Wednesday, August 8, 2012

Enable Mutual SSL for Proxy services in WSO2ESB - II

This is my second blog post about enabling mutual SSL for ESB proxy services. In my previous blog post, we enabled mutual SSL for all deployed proxy services. In this post, we are going to enable it for selected proxy services only. Let's assume we have a proxy service called "TestProxy", alongside many other proxy services deployed in WSO2 ESB, and we want to enable mutual SSL for "TestProxy" only. Let's see how we can do it. Here we are using the transport binding in the WS-Security policy.

I assume that you have gone through my previous blog post, so I am not going into much detail on some of the configurations.

Step 1. Set the "SSLVerifyClient" property to optional in the NIO transport receiver and restart the server. With optional (rather than require), the transport still accepts clients that present no certificate, and the policy applied to "TestProxy" in the next steps is what enforces it for that service.

Step 2. Secure TestProxy using security scenario 1 (UsernameToken authentication).

Step 3. Modify the applied policy into this policy using the policy editor. Here we have removed the UsernameToken validation and forced the client certificate.

Step 4. Apply these patched jars to the WSO2 ESB 4.0.3 distribution: copy them into <ESB_HOME>/repository/components/plugins, replacing the existing ones. We have made a small modification to bring the client certificate into the Rampart level and validate it there.
 
Step 5. Set up your key stores and trust stores as described in my previous post.

Step 6. Invoke "TestProxy" using the sample client, which can be found here.

If you have not used a key store, or your certificate is not in the NIO transport receiver's trust store file, you will probably see the following error.
 
[2012-08-08 18:02:47,879] ERROR - AxisEngine Service requires SSL mutual authentication
org.apache.axis2.AxisFault: Service requires SSL mutual authentication
at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:180)
at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:99)
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)

 

2 comments:

  1. Step 4, where can I get the patched jars? https://svn.wso2.org/repos/wso2/people/asela/xacml-samples/clients/mutual_auth/AdvanceMutualAuthenticationClient/resource/lib/ seems to be empty.
  2. Excellent blog you've got here. It's difficult to find high-quality writing like yours nowadays. I really appreciate individuals like you! Take care!! Please check out my site.
    unblock web proxy