In here I have given an example where ESB acting as the server. 1-way SSL requires only key store in it's configuration. For mutual SSL you need to configure both trust store and the key store. In ESB we can have 2 different SSL profiles to support the above mentioned scenario. One profile for hosts requiring only 1-way SSL and another profile for the host requiring mutual SSL.
How to configure SSL profiles in WSO2 ESB.
Open
<ESB_HOME>/repository/conf/Axis2/axis2.xml.
Edit <
transportReceiver>
configurations as follows. (If ESB is acting as the client you have to edit <
transportSender>
configurations to add
customSSLProfiles.)
<
transportReceiver
name
=
"multi-https"
class
=
"org.apache.synapse.transport.nhttp.HttpCoreNIOMultiSSLListener"
>
<
parameter
name
=
"port"
>8343</
parameter
>
<
parameter
name
=
"non-blocking"
>true</
parameter
>
<
parameter
name
=
"SSLProfiles"
>
<
profile
>
<
bindAddress
>localhost:9445, localhost:9446</
bindAddress
>
<
KeyStore
>
<
Location
>/path/to/keystore1.p12</
Location
>
<
Type
>PKCS12</
Type
>
<
Password
>key1</
Password
>
<
KeyPassword
>key1</
KeyPassword
>
</
KeyStore
>
</
profile
>
<
profile
>
<
bindAddress
>localhost:9455</
bindAddress
>
<
KeyStore
>
<
Location
>/path/to/keystore2.p12</
Location
>
<
Type
>JKS</
Type
>
<
Password
>test</
Password
>
<
KeyPassword
>test</
KeyPassword
>
</
KeyStore
>
<
TrustStore
>
<
Location
>/path/to/trustStore2.jks</
Location
>
<
Type
>JKS</
Type
>
<
Password
>test</
Password
>
</
TrustStore
>
<
SSLVerifyClient
>require</
SSLVerifyClient
>
</
profile
>
</
parameter
>
</
transportReceiver
>
As you can see 1st profile contains only key store. And it has 2 bind addresses. That means hosts running on localhost:9445 and localhost:9446 will use this profile for their SSL authentication.
2nd profile has both key store and trust store configurations. And also it has
<
SSLVerifyClient
>require</
SSLVerifyClient
>
parameter added to the configuration. That is used to enable mutual SSL. This profile will be used for host running on 9445 port. Like wise we can have multiple SSL profiles for different hosts and also we can have same profile for different hosts. This is useful when you have many proxy services or APIs running on your WSO2 ESB.
No comments:
Post a Comment