SSL profiles in WSO2 ESB

Using SSL profiles, WSO2 ESB can be configured to communicate with SSL and Mutual SSL enabled target servers. Let's see how to configure it.

Step 1. First, download WSO2 ESB and extract it into a directory in your file system. Let's call that directory ESB_HOME.

Step 2. Then define the appropriate SSL profiles under the HTTPS transport sender configuration in the axis2.xml file, which can be found in ESB_HOME/repository/conf/axis2.

The following shows the example configuration I am going to use.

Here, I have used localhost:9444 as the server for SSL communication and localhost:9445 for Mutual SSL. As you can see, a profile consists of a keystore-truststore pair. A single profile can be associated with one or more target servers, so you can define more than one target server under one profile. A target server is identified by its hostname and port number. Once an SSL profile is defined and associated with a target server, WSO2 ESB will use the truststore for SSL communication and the keystore-truststore pair for Mutual SSL communication.

In this example configuration, localhost:9444 is WSO2 WSAS and localhost:9445 is the WSO2 BPS server. It should also be noted that the trust store must contain the target server's certificate for SSL communication, and the target server must contain the key-store certificate for Mutual SSL communication.

<parameter name="customSSLProfiles">
    <profile>
        <servers>www.test.org:80, localhost:9444</servers>
        <TrustStore>
            <Location>path/to/trust/store</Location>
            <Type>JKS</Type>
            <Password>password</Password>
        </TrustStore>
    </profile>
    <profile>
        <servers>localhost:9445</servers>
        <KeyStore>
            <Location>/path/to/identity/store</Location>
            <Type>JKS</Type>
            <Password>password</Password>
            <KeyPassword>password</KeyPassword>
        </KeyStore>
        <TrustStore>
            <Location>path/to/trust/store</Location>
            <Type>JKS</Type>
            <Password>password</Password>
        </TrustStore>
    </profile>
</parameter>

Step 3. Start the WSO2 ESB server by running wso2server.sh (on Unix) or wso2server.bat (on Windows) from the ESB_HOME/bin directory.
Once the server starts, point your web browser to https://localhost:9443/carbon/. If you have configured the SSL profiles successfully, you will see the following INFO logs during startup.

[2010-07-01 15:22:26,300]  INFO – HttpCoreNIOSSLSender Loading Trust Keystore from : path/to/trust/store
[2010-07-01 15:22:26,306]  INFO – HttpCoreNIOSSLSender Loading Identity Keystore from : /path/to/identity/store
[2010-07-01 15:22:26,310]  INFO – HttpCoreNIOSSLSender Loading Trust Keystore from : path/to/trust/store
[2010-07-01 15:22:26,322]  INFO – HttpCoreNIOSSLSender Custom SSL profiles initialized for 3 servers

Step 4. Let's create two simple proxy services whose endpoints are hosted on localhost:9444 and localhost:9445.

<syn:proxy name="BPSProxy" transports="https http" startOnLoad="true" trace="disable">
    <syn:target>
        <syn:inSequence>
            <syn:send>
                <syn:endpoint>
                    <syn:address uri="https://localhost:9444/services/TestE4XService"/>
                </syn:endpoint>
            </syn:send>
        </syn:inSequence>
        <syn:outSequence>
            <syn:send/>
        </syn:outSequence>
    </syn:target>
</syn:proxy>
<syn:proxy name="WSASProxy" transports="https http" startOnLoad="true" trace="disable">
    <syn:target>
        <syn:inSequence>
            <syn:send>
                <syn:endpoint>
                    <syn:address uri="https://localhost:9445/services/HelloService"/>
                </syn:endpoint>
            </syn:send>
        </syn:inSequence>
        <syn:outSequence>
            <syn:send/>
        </syn:outSequence>
    </syn:target>
</syn:proxy>

Step 5. Now send request messages to the two proxy services. You will see that the ESB successfully communicates with the SSL and Mutual SSL enabled target servers using the SSL profiles.
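As an added example (not part of the original post and not WSO2 code), the following Python script parses a customSSLProfiles block like the one in step 2, resolves the proxy endpoint URIs from step 4 to the profile the ESB would pick by hostname and port, and lists the things worth checking before the axis2.xml is deployed. The sample XML is a constructed copy of the placeholders above; the placeholder-password and port-80 checks are my own assumptions about what deserves a second look, not ESB behaviour.

```python
"""Parse a WSO2 ESB customSSLProfiles block and resolve target endpoints to profiles."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample mirroring the axis2.xml snippet in step 2 (placeholder paths/passwords).
SAMPLE_PROFILES = """<parameter name="customSSLProfiles">
    <profile>
        <servers>www.test.org:80, localhost:9444</servers>
        <TrustStore>
            <Location>path/to/trust/store</Location>
            <Type>JKS</Type>
            <Password>password</Password>
        </TrustStore>
    </profile>
    <profile>
        <servers>localhost:9445</servers>
        <KeyStore>
            <Location>/path/to/identity/store</Location>
            <Type>JKS</Type>
            <Password>password</Password>
            <KeyPassword>password</KeyPassword>
        </KeyStore>
        <TrustStore>
            <Location>path/to/trust/store</Location>
            <Type>JKS</Type>
            <Password>password</Password>
        </TrustStore>
    </profile>
</parameter>"""


def _store(elem):
    """Turn a <KeyStore>/<TrustStore> element into a dict of its child values, or None."""
    if elem is None:
        return None
    return {child.tag: (child.text or "").strip() for child in elem}


def parse_profiles(xml_text):
    """Return one dict per <profile>: servers (list of host:port), truststore, keystore."""
    root = ET.fromstring(xml_text)
    if root.tag != "parameter" or root.get("name") != "customSSLProfiles":
        raise ValueError('expected <parameter name="customSSLProfiles">')
    profiles = []
    for prof in root.findall("profile"):
        servers = [s.strip() for s in (prof.findtext("servers") or "").split(",") if s.strip()]
        for s in servers:  # each entry must be host:port, as the post describes
            host, sep, port = s.rpartition(":")
            if not host or not sep or not port.isdigit():
                raise ValueError(f"server entry must be host:port, got {s!r}")
        profiles.append({
            "servers": servers,
            "truststore": _store(prof.find("TrustStore")),
            "keystore": _store(prof.find("KeyStore")),
        })
    return profiles


def build_server_map(profiles):
    """Map host:port -> profile index; one server in two profiles is a configuration error."""
    mapping = {}
    for i, p in enumerate(profiles):
        for s in p["servers"]:
            if s in mapping:
                raise ValueError(f"{s} appears in more than one profile")
            mapping[s] = i
    return mapping


def resolve_endpoint(uri, profiles):
    """Return ('ssl' | 'mutual-ssl', profile) for an https URI, or None if no profile matches."""
    parts = urlsplit(uri)
    if parts.scheme != "https":
        return None  # SSL profiles only apply to HTTPS endpoints
    key = f"{parts.hostname}:{parts.port or 443}"
    idx = build_server_map(profiles).get(key)
    if idx is None:
        return None
    profile = profiles[idx]
    mode = "mutual-ssl" if profile["keystore"] else "ssl"
    return mode, profile


def lint_profiles(profiles):
    """Return review findings for the parsed profiles (checks are this example's own)."""
    findings = []
    for i, p in enumerate(profiles):
        if p["truststore"] is None:
            findings.append(f"profile {i}: no TrustStore, so server certificates cannot be validated")
        for name in ("truststore", "keystore"):
            store = p[name]
            if not store:
                continue
            for field in ("Password", "KeyPassword"):
                if store.get(field) == "password":
                    findings.append(f"profile {i}: {name} {field} is the placeholder 'password'")
        for s in p["servers"]:
            if s.endswith(":80"):
                findings.append(f"profile {i}: {s} looks like a plain-HTTP port; confirm it serves TLS")
    return findings


if __name__ == "__main__":
    parsed = parse_profiles(SAMPLE_PROFILES)
    for uri in ("https://localhost:9444/services/TestE4XService",
                "https://localhost:9445/services/HelloService"):
        print(uri, "->", resolve_endpoint(uri, parsed)[0])
    for finding in lint_profiles(parsed):
        print("CHECK:", finding)
```

Run it against the real ESB_HOME/repository/conf/axis2/axis2.xml by extracting the customSSLProfiles parameter into a string; the resolver reproduces the host:port lookup the post describes, so an endpoint that resolves to None will be handled by the default transport trust rather than a custom profile.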