Mutual SSL between ESB and unsecured back-end serv

2019-09-01 06:45发布

站内问答 / 前端开发
540 1 6

I am getting the following error :

ERROR {org.apache.synapse.transport.passthru.SourceHandler} -  I/O error: null cert chain {org.apache.synapse.transport.passthru.SourceHandler}

while trying to enable mutual SSL between my (custom)Proxy service and 2 unsecured back-end services.

Here's what I've done so far :

  1. Enabled <parameter name="SSLVerifyClient">require</parameter>
  2. Extracted public certs of 2 back-end servers in [carbon_home]/respository/resources/security/wso2carbon.jks using Java Key Tool :

keytool -export -keystore C:\I_T\WS02\wso2 as-5.2.1\repository\resources\security\client-truststore.jks -file C:\wssecurity \wso2\wso2ASpublic.cert

  1. Imported these certs into ESB trust store :

    keytool -import -file C:\wssecurity\wso2\wso2DSSpublic.cert -keystore C:\I_T\WS02\wso2esb-4.8.1\repository\resources\security\client-truststore.jks -storepass wso2carbon -alias wso2carbonDSS

  2. Done the same with the ESB cert into the servers' client-truststores .

I suspect step 2-4 were unnecessary because the trust stores already contained these certs.

Perhaps this is causing the problems?

标签: ssl wso2 wso2esb
举报
1条回答
唯我独甜
2楼-- · 2019-09-01 07:32

I solved this if any one wants to know how to achieve :

                                                        SOAP_CLIENT
                                                                |
                                                                |
                                                                |
                                                                |----------- Single SSL (a)
                                                                |
                                                                |
                                      ________________ENTERPRISE_SERVICE_BUS_________________
                                     ||                                                     ||
                                     ||                                                     ||
                                     ||                                                     ||
         (b) Mutual SSL--------------||                                                     ||--------------Mutual SSL  (c)
                                     ||                                                     ||
                                     ||                                                     ||
                                     ||                                                     ||
                             APPLICATION_SERVER                                   DATA_SERVICE_SERVER

======================================================================

Key stores :

Soap(client) :  soapui_ks.jks                               - Key store - Password : soapui



ESB :           wso2esb_ks.jks                              - Key store - Password : wso2esb
                --------------- wso2esb_ks                  - Key entry alias - Password : wso2esb

                wso2esb_ts.jks                              - Trust store - Password : wso2esb
                --------------- wso2esb_ts                  - Key entry alias - Password : wso2esb
                --------------- as                          - Imported trusted certificate from wso2as_ks.jks
                --------------- dss                         - Imported trusted certificate from wso2dss_ks.jks
                --------------- soapclient                  - Imported trusted certificate from soapui_ks.jks


AS :            wso2as_ks.jks                               - Key store - Password : wso2as
                --------------- wso2as_ks                   - Key entry alias - Password : wso2as   

                wso2as_ts.jks                               - Trust store - Password : wso2as
                --------------- wso2as_ts                   - Key entry alias - Password : wso2as
                --------------- esb                         - Imported trusted certificate from wso2esb_ks.jks

DSS :           wso2dss_ks.jks                              - Key store - Password : wso2dss
                --------------- wso2dss_ks                  - Key entry alias - Password : wso2dss  

                wso2dss_ts.jks                              - Trust store - Password : wso2dss
                --------------- wso2dss_ts                  - Key entry alias - Password : wso2dss
                --------------- esb                         - Imported trusted certificate from wso2esb_ks.jks

=================================================================================================================================================================

Configuration :

(a) Change the following in the servers(server_home) to point to the new keystores/trustores.

In esb : Changed configuration files of the following files to point to the new keystores and their passwords (as above) :

                [server_home]/repository/conf/carbon.xml            
                [server_home]/repository/conf/axis2/axis2.xml   - also set  <parameter name="SSLVerifyClient">require</parameter>
                [server_home]/repository/conf/security/cipher-text.properties
                [server_home]/repository/conf/security/secret-conf.properties
                [server_home]/repository/conf/sec.policy

Restart server.

In soap , double click on the root project folder , navigate to WS-Security Configurations tab , then add the soapui_ts.jks as a TRUST store using soapui as the password. Then when you open a request in that project, in the Request Properties panel , set the previously configured soapui_ts.jks as the value for the SSL Keystore property.

Should all be good.
查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(6)