Monday, July 1, 2013

Invoking Secured ESB Proxy Service Using SOAP UI

In this post, I am showing how you can invoke a secured proxy service using the SOAP UI tool.

Here I am using WSO2 ESB 4.6 and SOAP UI 4.5.1 for this example.


Step 1: Create a proxy service 


Let's create an ESB proxy service first. Here I have created a proxy service that invokes the echo service that comes with WSO2 ESB.


First let's try to invoke our proxy service without security. Here I am using the Try It tool. Click the "Try this service" link in the EchoProxy row of the Deployed Services list. Use the following sample request to invoke the service.



Request and Response of the EchoProxy


Step 2: Creating a SOAP UI project and testing the service.


  • Open the SOAP UI tool and create a new soapUI project ( File -> New soapUI project ).
  • In the new soapUI project wizard, give our EchoProxy service's WSDL URL. (ex: http://localhost:8280/services/EchoProxy?wsdl )
  • Give the project name as "EchoProxy". Fill in the other fields as necessary.
  • Then click OK.
  • Then try to invoke our proxy service using soapUI as well.

 

Step 3: Securing the proxy service


Let's secure our proxy service now.

  • Go to the service list (see 1 in Figure 1).
  • In the Service list view, click the "unsecured" link (see 2 in Figure 1) in the EchoProxy row to secure the proxy.

Figure 1






  • In the next window, select "yes" to enable security for EchoProxy ( Figure 2 ).

Figure 2


In this example, I am going to secure the proxy service using security scenario 5 - "Sign and Encrypt - X509 Authentication".

  • So select security scenario 5 under Advanced Scenarios ( Figure 3 ) and click Next.


Figure 3


  • For the simplicity of this post, I am going to use wso2carbon.jks as the Trusted Key Store. So in the next window ( Figure 4 ) select wso2carbon.jks as the Trusted Key Store and click Finish.

Figure 4

  • Now we have secured our proxy service.
Figure 5

Note: If you try to invoke our proxy service now using the Try It or soapUI tool, it will fail. In the next step let's try to invoke it by adding Sign and Encrypt - X509 Authentication to the soapUI request.


Step 4: Adding Sign and Encrypt - X509 Authentication to the soapUI request.


Step 4.1 - Setting up the ws-security configuration of the soapUI project.

  • Right click on your soapUI project (EchoProxy) and select "Show Project View".
  • In the opened sub window, click the "ws-security configuration" tab.
  • Now let's add a KeyStore first. For simplicity I am adding wso2carbon.jks here again. You can find it in $ESB_HOME/repository/resources/security/ . But you can use your own valid keystore here.

Step 4.2 - Adding KeyStore



  • Go to the Keystores tab ( see Figure 6 ).
  • Add a keystore by clicking the button shown by arrow 1 in Figure 6.
  • Select the keystore file. (ex: $ESB_HOME/repository/resources/security/wso2carbon.jks)
  • It asks for the password of the keystore. Give it. ( for wso2carbon.jks the password is wso2carbon )
  • Then fill in the Default Alias and Alias password fields. I am using wso2carbon for both fields.

Figure 6


Step 4.3 - Setting up the Outgoing Security Configuration.


  • Go to the outgoing ws-security configuration tab.
  • Click button 1 ( Figure 7 ) to add an outgoing security configuration.
  • Give a unique name for the configuration, let's say EchoProxy-soap11SecuredRequest.
  • Then fill in the Default Alias/Default Password fields. Use wso2carbon for both fields.
  • Then tick the "must understand" check box.
Figure 7


  • Now let's add the wss entries. Click button 1 ( Figure 8 ) to add a new wss entry.
  • First add a Timestamp entry.
  • In the option window, fill in the "time to live" field (ex: 300000).


Figure 8

  • Then let's add a Signature entry, similar to the Timestamp entry.
  • Fill in the option fields as given in Figure 9:
    • Keystore is wso2carbon.jks;
    • both alias and password are wso2carbon;
    • Key Identifier Type is X509;
    • tick the "use single certificate" check box;
    • leave the other fields at their defaults;
    • then add a new part, which describes what we are going to sign. Since we are signing the body of the soap11 request, add the new part like this:
      • ID=Body
      • Name=Body
      • Namespace=http://schemas.xmlsoap.org/soap/envelope/
      • Encode=content
Figure 9

  • Since our proxy service is secured using sign and encrypt, we need to add encryption as well. So add an Encryption entry in the same way as the Timestamp and Signature entries.
  • Fill in the option fields as given in Figure 10:
    • Keystore is wso2carbon.jks;
    • both alias and password are wso2carbon;
    • Key Identifier Type is X509;
    • tick the "create encryption key" check box;
    • leave the other fields at their defaults;
    • then add a new part, which describes what we are going to encrypt. Since we are encrypting the body of the soap11 request, add the new part like this:
      • ID=Body
      • Name=Body
      • Namespace=http://schemas.xmlsoap.org/soap/envelope/
      • Encode=content

Figure 10


Now we are done with configuring the outgoing message.

[Important] Please note that the order of the wss entries matters when we are invoking the secured service. So always add the three entries one after the other in the order shown above: Timestamp, Signature, Encryption. As an exercise, try changing the order of timestamp, signature and encryption and invoking the service again.
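The same outgoing configuration expressed in code, as an added example that is not part of the original post: it builds the three entries with WSS4J 1.6, the library behind soapUI's wss entries (the org.apache.ws.security frames in stack trace [1] come from it). The echo operation element and its urn:example-echo namespace, the WSS4J 1.6 API calls and the keystore path (which assumes $ESB_HOME is set) are assumptions.

```java
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSEncryptionPart;
import org.apache.ws.security.components.crypto.*;
import org.apache.ws.security.message.*;
import org.apache.ws.security.util.XMLUtils;
import org.w3c.dom.Document;

public class SecureEchoRequest {
    static final String SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/";
    // Constructed sample request; the echo operation element and its namespace are assumptions
    static final String REQUEST = "<soapenv:Envelope xmlns:soapenv=\"" + SOAP11 + "\"><soapenv:Header/><soapenv:Body>"
        + "<echo:echoString xmlns:echo=\"urn:example-echo\"><in>hello</in></echo:echoString></soapenv:Body></soapenv:Envelope>";

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new org.xml.sax.InputSource(new java.io.StringReader(REQUEST)));
        // Keystore: the same wso2carbon.jks (password wso2carbon) the post uses; the path assumes $ESB_HOME is set
        Properties p = new Properties();
        p.put("org.apache.ws.security.crypto.provider", "org.apache.ws.security.components.crypto.Merlin");
        p.put("org.apache.ws.security.crypto.merlin.keystore.type", "JKS");
        p.put("org.apache.ws.security.crypto.merlin.keystore.password", "wso2carbon");
        p.put("org.apache.ws.security.crypto.merlin.keystore.file", System.getenv("ESB_HOME") + "/repository/resources/security/wso2carbon.jks");
        Crypto crypto = CryptoFactory.getInstance(p);
        WSSecHeader secHeader = new WSSecHeader();
        secHeader.setMustUnderstand(true);            // the "must understand" tick box
        secHeader.insertSecurityHeader(doc);
        // Entry 1: Timestamp (WSS4J takes the time to live in seconds)
        WSSecTimestamp ts = new WSSecTimestamp();
        ts.setTimeToLive(300);
        ts.build(doc, secHeader);
        // Entry 2: sign the Body content with the wso2carbon private key, X509 key identifier, single certificate
        WSSecSignature sig = new WSSecSignature();
        sig.setUserInfo("wso2carbon", "wso2carbon");
        sig.setKeyIdentifierType(WSConstants.X509_KEY_IDENTIFIER);
        sig.setUseSingleCertificate(true);
        sig.setParts(Collections.singletonList(new WSEncryptionPart("Body", SOAP11, "Content")));
        sig.build(doc, crypto, secHeader);
        // Entry 3: encrypt the Body content for the wso2carbon certificate; same order as in the post (Timestamp, Signature, Encryption)
        WSSecEncrypt enc = new WSSecEncrypt();
        enc.setUserInfo("wso2carbon");
        enc.setKeyIdentifierType(WSConstants.X509_KEY_IDENTIFIER);
        enc.setSymmetricEncAlgorithm(WSConstants.AES_128);   // a 128-bit key does not require the unlimited strength JCE policy
        enc.setParts(Collections.singletonList(new WSEncryptionPart("Body", SOAP11, "Content")));
        enc.build(doc, crypto, secHeader);
        System.out.println(XMLUtils.PrettyDocumentToString(doc));   // the secured envelope, ready to POST to the proxy
    }
}
```

Run it with the wss4j 1.6 jar and its xmlsec dependency on the classpath; the printed envelope is what soapUI sends when the outgoing wss is selected.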



Step 4.4 - Setting up the Incoming Security Configuration.


  • Go to the incoming ws-security configuration tab.
  • Similar to the outgoing ws-security configuration, first add an incoming security configuration profile. Name it EchoProxy-securedResponse.
  • Fill in the other fields as shown in Figure 11:
    • Decrypt Keystore=wso2carbon.jks
    • Signature Keystore=wso2carbon.jks
    • password=wso2carbon

Figure 11


Step 5 - Invoking the secured proxy service.

 

  • Open the soap11 request. ( If you have already opened it, you may have to close and re-open it to apply the project changes you made in step 4. )
  • Click on the "Aut" button ( arrow 2 in Figure 12 ). It contains the authentication related details.
  • Select the outgoing wss that we created in step 4 from arrow 3.
  • Select the incoming wss that we created in step 4.4 from arrow 4.
  • Then invoke request 1 by clicking the green play arrow.
Figure 12
  • You can view the decrypted response in the response window. It is done :)


[Important] Troubleshooting.

  • If you are running your system on a fresh JVM, you may face an "Illegal key size or default parameters" error [1] or similar problems, since we are using encryption algorithms in this sample. To fix this you have to patch the JVM by applying the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy" files.
  • You can download them from http://www.oracle.com/technetwork/java/javase/downloads/
 
[1]
.....
Caused by: org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size or default parameters
Original Exception was java.security.InvalidKeyException: Illegal key size or default parameters
    at org.apache.xml.security.encryption.XMLCipher.encryptData(XMLCipher.java:1140)
    at org.apache.xml.security.encryption.XMLCipher.encryptData(XMLCipher.java:1081)
    at org.apache.xml.security.encryption.XMLCipher.encryptElementContent(XMLCipher.java:855)
    at org.apache.xml.security.encryption.XMLCipher.doFinal(XMLCipher.java:985)
    at org.apache.ws.security.message.WSSecEncrypt.doEncryption(WSSecEncrypt.java:602)
    ... 24 more
Caused by: java.security.InvalidKeyException: Illegal key size or default parameters
    at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1011)
    at javax.crypto.Cipher.implInit(Cipher.java:786)
    at javax.crypto.Cipher.chooseProvider(Cipher.java:849)
    at javax.crypto.Cipher.init(Cipher.java:1213)
    at javax.crypto.Cipher.init(Cipher.java:1153)
    at org.apache.xml.security.encryption.XMLCipher.encryptData(XMLCipher.java:1137)
    ... 28 more