can do that. Here we are using the transport binding in WS-Security: the HTTPS transport accepts a client certificate optionally, and the security policy applied to "TestProxy" is what makes the certificate mandatory for that one service.
I assume that you have gone through my previous blog post, so I am not going into much detail on some of the configurations.
Step 1. Set the "SSLVerifyClient" parameter of the NIO transport receiver to "optional" and restart the server. With "optional", the HTTPS handshake succeeds whether or not the client presents a certificate, so the other proxy services remain reachable without one.
Step 2. Secure TestProxy using security scenario 1 (Username Token authentication).
Step 3. Using the policy editor, modify the applied policy into this policy. Here we have removed the UsernameToken validation and required the client certificate instead.
Step 4. Apply these patched jars to the WSO2 ESB 4.0.3 distribution: copy them into <ESB_HOME>/repository/components/plugins, replacing the existing ones. We made a small modification to bring the client certificate up to the Rampart level and validate it there.
Step 5. Set up your key stores and trust stores as described in my previous post.
Step 6. Invoke "TestProxy" using the sample client, which can be found here.
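To tie the steps together, here is an added example of an Axis2/Rampart client that invokes TestProxy over HTTPS with a client certificate. It is not the post's own sample client (linked above) and not WSO2 code. The endpoint and port, the client repository layout, the key store and trust store paths and passwords, the SOAP action and payload, and the policy text are all assumptions; the policy follows the shape Step 3 describes (transport binding, an HttpsToken that requires a client certificate, no UsernameToken). It assumes the client repository contains the rampart module.

```java
// Added example (not the post's sample client, not WSO2 code): invoke TestProxy
// over mutual SSL with the transport-binding policy from Step 3.
// Endpoint, paths, passwords, action, payload and policy text are assumptions.
import org.apache.axiom.om.OMAbstractFactory;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMFactory;
import org.apache.axiom.om.OMNamespace;
import org.apache.axiom.om.util.AXIOMUtil;
import org.apache.axis2.AxisFault;
import org.apache.axis2.addressing.EndpointReference;
import org.apache.axis2.client.Options;
import org.apache.axis2.client.ServiceClient;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;
import org.apache.neethi.Policy;
import org.apache.neethi.PolicyEngine;
import org.apache.rampart.RampartMessageData;

public class MutualSSLClient {

    // Assumed layout: an Axis2 client repository holding the rampart module,
    // the client's own key store, and a trust store with the ESB certificate.
    private static final String CLIENT_REPO = "client_repo";
    private static final String CLIENT_KEYSTORE = CLIENT_REPO + "/keystores/client.jks";
    private static final String CLIENT_TRUSTSTORE = CLIENT_REPO + "/keystores/client-truststore.jks";
    private static final String ENDPOINT = "https://localhost:8243/services/TestProxy";

    // Assumed policy of the shape Step 3 describes: transport binding whose
    // HttpsToken requires a client certificate, with no UsernameToken.
    private static final String POLICY =
          "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\""
        + " xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">"
        + "<wsp:ExactlyOne><wsp:All>"
        + "<sp:TransportBinding><wsp:Policy>"
        + "<sp:TransportToken><wsp:Policy>"
        + "<sp:HttpsToken><wsp:Policy><sp:RequireClientCertificate/></wsp:Policy></sp:HttpsToken>"
        + "</wsp:Policy></sp:TransportToken>"
        + "<sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>"
        + "<sp:Layout><wsp:Policy><sp:Lax/></wsp:Policy></sp:Layout>"
        + "<sp:IncludeTimestamp/>"
        + "</wsp:Policy></sp:TransportBinding>"
        + "</wsp:All></wsp:ExactlyOne></wsp:Policy>";

    public static void main(String[] args) throws Exception {
        // Axis2's HTTPS transport picks up the JSSE defaults. Leave the key
        // store out and the handshake still completes (SSLVerifyClient is
        // "optional"), but Rampart rejects the call on TestProxy with
        // "Service requires SSL mutual authentication".
        System.setProperty("javax.net.ssl.keyStore", CLIENT_KEYSTORE);
        System.setProperty("javax.net.ssl.keyStorePassword", "client-password");
        System.setProperty("javax.net.ssl.trustStore", CLIENT_TRUSTSTORE);
        System.setProperty("javax.net.ssl.trustStorePassword", "trust-password");

        ConfigurationContext ctx = ConfigurationContextFactory
                .createConfigurationContextFromFileSystem(CLIENT_REPO, CLIENT_REPO + "/conf/axis2.xml");
        ServiceClient client = new ServiceClient(ctx, null);
        client.engageModule("rampart");

        Options options = new Options();
        options.setTo(new EndpointReference(ENDPOINT));
        options.setAction("urn:mediate");
        options.setProperty(RampartMessageData.KEY_RAMPART_POLICY, loadPolicy());
        client.setOptions(options);

        try {
            OMElement response = client.sendReceive(buildPayload());
            System.out.println("Response: " + response);
        } catch (AxisFault fault) {
            // A missing or untrusted client certificate surfaces here as the
            // fault RampartReceiver logs on the ESB side.
            System.err.println("Invocation failed: " + fault.getMessage());
        }
    }

    static Policy loadPolicy() throws Exception {
        return PolicyEngine.getPolicy(AXIOMUtil.stringToOM(POLICY));
    }

    // Constructed sample payload; replace with what TestProxy's backend expects.
    static OMElement buildPayload() {
        OMFactory factory = OMAbstractFactory.getOMFactory();
        OMNamespace ns = factory.createOMNamespace("http://example.org/test", "t");
        OMElement request = factory.createOMElement("echo", ns);
        OMElement value = factory.createOMElement("value", ns);
        value.setText("hello");
        request.addChild(value);
        return request;
    }
}
```

The point of the split is visible in the client: the transport decides only whether a certificate is accepted, while the policy engaged through Rampart decides whether one is required. Run the client once with the key store properties commented out to see the transport accept the connection and TestProxy reject the message.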
If you have not used a key store, or your certificate is not in the NIO transport receiver's trust store file, you will probably see the following error.
[2012-08-08 18:02:47,879] ERROR - AxisEngine Service requires SSL mutual authentication
org.apache.axis2.AxisFault: Service requires SSL mutual authentication
    at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:180)
    at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:99)
    at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
Step 4, where can I get the patched jars? https://svn.wso2.org/repos/wso2/people/asela/xacml-samples/clients/mutual_auth/AdvanceMutualAuthenticationClient/resource/lib/ seems to be empty.