
Is it possible to use mutual authentication (client SSL certificates) with WSO2 ESB? (I'm not talking about WS-Security.)

I see that it is possible to add custom keystores to the ESB but I could not find any information on how to specify what client key to use when connecting to a specific backend.


2 Answers

Yes. You can enable mutual authentication for an ESB proxy service. Here you need to do a small configuration change to enable mutual authentication for all proxy services. You can edit the axis2.xml file and change the following property to "require":

<parameter name="SSLVerifyClient">require</parameter>

More details you can find here. However, if you are enabling mutual authentication for a given set of proxy services, there is some more to do. More details you can find here. There was an issue with older releases of the ESB, therefore you need to install some patches, but with 4.7.0 and 4.8.0 (the next release) these have been fixed.
  • Could you please give more details on how to select a specific client certificate to be used for a specific endpoint? It's not really clear from those posts. – Janhouse Dec 05 '13 at 10:06
  • Actually here we cannot say "the user who has this certificate can access these proxy services". There is no such authorization happening here... One request is sent with a certificate, and the ESB would validate the certificate (verify it against the ESB's trust store). – Asela Dec 05 '13 at 11:08
  • Ok, so it doesn't support using client-side SSL certificates on the ESB to authorize with a backend? – Janhouse Dec 05 '13 at 14:25
  • Yes.. by default it does not.. But there are two ways that you can do it.. One way is that you write your own mediator to verify the authorization. In the mediator, you can access the client certificate and do verification on it. http://soasecurity.org/2013/11/28/how-to-wso2esb-how-to-write-custom-mediator/ Else you can use a XACML solution, where you write a policy in WSO2 Identity Server to externalize the authorization. Here a mediator (the entitlement mediator) can call WSO2 IS and get the authorization. – Asela Dec 05 '13 at 14:46
  • It sounds more like "it is easier to do it without WSO2", because you can't just handle the authorization with your custom mediator or WSO2 IS. It doesn't return any tokens or something like that; we are talking about mutual SSL authentication. The whole stream is encrypted with it. – Janhouse Dec 09 '13 at 11:18

It is actually quite simple to set up mutual SSL authentication between the ESB and a back-end server. This requires configuration of the back-end server as well. Because the ESB serves as the 'client' when initiating a connection with the back-end, the back-end server is responsible for requesting 'mutual' SSL instead of one-way SSL. See this nice mutual SSL article for reference [1].

In order to successfully use mutual SSL with a back-end server,

  1. Load the back-end server's public certificate into the default truststore, which is located in: repository/resources/security/client-truststore.jks (That's it! That's the only change necessary on the WSO2 ESB side.)
  2. Load the public certificate from the WSO2 keystore into the back-end server's keystore.
  3. Configure the back-end server to request mutual SSL.

If you're using a CA certificate instead of the default self-signed certificate, skip step 2.

Cheers, Colin

[1] http://www.codeproject.com/Articles/326574/An-Introduction-to-Mutual-SSL-Authentication

  • This is one of the very few posts about the SSL client configuration. What I found working was a) put the client SSL key into wso2carbon.jks (then in carbon.xml and axis2.xml the KeyAlias must be specified), b) configure the client key pair keystore in axis2 as the customSSLProfiles parameter. – gusto2 Dec 22 '15 at 21:17
  • @gusto2 can you describe how you do that? – behzad Dec 10 '20 at 10:45