Exchanging Certificates between Client and Server
1) Create Client Key Store (wso2clientkeystore.jks). Let's call the client wso2client.
keytool -genkey -keyalg RSA -keystore wso2clientkeystore.jks -alias wso2client -dname "CN=wso2client" -validity 3650 -keysize 2048
Provide Store password and Key password.
2) Export Client Certificate (wso2client.cert)
keytool -export -keyalg RSA -keystore wso2clientkeystore.jks -alias wso2client -file wso2client.cert
3) Create Client Trust Store (wso2clientTrustStore.jks)
keytool -import -file wso2client.cert -alias wso2client -keystore wso2clientTrustStore.jks
Provide Trust store password.
4) Export ESB Server Certificate
keytool -export -keyalg RSA -keystore
Provide wso2carbon store password "wso2carbon"
5) Import Client Certificate wso2client.cert to WSO2 ESB client-trustStore.jks
keytool -import -file wso2client.cert -alias wso2client -keystore
Provide wso2carbon store password "wso2carbon"
6) Import ESB Server Certificate wso2carbon.cert to client-trust store
keytool -import -file wso2carbon.cert -alias wso2carbon -keystore wso2clientTrustStore.jks
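The client-side steps (1 to 3 and 6) can also be run without password prompts, with a fingerprint comparison before any certificate is added to a trust store. This is an added example, not part of the original post; it assumes keytool and sha256sum are on the PATH and the store password is exported as STORE_PASS, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes keytool and sha256sum
# are on PATH and the store password is exported as STORE_PASS, so it is
# not passed on the command line. Function names are hypothetical.

# SHA-256 fingerprint (lower-case hex) of a DER certificate file such as
# the one written by "keytool -export -file".
cert_fp() {
    sha256sum < "$1" | cut -d' ' -f1
}

# SHA-256 fingerprint of the certificate held under alias $2 in store $1.
store_fp() {
    keytool -export -keystore "$1" -alias "$2" -storepass:env STORE_PASS |
        sha256sum | cut -d' ' -f1
}

# Import certificate file $1 as alias $2 into trust store $3, but only when
# its fingerprint equals $4 (obtained out-of-band from the certificate owner).
import_if_matches() {
    [ "$(cert_fp "$1")" = "$4" ] || {
        echo "fingerprint mismatch, not importing $1" >&2
        return 1
    }
    keytool -import -noprompt -file "$1" -alias "$2" -keystore "$3" \
        -storepass:env STORE_PASS
}

# Steps 1 to 3: client key store, exported certificate, client trust store.
make_client_stores() {
    keytool -genkey -keyalg RSA -keysize 2048 -validity 3650 \
        -keystore wso2clientkeystore.jks -alias wso2client \
        -dname "CN=wso2client" \
        -storepass:env STORE_PASS -keypass:env STORE_PASS &&
    keytool -export -keystore wso2clientkeystore.jks -alias wso2client \
        -file wso2client.cert -storepass:env STORE_PASS &&
    import_if_matches wso2client.cert wso2client wso2clientTrustStore.jks \
        "$(cert_fp wso2client.cert)"
}

# Step 6, once wso2carbon.cert has been exported from the ESB (step 4):
#   import_if_matches wso2carbon.cert wso2carbon wso2clientTrustStore.jks \
#       "<fingerprint confirmed with the ESB administrator>"
```

After the run, store_fp wso2clientTrustStore.jks wso2client should print the same value as cert_fp wso2client.cert.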
Configure WSO2 ESB Server
1) Edit https transportReceiver in axis2.xml, which is located in
2) Restart ESB Server.
Note: This enables Mutual SSL for proxies on the https transport in the ESB.
Create Test Proxy
Create a test proxy with the following content.
Testing Test Proxy Using SOAP UI
1) Open SOAP UI and create a SOAP UI project using the Test Proxy WSDL ( https://localhost:9443/services/Test?wsdl ).
2) Try to invoke the Test Proxy with the default configuration.
As shown below, it will fail with javax.net.ssl.SSLHandshakeException. This is because SOAP UI doesn't have the wso2client key store and trust store.
3) Let's add the key store and trust store to the project. Open Test Project Properties -> WS-Security Configuration -> Key Store -> Add Key Store, as shown in the following picture -> Select wso2clientkeystore.jks
4) Enter store password for wso2clientkeystore.jks
5) Similarly, add the Client Trust store to SOAP UI (an optional step for this tutorial).
6) Set SSL Keystore to wso2clientkeystore.jks.
7) Invoke Request 1 again with SSL configuration.
Now you will be able to invoke the Test proxy service with Mutual SSL enabled.
In the next blog post, I will discuss how to enable Mutual SSL for only one proxy.