Let's see how we can enable mutual SSL (two-way SSL) for all the proxy services that are deployed in WSO2 ESB.
Configuring Mutual SSL in ESB
Step 1: Enable mutual SSL for the transport receiver of the WSO2 ESB
WSO2 ESB uses the Pass Through transport (or NIO transport) for sending and receiving messages. You can find the Pass Through (or NIO) transport receiver and sender configuration in the axis2.xml file, which is located in the /repository/conf/axis2 directory. Under the transport receiver there are key store and trust store configurations as follows.
<transportReceiver name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLListener">
    <parameter name="port" locked="false">8243</parameter>
    <parameter name="non-blocking" locked="false">true</parameter>
    <parameter name="httpGetProcessor" locked="false">org.wso2.carbon.transport.nhttp.api.PassThroughNHttpGetProcessor</parameter>
    <parameter name="keystore" locked="false">
        <KeyStore>
            <Location>repository/resources/security/wso2carbon.jks</Location>
            <Type>JKS</Type>
            <Password>wso2carbon</Password>
            <KeyPassword>wso2carbon</KeyPassword>
        </KeyStore>
    </parameter>
    <parameter name="truststore" locked="false">
        <TrustStore>
            <Location>repository/resources/security/client-truststore.jks</Location>
            <Type>JKS</Type>
            <Password>wso2carbon</Password>
        </TrustStore>
    </parameter>
    <!--<parameter name="SSLVerifyClient">require</parameter> supports optional|require or defaults to none -->
</transportReceiver>
To make the ESB demand a client certificate, uncomment the SSLVerifyClient parameter shown in the comment above and set it to require (as the comment notes, the supported values are optional and require, and it defaults to none):

<parameter name="SSLVerifyClient">require</parameter>
Setting up Key Store and Trust Stores
Step 1: Writing an Axis2 client to invoke the proxy service
You can find the client program here. To run the client program you need to set up your key store and trust store properly. Here we use the same key store file as both the key store (which contains the private key) and the trust store (which contains the trusted certificates). The first command below exports the ESB's certificate from wso2carbon.jks, and the second imports it into the client's store so the client trusts the ESB:
> keytool -export -keystore wso2carbon.jks -alias localhost -file wso2.crt
> keytool -import -keystore client.jks -alias wso2carbon -file wso2.crt
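As an added example (not the client program linked from the original post), here is a minimal Axis2 client that presents the key pair in client.jks and trusts the ESB certificate imported into it with the keytool commands above. The proxy name EchoProxy, the echoString operation and its namespace, and the store password are assumptions; it also assumes the client's own certificate has been imported into the ESB's client-truststore.jks, which the ESB checks once SSLVerifyClient is set to require.

```java
import org.apache.axiom.om.OMAbstractFactory;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMFactory;
import org.apache.axiom.om.OMNamespace;
import org.apache.axis2.addressing.EndpointReference;
import org.apache.axis2.client.Options;
import org.apache.axis2.client.ServiceClient;

public class MutualSSLClient {
    public static void main(String[] args) throws Exception {
        // Client identity: the private key in client.jks is what the ESB verifies
        // against its client-truststore.jks when SSLVerifyClient is set to require.
        // If no usable certificate is presented, the server logs "null cert chain"
        // and the client sees "Connection reset" (see Troubleshooting).
        System.setProperty("javax.net.ssl.keyStore", "client.jks");
        System.setProperty("javax.net.ssl.keyStorePassword", "changeit"); // assumed password

        // Client trust: the same client.jks, which holds the ESB certificate imported
        // with "keytool -import". Without it the client fails with
        // "PKIX path building failed".
        System.setProperty("javax.net.ssl.trustStore", "client.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

        // Assumed: a proxy service named EchoProxy fronting the ESB's echo service,
        // reached through the HTTPS transport receiver on port 8243 from axis2.xml.
        ServiceClient client = new ServiceClient();
        Options options = new Options();
        options.setTo(new EndpointReference("https://localhost:8243/services/EchoProxy"));
        options.setAction("urn:echoString");
        client.setOptions(options);

        try {
            OMElement response = client.sendReceive(buildEchoPayload("hello over mutual SSL"));
            System.out.println(response);
        } finally {
            client.cleanupTransport();
        }
    }

    // Builds <ns:echoString><ns:in>text</ns:in></ns:echoString>; the namespace is assumed.
    static OMElement buildEchoPayload(String text) {
        OMFactory factory = OMAbstractFactory.getOMFactory();
        OMNamespace ns = factory.createOMNamespace("http://echo.services.core.carbon.wso2.org", "ns");
        OMElement echo = factory.createOMElement("echoString", ns);
        OMElement in = factory.createOMElement("in", ns);
        in.setText(text);
        echo.addChild(in);
        return echo;
    }
}
```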
Troubleshooting
org.apache.axis2.AxisFault: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.
If you have not properly done the 3rd step, when you try with the sample client you will receive the following error on the client side.
Exception in thread "main" org.apache.axis2.AxisFault: Connection has been shutdown: javax.net.ssl.SSLException: java.net.SocketException: Connection reset
And on the server side:
[2012-08-08 17:29:56,390] ERROR - ServerHandler I/O error: null cert chain javax.net.ssl.SSLHandshakeException: null cert chain
Now you know how to secure ESB proxy services using mutual SSL and invoke them. In my next blog post, let's see how we can secure only specific ESB proxy services using mutual SSL (not all of them).