Setting Up Mutual SSL in WSO2 ESB - Enable only for selected proxy services

This Blog post is an updated version of Asela's Blog 

I am using same environment described in my previous blog for this tutorial

Configure WSO2 ESB Server 

1) Edit https transportReceiver in axis2.xml, which is located in /repository/conf/axis2/ folder and Add SSLVerifyClient to optional as follows.

	<transportReceiver name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLListener">
	<parameter name="port" locked="false">8243</parameter>
	<parameter name="non-blocking" locked="false">true</parameter>
	<parameter name="httpGetProcessor" locked="false">org.wso2.carbon.transport.nhttp.api.PassThroughNHttpGetProcessor</parameter>
	<parameter name="keystore" locked="false">
	<KeyStore>
	<Location>repository/resources/security/wso2carbon.jks</Location>
	<Type>JKS</Type>
	<Password>wso2carbon</Password>
	<KeyPassword>wso2carbon</KeyPassword>
	</KeyStore>
	</parameter>
	<parameter name="truststore" locked="false">
	<TrustStore>
	<Location>repository/resources/security/client-truststore.jks</Location>
	<Type>JKS</Type>
	<Password>wso2carbon</Password>
	</TrustStore>
	</parameter>
	<parameter name="SSLVerifyClient">optional</parameter>
	<!--supports optional|require or defaults to none -->
	</transportReceiver>

view raw axis2.xml hosted with ❤ by GitHub

2) Restart ESB Server.

Note: This will make Mutual SSL optional for proxy services exposed on https transport.

Now you will able to Invoke Test Proxy without SSL KeyStore property in SOAP UI. To verify this remove value of SSL KeyStore and Invoke Request 1 Again.

Enable Mutual SSL for Test Proxy

1) Create a ESB XML local entry called MutualSSLPolicy.xml with following content.

	<wsp:Policy wsu:Id="MutualSSL" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
	<wsp:ExactlyOne>
	<wsp:All>
	<sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
	<wsp:Policy>
	<sp:TransportToken>
	<wsp:Policy>
	<sp:HttpsToken RequireClientCertificate="true"/>
	</wsp:Policy>
	</sp:TransportToken>
	<sp:AlgorithmSuite>
	<wsp:Policy>
	<sp:Basic256/>
	</wsp:Policy>
	</sp:AlgorithmSuite>
	<sp:Layout>
	<wsp:Policy>
	<sp:Lax/>
	</wsp:Policy>
	</sp:Layout>
	</wsp:Policy>
	</sp:TransportBinding>
	<rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
	<rampart:encryptionUser>useReqSigCert</rampart:encryptionUser>
	<rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
	<rampart:timestampTTL>300</rampart:timestampTTL>
	<rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
	<rampart:tokenStoreClass>org.wso2.carbon.security.util.SecurityTokenStore</rampart:tokenStoreClass>
	<rampart:nonceLifeTime>300</rampart:nonceLifeTime>
	</rampart:RampartConfig>
	</wsp:All>
	</wsp:ExactlyOne>
	</wsp:Policy>

view raw MutualSSLPolicy.xml hosted with ❤ by GitHub

2) Add following parameters to Test Proxy. 

	<enableSec/>
	<policy key="MutualSSLPolicy.xml"/>

view raw property.xml hosted with ❤ by GitHub

( Add these parameters to proxy services you want to enable mutual authentication. )'

3) Final Test proxy will look like this

	<?xml version="1.0" encoding="UTF-8"?>
	<proxy xmlns="http://ws.apache.org/ns/synapse"
	name="Test"
	transports="https"
	statistics="disable"
	trace="disable"
	startOnLoad="true">
	<target>
	<inSequence>
	<log level="full"/>
	<respond/>
	</inSequence>
	</target>
	<enableSec/>
	<policy key="MutualSSLPolicy.xml"/>
	<description/>
	</proxy>

view raw Test.xml hosted with ❤ by GitHub

Testing With SOAP UI 

1) Try Request 1 without SSL KeyStore parameter. Request Fails with SOAP Fault

2) Now try with SSL KeyStore Parameter, Now you will able to invoke Test Proxy Service.

Setting Up Mutual SSL in WSO2 ESB and Testing Using SOAP UI

This Blog post is an updated version of Asela's Blog 

Exchanging Certificates with Client and Server. 

First step is to create Client Key Store and Client Trust Store. Here I am using Java Keytool, which can be found in JDK bin directory.

1) Create Client ( let's call wso2client ) Key Store (wso2clientkeystore.jks)

keytool -genkey -keyalg RSA -keystore wso2clientkeystore.jks  -alias wso2client -dname "CN=wso2client" -validity 3650 -keysize 2048

Provide Store password and Key password.

2) Create Client Certificates. 

keytool -export -keyalg RSA -keystore wso2clientkeystore.jks -alias wso2client  -file wso2client.cert

3) Create Client Trust Store (wso2clientTrustStore.jks)

keytool -import -file wso2client.cert -alias wso2client -keystore wso2clientTrustStore.jks

Provide Trust store password.

4) Export ESB Server Certificate

keytool -export -keyalg RSA -keystore /repository/resources/security/wso2carbon.jks -alias wso2carbon -file wso2carbon.cert

Provide wso2carbon store password "wso2carbon"

5) Import Client Certificate wso2client.cert to WSO2 ESB client-trustStore.jks

keytool -import -file wso2client.cert -alias wso2client -keystore /repository/resources/security/client-truststore.jks

Provide wso2carbon store password "wso2carbon"

6) Import ESB Server Certificate wso2carbon.cert to client-trust store 

keytool -import -file wso2carbon.cert -alias wso2carbon -keystore wso2clientTrustStore.jks

Configure WSO2 ESB Server 

1) Edit https transportReceiver in axis2.xml, which is located in /repository/conf/axis2/ folder and Add SSLVerifyClient to require as follows.

	<transportReceiver name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLListener">
	<parameter name="port" locked="false">8243</parameter>
	<parameter name="non-blocking" locked="false">true</parameter>
	<parameter name="httpGetProcessor" locked="false">org.wso2.carbon.transport.nhttp.api.PassThroughNHttpGetProcessor</parameter>
	<parameter name="keystore" locked="false">
	<KeyStore>
	<Location>repository/resources/security/wso2carbon.jks</Location>
	<Type>JKS</Type>
	<Password>wso2carbon</Password>
	<KeyPassword>wso2carbon</KeyPassword>
	</KeyStore>
	</parameter>
	<parameter name="truststore" locked="false">
	<TrustStore>
	<Location>repository/resources/security/client-truststore.jks</Location>
	<Type>JKS</Type>
	<Password>wso2carbon</Password>
	</TrustStore>
	</parameter>
	<parameter name="SSLVerifyClient">require</parameter>
	<!--supports optional|require or defaults to none -->
	</transportReceiver>

view raw axis2.xml hosted with ❤ by GitHub

2) Restart ESB Server.

Note: This will Enable Mutual SSL for Proxies on https transport in ESB.

Create Test Proxy

Create a test proxy with Following Content

	<?xml version="1.0" encoding="UTF-8"?>
	<proxy xmlns="http://ws.apache.org/ns/synapse"
	name="Test"
	transports="https"
	statistics="disable"
	trace="disable"
	startOnLoad="true">
	<target>
	<inSequence>
	<log level="full"/>
	<respond/>
	</inSequence>
	</target>
	<description/>
	</proxy>

view raw Test.xml hosted with ❤ by GitHub

Testing Test Proxy Using SOAP UI

1) Open SOAP UI and create a SOAP UI project using Test Proxy WSDL. ( https://localhost:9443/services/Test?wsdl )

2) Try to Invoke Test Proxy with default configuration.

As shown bellow, it will fail with javax.net.SSLHandshakeException. This is because Soap UI doesn't have wso2client key store and trust store.

3) Let's Add Key store and Trust Store to Project.  Open Test Project Properties. -> WS-Security Configuration -> Key Store -> Add Key Store as shown in following picture. -> Select wso2clientkeystore.jks

4) Enter store password for wso2clientkeystore.jks

5) Similarly add Client Trust store to SOAP UI ( An optional step for this tutorial )

6) Select SSL Keystore to wso2clientkeystore.jks.

7) Invoke Request 1 again with SSL configuration.

Now you will be able to invoke Test proxy service with Mutual SSL enabled.

In Next blog, I will discuss how to Enable Mutual SSL only for One proxy.