Question
Is it possible to use mutual authentication (client SSL certificates) with WSO2 ESB? (I'm not talking about WS-Security.)
I see that it is possible to add custom keystores to the ESB but I could not find any information on how to specify what client key to use when connecting to a specific backend.
Answer 1:
Yes. You can enable mutual authentication for ESB proxy services. Here you need to do a small configuration change to enable mutual authentication for all proxy services. You can edit the axis2.xml file and change the following property to "require":
<parameter name="SSLVerifyClient">require</parameter>
More details you can find here. However, if you are enabling mutual authentication for a given set of proxy services, there is some more to do. More details you can find here. There was an issue with older releases of the ESB, therefore you needed to install some patches, but with 4.7.0 and 4.8.0 (next release) these have been fixed.
Answer 2:
It is actually quite simple to set up mutual SSL authentication between the ESB and a back-end server. This requires configuration of the back-end server as well. Because the ESB serves as a 'client' when initiating a connection with the back-end, the back-end server is responsible for requesting the 'mutual' SSL instead of one-way SSL. See this nice mutual SSL article for reference [1].
In order to successfully use mutual SSL with a back-end server,
- Load the back-end server's public certificate into the default truststore, which is located in: repository/resources/security/client-truststore.jks (That's it! That's the only change necessary on the WSO2 ESB side.)
- Load the public certificate from the WSO2 keystore into the back-end server's keystore.
- Configure the back-end server to request mutual SSL.
If you're using a CA certificate instead of the default self-signed certificate, skip step 2.
Cheers, Colin
[1] http://www.codeproject.com/Articles/326574/An-Introduction-to-Mutual-SSL-Authentication
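The checklist above can be carried out with the JDK's keytool. The script below is an added example, not part of the original answer and not WSO2's own tooling: it generates throw-away keystores for a stand-in back-end and a stand-in ESB in a temporary directory, then performs step 1 (trust the back-end certificate in the ESB's client-truststore.jks) and step 2 (export the ESB's public certificate and import it into the back-end keystore) and checks that both aliases are present. Assumed values: the keystore passwords (`wso2carbon` is the ESB's default at install time), the aliases, the file paths and the `CN` names are all placeholders; in a real deployment point the helpers at `repository/resources/security/client-truststore.jks` and `wso2carbon.jks`. Step 3 (making the back-end request a client certificate) is server-specific and is not scripted here.

```shell
#!/bin/sh
# Added example (not from the original answer). Requires JDK keytool on PATH.
# All passwords, aliases, paths and CN values below are constructed placeholders.
set -eu

# Step 1: make the ESB trust the back-end certificate.
# $1 = back-end certificate file, $2 = ESB client-truststore.jks, $3 = alias
esb_trust_backend() {
  keytool -importcert -noprompt -storetype JKS \
    -file "$1" -keystore "$2" -storepass wso2carbon -alias "$3"
}

# Step 2a: export the ESB's public certificate (PEM) for the back-end operator.
# $1 = ESB keystore, $2 = store password, $3 = key alias, $4 = output file
esb_export_cert() {
  keytool -exportcert -rfc -keystore "$1" -storepass "$2" -alias "$3" -file "$4"
}

# Step 2b: import the ESB certificate into the back-end's own keystore/truststore.
# $1 = ESB cert file, $2 = back-end keystore, $3 = store password, $4 = alias
backend_trust_esb() {
  keytool -importcert -noprompt -storetype JKS \
    -file "$1" -keystore "$2" -storepass "$3" -alias "$4"
}

# Check: does the keystore contain the alias? Exit status 0 if yes, non-zero if not.
keystore_has_alias() {
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# End-to-end run against constructed stand-in stores in a temp directory.
# Returns 0 when both trust relationships are in place.
demo() {
  work=$(mktemp -d)
  backend_ks="$work/backend.jks"          # stand-in for the back-end server keystore
  esb_ks="$work/wso2carbon.jks"           # stand-in for the ESB's wso2carbon.jks
  esb_ts="$work/client-truststore.jks"    # stand-in for the ESB's client-truststore.jks

  # Constructed key pairs so the example runs offline.
  keytool -genkeypair -storetype JKS -keyalg RSA -keysize 2048 -validity 365 \
    -alias backend -dname "CN=backend.example.test" \
    -keystore "$backend_ks" -storepass backendpass -keypass backendpass
  keytool -genkeypair -storetype JKS -keyalg RSA -keysize 2048 -validity 365 \
    -alias wso2carbon -dname "CN=esb.example.test" \
    -keystore "$esb_ks" -storepass wso2carbon -keypass wso2carbon

  # Back-end operator hands over its certificate; ESB side imports it (step 1).
  keytool -exportcert -rfc -keystore "$backend_ks" -storepass backendpass \
    -alias backend -file "$work/backend.pem"
  esb_trust_backend "$work/backend.pem" "$esb_ts" backend

  # ESB operator hands over its certificate; back-end imports it (step 2).
  esb_export_cert "$esb_ks" wso2carbon wso2carbon "$work/wso2carbon.pem"
  backend_trust_esb "$work/wso2carbon.pem" "$backend_ks" backendpass wso2esb

  keystore_has_alias "$esb_ts" wso2carbon backend &&
    keystore_has_alias "$backend_ks" backendpass wso2esb
}
```

The back-end still has to be told to ask for the client certificate (step 3); for example a Tomcat HTTPS connector does that with `clientAuth="true"`, and other servers have their own equivalent. If the ESB's certificate is CA-issued, the back-end only needs to trust that CA, which is why the answer says step 2 can be skipped.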
Source: https://stackoverflow.com/questions/20215809/wso2-esb-proxy-backend-with-mutual-authentication