Monday, November 5, 2012

How to invoke secured backend service using WSO2 ESB

Please visit my new blog for this blog post from here





WSO2 ESB can be used for implementing various security patterns in your SOA. It supports message-level security based on the WS-Security specification. In this blog post, we are going to use WSO2 ESB to invoke a secured backend (BE) service.

Client ------------------->  WSO2 ESB -------------------> BE service. 

Let's assume the BE service is secured with a WS-Security policy.

The policy requires both signature and encryption, and the client needs to present an X.509 certificate for authentication. That means the WSO2 ESB proxy service itself must authenticate to the BE service: the ESB signs the request with its own private key (authentication and integrity) and encrypts it with the BE service's public certificate (confidentiality). The security policy therefore provides authentication, integrity and confidentiality.

Here is the WSDL of the BE service. It is just a simple echo service.

Let's go through it step by step.

Step 1: We need to create a matching policy on the WSO2 ESB side to invoke the BE service. We can simply copy the policy from the WSDL for this. It would be something like this:

Step 2: To do the encryption and signing, we need to define the keystores that contain the private key and the public certificates. This is done through configuration.

WSO2 ESB uses Apache Rampart as its WS-Security implementation. Rampart has its own way of defining the keystore and key data, using a configuration called the "Rampart configuration". We can add this Rampart configuration to the security policy as an assertion. Please find more details about Rampart configurations here.

Let's add the Rampart configuration.

To sign and encrypt, we need to specify the following:

1. The signature crypto and the encryption crypto. As we are using keystores, these are the keystore details: keystore file, password, type and so on.

We can define them as follows (the same client.jks is used for both):

Signature crypto (keystore used for signing):
    keystore type: JKS
    keystore file: /home/asela/Security/resources/keys/client.jks
    keystore password: apache

Encryption crypto (keystore used for encryption):
    keystore type: JKS
    keystore file: /home/asela/Security/resources/keys/client.jks
    keystore password: apache

2. The private key (certificate) that is going to sign the message.

This is the alias of the client's private key entry in client.jks: client

3. The public key (certificate) that is going to encrypt the message.

This is the alias of the BE service's public certificate, which is also stored in client.jks: service

4. The private key password.

We cannot define the private key password in the Rampart configuration; we need to provide it through a password callback implementation. Therefore here I am defining the class name of the password callback implementation: org.wso2.samples.pwcb.PWCBHandler

Note that the keystore password (apache) does sit in this configuration in plaintext, and the configuration goes into the policy file that we upload to the registry in Step 4. Anyone who can read that registry resource can read the keystore password, so restrict access to it accordingly.

Now we are done with the policy; it would look like this:


Step 3: Let's create a password callback class to inject the private key password. You can get help from this blog post. The class implements javax.security.auth.callback.CallbackHandler; Rampart passes it a WSPasswordCallback whose identifier is the key alias (client in our case), and the handler sets the private key password on that callback. Keep the password out of source control if you can (read it from a protected file or environment rather than hard-coding it), since this class is the only place the private key password lives.

Step 4: Upload our policy to the WSO2 ESB. Here we upload the created policy file as a resource in the WSO2 ESB's registry.

1. Log in to the WSO2 ESB management console and go to "Registry Browser".



2. Add a new registry collection (folder) in your preferred location. I have selected the governance collection for this.



3. Upload the policy from the file system as a resource.



Step 5: Create an ESB endpoint for the BE service with security.

1. Go to the Endpoint configuration UI in the management console.



2. Create a new address endpoint with your BE service's configuration and then select the advanced options.



3. Select the WS-Security option under QoS in the advanced options.



4. Select the governance registry collection to locate the uploaded policy.



5. Finish the endpoint creation.


Step 6: Create a sample proxy service with our secured endpoint.

There are different ways to create a proxy service according to your preferences. Here I am creating a simple pass-through proxy.

1. Create the proxy service by defining the endpoint created above.



2. You can see the Synapse configuration as follows in the proxy and endpoint configurations:
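As an added example, not the configuration from the original post, this is what the Synapse configuration generated by Steps 5 and 6 looks like. The endpoint and proxy names, the BE service URI (http://localhost:9000/services/echo) and the registry path of the policy (gov:/policies/sig-encr-policy.xml) are assumptions; substitute your own.

```xml
<!-- Endpoint for the BE service (Step 5). enableSec attaches the WS-Security policy
     uploaded to the governance registry (gov: prefix) to every message sent out here,
     so the ESB signs and encrypts on the way to the BE service. -->
<endpoint name="SecuredEchoEndpoint" xmlns="http://ws.apache.org/ns/synapse">
    <address uri="http://localhost:9000/services/echo">
        <enableSec policy="gov:/policies/sig-encr-policy.xml"/>
    </address>
</endpoint>

<!-- Pass-through proxy (Step 6). The client talks to this proxy with plain SOAP;
     the proxy forwards to the secured endpoint and returns the response as-is.
     transports lists https first: prefer exposing the proxy only over HTTPS. -->
<proxy name="SecuredEchoProxy" transports="https http" startOnLoad="true"
       xmlns="http://ws.apache.org/ns/synapse">
    <target endpoint="SecuredEchoEndpoint">
        <outSequence>
            <send/>
        </outSequence>
    </target>
</proxy>
```

With this in place a client posts an unsecured SOAP request to http(s)://<esb-host>:<port>/services/SecuredEchoProxy; the ESB loads the policy from the registry, applies the Rampart configuration inside it, and emits the signed and encrypted request to the BE service.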



Now we are done! You can invoke the proxy service with a non-secured client. Keep in mind that the WS-Security protection now covers only the hop between the ESB and the BE service; the hop between the client and the proxy carries plain SOAP, so expose the proxy over HTTPS (or secure the proxy service itself) if that leg crosses an untrusted network.

Previously:

Secured Client ------------------------------------------------>  Secured BE service

Now, with WSO2 ESB:

Non-secured Client
(endpoint is changed to the proxy endpoint) ---------> WSO2 ESB  -------------> Secured BE service





1 comment:

  1. Hi, my back end service is running on HTTPS protocol. When I add this service as an endpoint it gives me

    ERROR - ProxyServiceAdminClient Couldn't create endpoint from the given WSDL URI : java.security.cert.CertificateException: No name matching localhost found
    org.wso2.carbon.proxyadmin.stub.ProxyServiceAdminProxyAdminException: Couldn't create endpoint from the given WSDL URI : java.security.cert.CertificateException: No name matching localhost found
