Rampart security configuration with Axis2 - axis2

I was wondering what kind of security parameters Rampart accepts. At the moment I'm using this snippet inside my services.xml:
<parameter name="OutflowSecurity">
  <action>
    <items>Timestamp Signature Encrypt</items>
    <passwordCallbackClass>org.sc.ws.PWCBHandler</passwordCallbackClass>
    <signaturePropFile>conf/security.properties</signaturePropFile>
    <encryptionUser>client</encryptionUser>
    <user>client</user>
  </action>
</parameter>
I'd like to know what other options there are, aside from Timestamp, Signature and Encrypt. Is there a complete list somewhere on the net? A documentation maybe?

Found it here: http://ws.apache.org/wss4j/config.html
Look under Configuration tags, there's a list with all of them.
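The receiving side of the same exchange, as an added example that is not part of the question or of Rampart's own documentation. It reuses the handler class and properties file named in the question; the decryptionPropFile and timeToLive parameters, and the assumption that the server's keystore holds both its own private key and the client's certificate, are mine:

```xml
<parameter name="InflowSecurity">
  <action>
    <!-- Actions the receiver requires. Rampart compares the actions found in
         the incoming security header with this list and raises an
         "actions mismatch" fault if they differ, so order and set matter. -->
    <items>Timestamp Signature Encrypt</items>
    <!-- Same callback handler as the outflow side: it supplies the password
         of the private key used for decryption. -->
    <passwordCallbackClass>org.sc.ws.PWCBHandler</passwordCallbackClass>
    <!-- WSS4J crypto properties naming the keystore that holds the peer's
         certificate (for the signature check) ... -->
    <signaturePropFile>conf/security.properties</signaturePropFile>
    <!-- ... and the keystore holding this service's private key (decryption).
         Assumed here to be the same file as above. -->
    <decryptionPropFile>conf/security.properties</decryptionPropFile>
    <!-- Replay window in seconds for the Timestamp check
         (assumed here to be honoured on the inflow side as on the outflow side). -->
    <timeToLive>300</timeToLive>
  </action>
</parameter>
```

The items list is the same action vocabulary (UsernameToken, SAMLTokenSigned, SignatureConfirmation and so on) that the WSS4J page linked above documents; whatever the sender lists in OutflowSecurity the receiver has to list in InflowSecurity.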

Related

NXLog with HTTPS: How to configure SSL and certificate?

I'm trying to use NXLog to post to a service in https.
Unfortunately, I keep receiving this error for every post attempt:
2018-12-19 09:11:14 ERROR SSL certificate verification failed: unable to get local issuer certificate (err: 20)
The service we are trying to reach is an HTTPS endpoint with a "Let's encrypt" certificate. I have no problem posting to the endpoint with tools like Postman. But NXLog keeps complaining.
I tried to play with the multiple options of the https module but since I don't really understand what they are and the documentation is not very helpful, I need help.
I tried setting HTTPSAllowUntrusted to TRUE but it doesn't change anything. I also tried providing a .pem file from Mozilla and various sources in HTTPSCADir and HTTPSCAFile but that doesn't change anything either.
Here is my latest .conf file attempt. Any help to be able to configure SSL would be welcome.
Panic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
<Extension _syslog>
Module xm_syslog
</Extension>
<Extension _charconv>
Module xm_charconv
AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>
<Extension csv>
Module xm_csv
Fields $contentName, $deviceName, $startTime, $endTime, $contentId, $deviceId
FieldTypes string, string, string, string, string, string
Delimiter ,
</Extension>
<Extension exec>
Module xm_exec
</Extension>
<Extension json>
Module xm_json
</Extension>
<Input in>
Module im_file
File "C:\\MagicInfo Premium\\runtime\\upload\\pop\\report\\*W*.csv"
Exec csv->parse_csv(); to_json();
</Input>
<Output http>
Module om_http
URL https://my-service.com/api/v1/proof-of-play-log/
HTTPSCAFile %CERTDIR%/cacert.pem
ContentType application/json
</Output>
<Route 1>
Path in => http
</Route>
To summarize: What .pem file do I need and what parameter needs to be set to do a simple post to an https endpoint that has a "Let's encrypt" certificate.
EDIT
Finally, I realised NXLog is completely buggy and badly coded so we changed to another solution...
The Intermediates May Be Missing
This is rare and may not be the solution to your problem, but it is a solution to some problems with exactly the same symptoms.
The untrusted option may be failing because it may allow untrusted cert chains, but not orphaned / incomplete chains (which is slightly different). Though, on second thought, that's probably not possible to distinguish...
But if it is the case, the extra certs you'd want to include are the intermediates listed in the "active" and "backup" sections at https://letsencrypt.org/certificates/
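To see the symptom the answer describes without a live endpoint, here is an added example (my own, not code from the question, the answer or NXLog). It builds a throw-away root -> intermediate -> leaf chain with openssl, reproduces X509 error 20 ("unable to get local issuer certificate") when the verifier has only the root and the server sends only the leaf, and then shows the two fixes: supply the intermediate with the chain, or put root and intermediate together into the CA file. The subjects, file names and DNS name are constructed; the assumption is that NXLog hands HTTPSCAFile to OpenSSL as an ordinary PEM CA bundle.

```shell
#!/bin/sh
# Added example: reproduce "unable to get local issuer certificate" (error 20)
# with a constructed root -> intermediate -> leaf chain and show what fixes it.
set -e

# make_chain DIR: write root.crt, int.crt, leaf.crt and bundle.pem (root+int) into DIR.
make_chain() {
    d=$1
    mkdir -p "$d"
    printf 'basicConstraints=critical,CA:true\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:false\nsubjectAltName=DNS:my-service.example\n' > "$d/leaf.ext"

    # Self-signed root CA (constructed, stands in for ISRG Root X1).
    openssl req -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.csr" \
        -subj "/CN=Demo Root" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -out "$d/root.crt" \
        -days 2 -extfile "$d/ca.ext" 2>/dev/null

    # Intermediate CA signed by the root (the piece a Let's Encrypt leaf chains through).
    openssl req -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" \
        -subj "/CN=Demo Intermediate" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -out "$d/int.crt" -days 2 -extfile "$d/ca.ext" 2>/dev/null

    # Server (leaf) certificate signed by the intermediate.
    openssl req -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" \
        -subj "/CN=my-service.example" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -out "$d/leaf.crt" -days 2 -extfile "$d/leaf.ext" 2>/dev/null

    # A CA file that carries the intermediate as well as the root.
    cat "$d/root.crt" "$d/int.crt" > "$d/bundle.pem"
}

# verify_leaf CAFILE LEAF [UNTRUSTED]: returns openssl verify's exit status, so 0
# only when LEAF chains up to something in CAFILE; UNTRUSTED, if given, plays the
# role of an intermediate the server included in its handshake.
verify_leaf() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2"
    else
        openssl verify -CAfile "$1" "$2"
    fi
}

demo() {
    work=$(mktemp -d)
    make_chain "$work"
    echo '1) CA file = root only, server sent only the leaf:'
    verify_leaf "$work/root.crt" "$work/leaf.crt" || echo '   -> error 20, the NXLog symptom'
    echo '2) same CA file, intermediate supplied as an untrusted chain cert:'
    verify_leaf "$work/root.crt" "$work/leaf.crt" "$work/int.crt"
    echo '3) CA file = root + intermediate bundle, leaf only:'
    verify_leaf "$work/bundle.pem" "$work/leaf.crt"
    rm -rf "$work"
}

demo
```

Case 3 is the shape of the fix for a client that only takes a CA file: concatenate the Let's Encrypt intermediates from the page linked above after the root in the file given to HTTPSCAFile. Before doing that, check what the server actually sends with `openssl s_client -connect host:443 -showcerts`; if the intermediate is missing from the handshake, the server is misconfigured and every strict client, not just NXLog, will see error 20.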

How should I set up logger for Splunk in PingFederate?

I wish to set up PingFederate to log to Splunk.
Ping describes it nicely here https://ping.force.com/Support/Configuring-PingFederate-with-Splunk but the referenced sections to be uncommented can't be found in my PF instance -- it may have been removed before my time as part of a clean-up.
What should the contents of the log4j2.xml be?
I'm using PingFederate 8.4.1.
Some additional information on configuring PingFederate's log4j2.xml is available here: https://support.pingidentity.com/s/document-item?bundleId=pingfederate-93&topicId=qst1564002981075.html
If you do not have a SecurityAudit2Splunk appender defined in your log4j2.xml, it should look something like:
<RollingFile name="SecurityAudit2Splunk" fileName="${sys:pf.log.dir}/splunk-audit.log"
filePattern="${sys:pf.log.dir}/splunk-audit.%d{yyyy-MM-dd}.log"
ignoreExceptions="false">
<PatternLayout>
<pattern>%d trackingid="%X{trackingid}" event=%X{event} subject="%X{subject}" ip=%X{ip} app=%X{app} connectionid=%X{connectionid} protocol=%X{protocol} pfhost=%X{host} role=%X{role} status=%X{status} adapterid=%X{adapterid} description="%X{description}" responsetime=%X{responsetime} %n</pattern>
</PatternLayout>
<Policies>
<TimeBasedTriggeringPolicy />
</Policies>
</RollingFile>
If you want to see an original log4j2.xml configuration file, you can always download PingFederate again to compare: https://www.pingidentity.com/en/resources/downloads/pingfederate.html
Also note that there is a PingFederate App for Splunk that can be a useful starting point for reporting: https://splunkbase.splunk.com/app/976/
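Once the appender above is writing splunk-audit.log, the lines are key=value pairs with some values quoted. As an added example (my own, not from the answer or from Ping Identity) here is a small parser for that layout and a detection over it that flags source IPs with repeated failures. The sample lines are constructed to match the PatternLayout above; the event, status and adapter values in them are assumptions, not taken from a real PingFederate log.

```shell
#!/bin/sh
# Added example: parse splunk-audit.log lines in the PatternLayout above and
# count authentication failures per source IP.
set -e

# Constructed sample of splunk-audit.log; the pattern ends each line with a space.
SAMPLE_AUDIT='2019-03-01 10:00:01,001 trackingid="t1" event=AUTHN_ATTEMPT subject="alice" ip=10.0.0.5 app=portal connectionid=sp1 protocol=SAML20 pfhost=pf-node1 role=IdP status=success adapterid=HTMLFormAdapter description="" responsetime=120 
2019-03-01 10:00:02,002 trackingid="t2" event=AUTHN_ATTEMPT subject="bob" ip=203.0.113.9 app=portal connectionid=sp1 protocol=SAML20 pfhost=pf-node1 role=IdP status=failure adapterid=HTMLFormAdapter description="Invalid credentials: user=bob" responsetime=95 
2019-03-01 10:00:03,003 trackingid="t3" event=AUTHN_ATTEMPT subject="bob" ip=203.0.113.9 app=portal connectionid=sp1 protocol=SAML20 pfhost=pf-node1 role=IdP status=failure adapterid=HTMLFormAdapter description="Invalid credentials: user=bob" responsetime=91 
2019-03-01 10:00:04,004 trackingid="t4" event=AUTHN_ATTEMPT subject="carol" ip=203.0.113.9 app=portal connectionid=sp1 protocol=SAML20 pfhost=pf-node1 role=IdP status=failure adapterid=HTMLFormAdapter description="Invalid credentials: user=carol" responsetime=88 
2019-03-01 10:00:05,005 trackingid="t5" event=AUTHN_ATTEMPT subject="dave" ip=10.0.0.5 app=portal connectionid=sp1 protocol=SAML20 pfhost=pf-node1 role=IdP status=failure adapterid=HTMLFormAdapter description="Account locked" responsetime=70 '

# audit_field NAME: print NAME's value for every line on stdin. A value is either
# quoted (and may contain spaces and '=') or a single bare token, so the line is
# walked key=value by key=value instead of being split on whitespace.
audit_field() {
    awk -v want="$1" '
    {
        rest = $0
        while (match(rest, /[A-Za-z]+=("[^"]*"|[^ ]*)/)) {
            kv = substr(rest, RSTART, RLENGTH)
            rest = substr(rest, RSTART + RLENGTH)
            eq = index(kv, "=")
            key = substr(kv, 1, eq - 1)
            val = substr(kv, eq + 1)
            gsub(/^"|"$/, "", val)
            if (key == want) print val
        }
    }'
}

# failed_logins_by_ip [MIN]: print "ip count" for each source IP with at least
# MIN (default 3) status=failure events. ip= and status= are unquoted in the
# layout, so plain whitespace splitting is safe for these two fields.
failed_logins_by_ip() {
    awk -v min="${1:-3}" '
    {
        ip = ""; status = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^ip=/)     ip = substr($i, 4)
            if ($i ~ /^status=/) status = substr($i, 8)
        }
        if (status == "failure" && ip != "") fails[ip]++
    }
    END { for (ip in fails) if (fails[ip] >= min) print ip, fails[ip] }' | sort
}

printf '%s\n' "$SAMPLE_AUDIT" | audit_field subject
printf '%s\n' "$SAMPLE_AUDIT" | failed_logins_by_ip 3
```

The same split is what a Splunk field extraction has to do: quoted values must be taken as a unit, otherwise a description such as "Invalid credentials: user=bob" yields a bogus `user` field and truncates `description` at the first space.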

How to set up membrane reverse proxy for 2 hosts with common authenication?

I have the following requirement. Please advise on how to set up the proxies.xml properly.
localhost/... user authentication is required from root level down (basically user needs to be authenticated once to access the whole website, which includes the 2 subsystems below)
localhost/subsys1/... all requests under this url should go to host1:8081
localhost/subsys2/... all requests under this url should go to host2:8082
I tried to set up the proxies.xml this way, but it doesn't seem to work.
<router>
<serviceProxy port="80">
<path>/</path>
<basicAuthentication>
<user name="guest" password="guest"/>
</basicAuthentication>
</serviceProxy>
<serviceProxy port="80">
<path>/subsys1</path>
<target host="host1" port="8081"/>
</serviceProxy>
<serviceProxy port="80">
<path>/subsys2</path>
<target host="host2" port="8082"/>
</serviceProxy>
</router>
Thanks,
Denny
I think the basic auth should be placed on the two proxied services, as they will do the auth part. If you are trying to do it globally, I haven't tried it that way and I am not sure that it can be configured as such.
http://www.membrane-soa.org/service-proxy-doc/4.2/interceptors/examples.htm. What I also found useful is that Membrane Service Proxy is built on Spring :-)
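The layout the answer suggests, written out as an added example (not from the question, the answer or the Membrane project). It assumes that a basicAuthentication interceptor applies only inside the serviceProxy that declares it, which is why it is repeated. The question's first serviceProxy matches "/" but has no target element, so it cannot forward anything; dropping it gives:

```xml
<router>
  <serviceProxy port="80">
    <path>/subsys1</path>
    <basicAuthentication>
      <user name="guest" password="guest"/>
    </basicAuthentication>
    <target host="host1" port="8081"/>
  </serviceProxy>
  <serviceProxy port="80">
    <path>/subsys2</path>
    <basicAuthentication>
      <user name="guest" password="guest"/>
    </basicAuthentication>
    <target host="host2" port="8082"/>
  </serviceProxy>
</router>
```

The user is still only prompted once: browsers resend the Basic credentials they already hold for the host to both paths. Note that Basic auth over a plain port 80 listener sends the password merely base64-encoded, so for anything beyond a local test the listener should be TLS.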

WSO2 ESB: HTTPS API

Is it possible to enable HTTPS protocol for an API on the WSO2 ESB?
https://localhost:8280/api/mySslApi
You can simply call the HTTPS endpoint of the API and it's enabled by default. Note that HTTPS port is 8243 not 8280.
https://localhost:8243/api/mySslApi
By default it is already enabled that way; if you look at the axis2.xml config, you will find the details below:
1. For HTTP
<transportReceiver name="http" class="org.apache.synapse.transport.passthru.PassThroughHttpListener">
<parameter name="port" locked="false">8280</parameter>
<parameter name="non-blocking" locked="false">true</parameter>
<!--parameter name="bind-address" locked="false">hostname or IP address</parameter-->
<!--parameter name="WSDLEPRPrefix" locked="false">https://apachehost:port/somepath</parameter-->
<parameter name="httpGetProcessor" locked="false">org.wso2.carbon.mediation.transport.handlers.PassThroughNHttpGetProcessor</parameter>
<!--<parameter name="priorityConfigFile" locked="false">location of priority configuration file</parameter>-->
</transportReceiver>
2. For HTTPS
<transportReceiver name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLListener">
<parameter name="port" locked="false">8243</parameter>
<parameter name="non-blocking" locked="false">true</parameter>
<parameter name="HttpsProtocols">TLSv1,TLSv1.1,TLSv1.2</parameter>
</transportReceiver>
Yes, in WSO2 ESB, when we want to secure a REST API, we can simply make it available via HTTPS like below.
<resource uri-template="/view/{symbol}" methods="GET" protocol="https">
And let the security handlers validate the credentials.
<handlers>
<handler class="org.wso2.rest.BasicAuthHandler"/>
</handlers>
For detailed information: https://docs.wso2.com/display/ESB490/Securing+APIs
We currently support BasicAuth/UsernameToken secured endpoints via the publisher. You may need to edit the axis2.xml for the "HostnameVerifier" parameter in case of handshake errors. Check the following link for further details.
http://docs.wso2.org/wiki/display/AM131/Adding+an+API

How to run svcutil.exe from behind authenticating proxy

I want to run the svcutil.exe tool to access a web service on the internet. Unfortunately, whenever I try, I get a bunch of errors that include the following message:
The request failed with HTTP status 407: Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied.
As I have learned from this related post (with more details here), the problem is that I am sitting behind an authenticating proxy. That post explains that I need to edit the app.config file, but I can't figure out how to do that. I think I will use the /svcutilConfig:alternate_app.config switch, but I don't know how to construct a valid .config file to pass to that switch. What is the default app.config file that svcutil.exe uses?
Well, I think I have figured out the answer to my question:
It turns out that the default .config file used by svcutil.exe is called svcutil.exe.config, and (at least for me) it lives in this folder:
C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\bin
I decided to just edit that file directly (rather than fumble around with the /svcutilConfig switch). I needed Admin privileges to do so.
The final contents of that file looked like this:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<runtime>
<generatePublisherEvidence enabled="false" />
</runtime>
<system.net>
<defaultProxy useDefaultCredentials="true" />
</system.net>
</configuration>
(with the secret sauce buried in the <system.net> element.)
In order for this all to work, I had to start the Command Prompt as Administrator, navigate to the folder listed above, and run the svcutil.exe command from there.
Hope this helps some other poor soul who gets stuck in this mess! Thanks to @AndrewWebb for the clues that got me going!