How to invoke secured backend service using WSO2 ESB

WSO2 ESB can be used for implementing various security patterns in your SOA. It supports message level security with WS-Security specification. In this blog post, we are going to use WSO2 ESB to invoke a secured BE service. 

Lets assume BE service is secured with WS-Security Policy.  
Policy contains both signature and encryption  and client needs to provide X509 certificate for authentication. It mean WSO2 ESB proxy service must be authenticated to the BE service.   Therefore security policy provides the authentication Integrity and Confidentiality. 
Here is WSDL of the BE service. It is just a simple echo service. 
Lets go through step by step
Step1 : We need to create matching policy for ESB side to invoke the BE service. We can just copy the policy from WSDL for this. It would be some thing like this
Step2 : To do the encryption and signing, we need to define the certificates that contains private key and public key for this.  This is done through a configuration. 
ESB uses Apache rampart as the WS-Security implementation. Rampart has, it own way to define the key store and key data using configuration called rampart configuration. We can add this rampart configuration in to the security policy as an assertion.  Please find more details about rampart configurations from here
Lets add rampart configurations. 
To sign and encryption,  we need to specify following….    
1. Signature and Encryption crypto.     As we are using keystore (i.e client.jks) to build the crypto,  We need to define the keystore details  such as keystore file, password, type and so on. 
We can define them as follows …
<ramp:crypto provider="">
<ramp:property name="">JKS</ramp:property>
 <ramp:property name="">/home/asela/Security/resources/keys/client.jks</ramp:property>
 <ramp:property name="">apache</ramp:property>
 <ramp:crypto provider="">
 <ramp:property name="">JKS</ramp:property>
 <ramp:property name="">/home/asela/Security/resources/keys/client.jks</ramp:property>
 <ramp:property name="">apache</ramp:property>
2.  Private key  that is going to sign the message 
This the alias name of private key of the client.jks file
3. Public key (certificate) that is going to encrypt the message
This is the certificate alias name of the public certificate of the BE service. That also must be contain in my client.jks file.
4. Private key password 
We do not define private key password in rampart configuration.  we need to provide it through password class back implementation. Therefore i am defining the class name of the password call back implementation 
Now we are done with policy,  it would be as this
Step3 : Lets create a password call back class to inject private key password.  You can get help from this blog post. 
Step4 : Upload our policy to the WSO2 ESB. Here we are uploading created policy file as a resource in the WSO2 ESB’s registry. 
1.  Login to WSO2 ESB management console and Go to  Registry Browser
2. Add new registry collection  (folder) in preferred location. I have selected governance collection for this  
3. Upload policy from file system as a resource. 
Step5 : Create  ESB end point for BE service with security
1. Go to  Endpoint configuration UI in Management console 
2. Create new address end point with your BE service configuration and then select advance options. 
3. Select WS-Security option under the QoS in advance options
4. Select Governance registry collection to local the uploaded policy 
5. Finish the endpoint creation 
Step6 :  Create sample proxy service with our secured endpoint.
There are different ways to create proxy service according to your preferences. Here i am creating simple pass through proxy 
1. Create proxy service by defining the endpoint created above
2. You can see synapse configuration as following in proxy and endpoint configurations  
Now we are done…!!!  You can invoke the proxy service with non-secured client. 
Secured Client ————————————————>  Secured BE service 
Now with WSO2ESB
Non Secured Client 
(Endpoint is changed to proxy enpoint) ———> WSO2ESB  ————-> Secured BE service 
Discuss this article on Stack Overflow


  1. Hi My back end service is running on HTTPS protocol. When i add this service as an endpoint it gives me

    ERROR – ProxyServiceAdminClient Couldn't create endpoint from the given WSDL URI :
    eException: No name matching localhost found
    org.wso2.carbon.proxyadmin.stub.ProxyServiceAdminProxyAdminException: Couldn't create endpoint from the given WSDL URI :
    t.CertificateException: No name matching localhost found

  2. When I follow the article, I get the error. What could be problem?

    ERROR – MessageHelper Cannot locate policy from the property : gov:/custom_security_policies/clientpolicy.xml
    [2015-10-26 21:05:17,747] ERROR – Axis2Sender Unexpected error during sending message out
    org.apache.synapse.SynapseException: Cannot locate policy from the property : gov:/custom_security_policies/clientpolicy.xml
    at org.apache.synapse.util.MessageHelper.handleException(
    at org.apache.synapse.util.MessageHelper.getPolicy(

Leave a Reply

Your email address will not be published. Required fields are marked *