Integrate With Mutual Certificate Authentication based Service


There are many ways to secure a Service/API using different Authentication mechanisms. Mutual Certificate authentication(AKA: Client Certificate Authentication) is one of the ways to secure Service or API.

Recently I was trying to integrate with an API which is secured using Mutual Certificate Authentication. In this scenario, the backend service team gave me their certificate-based on PKCS#12.

When integrating this backend system with WSO2 Platform, we have to use 'Multi-HTTPS transport'. With this 'Multi-HTTPS transport', it will grant great flexibility to define different SSL profiles with separate trust stores and key stores for different IPs or hosts. This custom SSL profile can be implemented for Client to Synapse Runtime(Client --> ESB) or Synapse Runtime to Backend(ESB --> Backend). If it is Client to ESB, then you have to define custom SSL Profiles in the transportReceiver section.

In my use-case, it was for ESB to Backend. So I had to add custom SSL profiles into the transportSender section of the axis2.xml file. Since I have a PKCS#12 based certificate file, I don't need to convert it to JKS or anything.

Let's assume Mutual Certificate Authentication based backend API URL is https://backendhost.com/api/users. The Custom SSL profiles configuration in the axis2.xml(or senderprofiles.xml in WSO2 EI 7) is like below. 


<transportSender name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLSender">
	<parameter name="non-blocking" locked="false">true</parameter>
	<parameter name="keystore" locked="false">
		<KeyStore>
			<Location>repository/resources/security/wso2carbon.jks</Location>
			<Type>JKS</Type>
			<Password>wso2carbon</Password>
			<KeyPassword>wso2carbon</KeyPassword>
		</KeyStore>
	</parameter>
	<parameter name="truststore" locked="false">
		<TrustStore>
			<Location>repository/resources/security/client-truststore.jks</Location>
			<Type>JKS</Type>
			<Password>wso2carbon</Password>
		</TrustStore>
	</parameter>
	<parameter name="customSSLProfiles">
		<profile>
			<servers>backendhost.com:443</servers>
			<KeyStore>
				<Location>repository/resources/security/backendcertificate.p12</Location>
				<Type>PKCS12</Type>
				<Password>certificatePassword</Password>
				<KeyPassword>certificatePassword</KeyPassword>
			</KeyStore>
		</profile>			
	</parameter>
	<!--<parameter name="HostnameVerifier">DefaultAndLocalhost</parameter>-->
	<!--supports Strict|AllowAll|DefaultAndLocalhost or the default if none specified -->
</transportSender>

Docs:

Multi-HTTPS Transport -  WSO2 ESB/EI

Comments

Post a Comment

Popular posts from this blog

XSLT - Modify Date and DateTime value

If you want to perform date and time related opertions with XSLT 'date' or 'dateTime' values, you can use 'xs:yearMonthDuration' or 'xs:dayTimeDuration' function to achieve this. You can add or reduce years, months, date, hours or even minutes through those functions.  xs:yearMonthDuration For this function input value is year month duration and it should be passed in  ISO_8601 format n- the [n] is replaced by the value for each of the date and time elements P - The duration designator(for period). nY- the number of years. nM- the number of months. ex: xs:yearMonthDuration('P1Y2M') - 1 Year and 2 Months ex:  xs:yearMonthDuration('-P1Y2M')  - Negative 1 Year and 2 Months xs:dayTimeDuration For this function input value is day time duration and it also needs to be passed in  ISO_8601 format n- the [n] is replaced by the value for each of the date and time elements P - The duration designator(for period). nD- the
Read more

Yield Price Sri Lanka - Android Application

Image
" Yield Price Sri Lanka " is an Android based application which helps users to check Market Price Information using their mobile devices. This application concept is based on person X( will update his name after approvals) and I did slight modifications on the application to support in a low cost infrastructure. Using this " Yield Price Sri Lanka " application, you can check prices of various goods instantly, without going to the market. I am updating price information in Daily & Weekly basis according to the Colombo Manning Market prices. Initial application was developed to support English language only. With current latest version we are supporting English, Tamil and Sinhalese languages. This application will update price information in real time and when describing the application's back-end(server) architecture, it has developed to serve JSON based output with many concurrent requests without blocking any request. Within the mobile Application wh
Read more