I am trying to get the WSO2 ESB to proxy over to a WSDL-based service. The service is hosted on a remote server and the server requires a mutual SSL handshake. It seems that the WSO2 ESB is not able to present a certificate while renegotiating. Has anyone else encountered this?
Please follow the steps given in the following blog post [1]
[1] http://www.soasecurity.org/2010/07/ssl-profiles-in-wso2-esb.html
WSO2 ESB has a file under repository/resources/security called client-truststore.jks. This file lists all the Certifying Authorities (CAs) that the ESB will recognise as valid when transacting over HTTPS with clients who have certificates verified by these CAs. Export the service certificate and import it into "client-truststore.jks". I hope it helps you.
I have a scenario where an external app (not on Istio) is calling our services to get some data. The client sends in its certificate in the WebRequestHandler, which we validate as a way to authenticate the client. Can this be done at the ingress-gateway level?
Please note that I am also terminating the TLS traffic at the gateway and forwarding the request to the corresponding services on different pods based on http url-regex matching. I am also okay to validate the certificate in my service's code given it reaches the service as it is (excuse me for sounding naive here, I am very new to this).
Thank you!
If you want mutual TLS between an external service and Istio's Ingress Gateway then that's possible and is documented here: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/
I have the following setup:
A self signed certificate for development purposes
An OWIN-hosted Web API, deployed on a local Azure Service Fabric cluster as an ASF service. The Web API uses HTTPS facilitated with the dev certificate in question.
A simple .net client application that calls the Web API. In that application the ServicePointManager.ServerCertificateValidationCallback method is set so it always returns true (since the CA is not trusted)
Both the client application and the Web API are on the same local development machine. The certificate is installed in that same machine on the "machine store"
Now I am able to make calls to the web API using Fiddler by providing the required client certificate. However, when I try to do the same via .NET code (be it RestSharp or WebRequest), the client certificate is not present in the RequestContext object on the server side. This results in an Unauthorized response. I do not think the problem is with the client code; the certificate is loaded correctly and assigned to the HTTP client or request. Fiddler shows encrypted tunneling to the server. However, the client certificate does not seem to be present at the server side.
I am at a complete loss regarding what I am missing that could cause this behavior. Any help will be deeply appreciated.
Install the certificate into the 'Local Machine/Trusted People'.
The server needs to already trust the certificate before it asks. The CertificateRequest message that it sends lists the acceptable CAs that can sign the client certificate. If the client certificate's signer isn't in that message, it can't send it.
How you accomplish that in your environment is left as an exercise for the reader. In general now that SSL certificates are available free there is little reason to indulge in the time costs and administrative inconveniences of self-signed certificates. IMHO there wasn't even if you were paying for a CA signature.
I had a problem when a service called another service over HTTPS and it couldn't set up a secure connection. My problem was that since the service is running as NETWORK SERVICE, it couldn't find the certificate, because it was looking in the localmachine/my certificate store.
When I was running from my web browser it was working fine because then my browser found the certificate in the currentuser/my certificate store.
Add the certificate to the machine/my store and see if it helps.
I am trying to work out how to configure a CXF consumer to use HTTPS, but use basic authentication.
I presume we need to attach our certificate using the httpj:engine-factory, but whenever I try to do that the server generates the following error:
javax.net.ssl.SSLHandshakeException: null cert chain
EDIT: I believe what is happening is that the server is requesting a client certificate, but the client does not send one. For "one-directional" SSL, I don't think the server should be asking for a certificate from the client.
How do I prevent the server from requesting a client certificate?
Any assistance greatly appreciated.
You need to install the certificate in your JVM trust store. Please go through the link below:
How to solve javax.net.ssl.SSLHandshakeException Error?
It turned out to be quite simple. In the httpj:engine-factory, there is a setting for client authentication.
<sec:clientAuthentication want="false" required="false"/>
This controls whether the server requests a certificate from the client. I had copied this from samples with Bi-Directional SSL and these values were set to true.
I am having an issue where service calls that I am making cannot validate server certificates presented by the TMG as part of connecting to the service. The certificate URLs from the TMG address are not reachable from the target servers. This is causing 30-second timeouts for new connections.
Is there a way to disable certificate revocation checks in Mule to avoid this issue?
If you're talking about Mule HTTP endpoints, then this would vary: if you're using the HTTP transport you can create a custom message dispatcher and allow the HTTP client to ignore the certificates; otherwise you can manually install the certificates in the keystore so you don't get SSL errors.
Is it possible to use mutual authentication (client SSL certificates) with WSO2 ESB? (I'm not talking about WS-Security.)
I see that it is possible to add custom keystores to the ESB but I could not find any information on how to specify what client key to use when connecting to a specific backend.
Yes. You can enable mutual authentication for an ESB proxy service. Here you need to do a small configuration to enable mutual authentication for all proxy services. You can edit the axis2.xml file and change the following property to "require":
<parameter name="SSLVerifyClient">require</parameter>
More details you can find here. However, if you are enabling mutual authentication for a given set of proxy services, there is some more to do. More details you can find here. There was an issue with an older release of the ESB, therefore you need to install some patches, but with 4.7.0 and 4.8.0 (the next release) these have been fixed.
It is actually quite simple to set up mutual SSL authentication between the ESB and a back-end server. This requires configuration of the back-end server as well. Because the ESB serves as a 'client' when initiating a connection with the back-end, the back-end server is responsible for requesting the 'mutual' SSL instead of one-way SSL. See this nice mutual SSL article for reference [1].
In order to successfully use mutual SSL with a back-end server:
1. Load the back-end server's public certificate into the default truststore, which is located in: repository/resources/security/client-truststore.jks (That's it! That's the only change necessary on the WSO2 ESB side.)
2. Load the public certificate from the WSO2 keystore into the back-end server's keystore.
3. Configure the back-end server to request mutual SSL.
If you're using a CA certificate instead of the default self-signed certificate, skip step 2.
Cheers,
Colin
[1] http://www.codeproject.com/Articles/326574/An-Introduction-to-Mutual-SSL-Authentication
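To make the two failure modes in the threads above visible from the client side (the CXF "null cert chain" error, and the point that a client can only send a certificate whose signer appears in the server's CertificateRequest), here is an added Java example that is not from any of the posts or from WSO2/CXF: it builds a mutual-TLS client SSLContext from a JKS keystore and truststore and wraps the JSSE key manager so the CAs the server asks for, and the alias chosen (or null), are printed. Keystore paths and passwords are placeholders supplied by the caller; the truststore is assumed to hold the back-end's certificate or CA, as client-truststore.jks does on the ESB side.

```java
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

public class MutualTlsDiagnostics {
    /** Wraps the JSSE key manager so the CAs named in the server's CertificateRequest,
     *  and the alias chosen in response, are printed. A null alias means no key in the
     *  keystore is signed by an acceptable CA; the server then sees an empty chain. */
    static final class LoggingKeyManager extends X509ExtendedKeyManager {
        private final X509KeyManager inner;
        LoggingKeyManager(X509KeyManager inner) { this.inner = inner; }

        @Override
        public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
            if (issuers != null) for (Principal p : issuers) System.out.println("server accepts CA: " + p.getName());
            String alias = inner.chooseClientAlias(keyTypes, issuers, socket);
            System.out.println("client alias chosen: " + alias);   // null => "null cert chain" on the server
            return alias;
        }
        // SSLEngine-based stacks (NIO transports) call this variant instead of the Socket one
        @Override
        public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine engine) {
            return chooseClientAlias(keyTypes, issuers, null);
        }
        @Override public String[] getClientAliases(String k, Principal[] i) { return inner.getClientAliases(k, i); }
        @Override public String[] getServerAliases(String k, Principal[] i) { return inner.getServerAliases(k, i); }
        @Override public String chooseServerAlias(String k, Principal[] i, Socket s) { return inner.chooseServerAlias(k, i, s); }
        @Override public X509Certificate[] getCertificateChain(String a) { return inner.getCertificateChain(a); }
        @Override public PrivateKey getPrivateKey(String a) { return inner.getPrivateKey(a); }
    }

    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, password); }
        return ks;
    }

    // Placeholder paths/passwords: keystore supplies the client certificate, truststore the back-end's CA.
    public static SSLContext buildClientContext(String ksPath, char[] ksPw, String tsPath, char[] tsPw) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks(ksPath, ksPw), ksPw);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(tsPath, tsPw));
        KeyManager[] kms = { new LoggingKeyManager((X509KeyManager) kmf.getKeyManagers()[0]) };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

Pass the returned SSLContext's socket factory to HttpsURLConnection (or the HTTP client in use); if the printed alias is null while the server lists CAs, the fix is on the trust side of the back-end (step 2 above), not in the client code.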