WSO2 ESB can be used for implementing various security patterns in your SOA. It supports message-level security with the WS-Security specification. In this blog post, we are going to use WSO2 ESB to invoke a secured backend (BE) service.
Let's assume the BE service is secured with a WS-Security policy.
The policy contains both signature and encryption, and the client needs to provide an X509 certificate for authentication. This means the WSO2 ESB proxy service must authenticate to the BE service. The security policy therefore provides authentication, integrity and confidentiality.
Here is the WSDL of the BE service. It is just a simple echo service.
Let's go through it step by step.
Step1 : We need to create a matching policy on the ESB side to invoke the BE service. We can just copy the policy from the WSDL for this. It would be something like this
Step2 : To do the encryption and signing, we need to define the certificates that contain the private key and public key for this. This is done through a configuration.
ESB uses Apache Rampart as the WS-Security implementation. Rampart has its own way to define the keystore and key data, using a configuration called the Rampart configuration. We can add this Rampart configuration to the security policy as an assertion. Please find more details about Rampart configurations from here
Let's add the Rampart configuration.
To sign and encrypt, we need to specify the following:
1. Signature and encryption crypto. As we are using a keystore (i.e. client.jks) to build the crypto, we need to define the keystore details such as the keystore file, password, type and so on.
We can define them as follows:
<ramp:signatureCrypto>
    <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
        <ramp:property name="org.apache.ws.security.crypto.merlin.file">/home/asela/Security/resources/keys/client.jks</ramp:property>
        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
    </ramp:crypto>
</ramp:signatureCrypto>
<ramp:encryptionCypto>
    <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
        <ramp:property name="org.apache.ws.security.crypto.merlin.file">/home/asela/Security/resources/keys/client.jks</ramp:property>
        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
    </ramp:crypto>
</ramp:encryptionCypto>
2. Private key that is going to sign the message
This is the alias name of the private key in the client.jks file.
<ramp:userCertAlias>client</ramp:userCertAlias>
3. Public key (certificate) that is going to encrypt the message
This is the alias name of the public certificate of the BE service. It must also be contained in my client.jks file.
<ramp:encryptionUser>service</ramp:encryptionUser>
4. Private key password
We do not define the private key password in the Rampart configuration. We need to provide it through a password callback implementation. Therefore I am defining the class name of the password callback implementation.
<ramp:passwordCallbackClass>org.wso2.samples.pwcb.PWCBHandler</ramp:passwordCallbackClass>
Now we are done with the policy; it would look like this
Step3 : Let's create a password callback class to inject the private key password. You can get help from this blog post.
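A sketch of such a password callback class, added here as an example and not taken from the original post or from WSO2's samples. It assumes the WSS4J 1.x API (org.apache.ws.security.WSPasswordCallback) that matches the Merlin crypto provider configured above; the environment variable name CLIENT_KEY_PASSWORD is hypothetical and is used so the key password is not hard-coded in the class.

```java
package org.wso2.samples.pwcb;

import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

/**
 * Added example. Rampart loads this class by the name given in
 * <ramp:passwordCallbackClass> and calls handle() whenever it needs the
 * password of a private key (signing the request, decrypting the response).
 * The class needs a public no-argument constructor.
 */
public class PWCBHandler implements CallbackHandler {

    // Must match <ramp:userCertAlias> in the Rampart configuration.
    private static final String KEY_ALIAS = "client";

    // Assumption: hypothetical environment variable holding the key password.
    private static final String PASSWORD_ENV = "CLIENT_KEY_PASSWORD";

    @Override
    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback, "Unrecognized callback");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) callback;
            String alias = pwcb.getIdentifier();

            // Refuse any alias other than the one this handler holds a key for.
            if (!KEY_ALIAS.equals(alias)) {
                throw new UnsupportedCallbackException(callback, "Unknown key alias: " + alias);
            }

            // Fail loudly if the secret was not provisioned, rather than
            // handing Rampart an empty password.
            String password = System.getenv(PASSWORD_ENV);
            if (password == null || password.isEmpty()) {
                throw new IOException(PASSWORD_ENV + " is not set");
            }
            pwcb.setPassword(password);
        }
    }
}
```

The compiled class must be on the ESB's classpath under exactly the name given in `<ramp:passwordCallbackClass>`.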
Step4 : Upload our policy to the WSO2 ESB. Here we are uploading the created policy file as a resource in the WSO2 ESB's registry.
1. Log in to the WSO2 ESB management console and go to the Registry Browser
2. Add a new registry collection (folder) in your preferred location. I have selected the governance collection for this
3. Upload the policy from the file system as a resource.
Step5 : Create an ESB endpoint for the BE service with security
1. Go to the Endpoint configuration UI in the management console
2. Create a new address endpoint with your BE service configuration and then select the advanced options.
3. Select the WS-Security option under QoS in the advanced options
4. Select the Governance registry collection to locate the uploaded policy
5. Finish the endpoint creation
Step6 : Create a sample proxy service with our secured endpoint.
There are different ways to create a proxy service according to your preferences. Here I am creating a simple pass-through proxy
1. Create the proxy service by defining the endpoint created above
2. You can see the synapse configuration as follows in the proxy and endpoint configurations
Now we are done! You can invoke the proxy service with a non-secured client.
Note:
Previous
Secured Client ---------------> Secured BE service
Now with WSO2ESB
Non Secured Client
(Endpoint is changed to proxy endpoint) ---> WSO2ESB ---> Secured BE service