ssl wso2 wso2esb

Mutual SSL between ESB and unsecured back-end services, "null cert chain"




I solved it; in case anyone wants to know how to get it working:

    SOAP_CLIENT
         |
         |
         |----------- Single SSL (a)
         |
     ________________ENTERPRISE_SERVICE_BUS_________________
    ||                                                     ||
    ||                                                     ||
    (b) Mutual SSL-----------||         ||-----------Mutual SSL (c)
    ||                                                     ||
    ||                                                     ||
    APPLICATION_SERVER                        DATA_SERVICE_SERVER

    ===================================================================

    Key stores:

    SOAP (client):
        soapui_ks.jks  - Key store   - Password: soapui

    ESB:
        wso2esb_ks.jks - Key store   - Password: wso2esb
            wso2esb_ks - Key entry alias - Password: wso2esb
        wso2esb_ts.jks - Trust store - Password: wso2esb
            wso2esb_ts - Key entry alias - Password: wso2esb
            as         - Imported trusted certificate from wso2as_ks.jks
            dss        - Imported trusted certificate from wso2dss_ks.jks
            soapclient - Imported trusted certificate from soapui_ks.jks

    AS:
        wso2as_ks.jks  - Key store   - Password: wso2as
            wso2as_ks  - Key entry alias - Password: wso2as
        wso2as_ts.jks  - Trust store - Password: wso2as
            wso2as_ts  - Key entry alias - Password: wso2as
            esb        - Imported trusted certificate from wso2esb_ks.jks

    DSS:
        wso2dss_ks.jks - Key store   - Password: wso2dss
            wso2dss_ks - Key entry alias - Password: wso2dss
        wso2dss_ts.jks - Trust store - Password: wso2dss
            wso2dss_ts - Key entry alias - Password: wso2dss
            esb        - Imported trusted certificate from wso2esb_ks.jks

    ===================================================================

    Configuration:

    (a) Change the following in the servers (server_home) to point to the new keystores/truststores.

    In ESB: changed the following configuration files to point to the new keystores and their passwords (as above):
        [server_home]/repository/conf/carbon.xml
        [server_home]/repository/conf/axis2/axis2.xml - also set <parameter name="SSLVerifyClient">require</parameter>
        [server_home]/repository/conf/security/cipher-text.properties
        [server_home]/repository/conf/security/secret-conf.properties
        [server_home]/repository/conf/sec.policy

    Restart server.
In SoapUI, double-click the root project folder, navigate to the WS-Security Configurations tab, then add soapui_ts.jks as a TRUST store using soapui as the password. Then, when you open a request in that project, in the Request Properties panel set the previously configured soapui_ts.jks as the value of the SSL Keystore property. Should all be good.

I am getting the following error:

ERROR {org.apache.synapse.transport.passthru.SourceHandler} - I/O error: null cert chain {org.apache.synapse.transport.passthru.SourceHandler}

when trying to enable mutual SSL between my (custom) proxy service and 2 unsecured back-end services.

This is what I have done so far:

  1. Enabled <parameter name="SSLVerifyClient">require</parameter>
  2. Extracted the public certificates of the 2 back-end servers from [carbon_home]/repository/resources/security/wso2carbon.jks using the Java keytool:

    keytool -export -keystore C:/I_T/WS02/wso2as-5.2.1/repository/resources/security/client-truststore.jks -file C:/wssecurity/wso2/wso2ASpublic.cert

  3. Imported these certs into the ESB trust store:

    keytool -import -file C:/wssecurity/wso2/wso2DSSpublic.cert -keystore C:/I_T/WS02/wso2esb-4.8.1/repository/resources/security/client-truststore.jks -storepass wso2carbon -alias wso2carbonDSS

  4. Did the same with the ESB certificate in the clients' trust stores.

I suspect steps 2-4 were unnecessary because the trust stores already contained these certs.

Could this be what is causing the problems?
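The error above is the server side of a mutual-TLS handshake receiving an empty certificate chain from the client: the ESB demands a client certificate (SSLVerifyClient=require) but the SOAP client has no key entry to present, which is exactly what the accepted answer fixes by giving SoapUI a keystore. The following is an added Go example, not code from either post or from WSO2, that reproduces that situation on loopback with in-memory certificates; the party names "esb" and "soapclient" and the certificates are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// selfSigned: throwaway self-signed certificate and key for one party (constructed test data).
func selfSigned(name string) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}
// trust mirrors importing a party's certificate into the other side's trust store.
func trust(c tls.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	p.AddCert(c.Leaf)
	return p
}
// MutualHandshake runs one loopback TLS handshake. The server demands a client certificate,
// as the ESB does with SSLVerifyClient=require; the client presents one only when
// presentClientCert is true. It returns the error the server-side handshake ends with.
func MutualHandshake(presentClientCert bool) error {
	esb, client := selfSigned("esb"), selfSigned("soapclient")
	srv := &tls.Config{Certificates: []tls.Certificate{esb}, ClientCAs: trust(client), ClientAuth: tls.RequireAndVerifyClientCert}
	cli := &tls.Config{RootCAs: trust(esb), ServerName: "esb"}
	if presentClientCert {
		cli.Certificates = []tls.Certificate{client} // the client's own key entry
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { c, err := tls.Dial("tcp", ln.Addr().String(), cli); if err == nil { c.Close() } }() // client side
	c, err := ln.Accept() // server side: the handshake, and any rejection, happens here
	if err != nil {
		return err
	}
	defer c.Close()
	return c.(*tls.Conn).Handshake()
}
```

MutualHandshake(false) fails with Go's equivalent of "null cert chain" (the client did not provide a certificate), while MutualHandshake(true) succeeds because the server's trust pool holds the client's certificate, which is the role of the soapclient alias in wso2esb_ts.jks.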