This is my second blog post about enabling mutual SSL for ESB proxy services. In my previous blog post, we enabled mutual SSL for all deployed proxy services. But in this blog post, we are going to enable mutual SSL for only selected proxy services. Let assume we have proxy service call “TestProxy” and also there are many other proxy services that have been deployed in WSO2ESB. We want to enable mutual SSL for “TestProxy” only. Let see how we can do it. Here we are using transport binding in WS-Security specification in addition to the mutual SSL.
I assume that you have gone through my previous blog post, therefore i am not going to much details in some configurations
Step 1 : Configure SSLVerifyClient property to “optional” in Pass through (or NIO) transport receiver configuration in the /repository/conf/axis2/axis2.xml file.
Note: if you are using some other product than
Step 2 : Restart the server
Step 3 : Secure the Proxy service (or web service) using WS-Security
Here, you can,
Secure the service using scenario 01 (Username Token authentication)
Modify applied policy in to this policy using policy editor. Here, we have removed the user name token validation and forced the client certificated as follows
You can just configure a custom security policy with the TestProxy service.
Step 4 : Step you key stores and trust stores as described in my previous post
Step 5 : Invoke the TestProxy using sample client which can be found at here.
If you have not used a key store in client side or your certificate does not contain in the pass through (or NIO) transport receiver’s trust store file, you would probably experience following error.
[2012-08-08 18:02:47,879] ERROR - AxisEngine Service requires SSL mutual authentication org.apache.axis2.AxisFault: Service requires SSL mutual authentication at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:180) at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:99) at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
Therefore, you need to import your client’s certificate (or CA’s certificate) in to the transport receiver’s trust store file. If your client’s keystore is self-signed one, you must import the certificate. If your client certificate is CA signed one, you must import the CA’s certificate.
Thanks for reading..!!!