
How to enable Outgoing WS-Security in WSO2 ESB 4.9.0?


I need to create a proxy in the WSO2 ESB (4.9.0) to expose a secured backend webservice as an unsecured webservice, just like this image:

Exposing WS-Security secured backend WS as a plain WS

I want to use "Sign & Encrypt with X.509 authentication" WS-Security Policy.

This is my proxy "source view":

<proxy xmlns="http://ws.apache.org/ns/synapse"
       name="OutgoingSecurityProxy"
       transports="http,https"
       statistics="enable"
       trace="enable"
       startOnLoad="true">
   <!-- NOTE(review): trace="enable" records mediation traces for this proxy, and the inbound
        client request is still plaintext at that point; treat it as a debugging-only setting. -->
   <target>
      <inSequence>
         <!-- The unsecured client request is forwarded unchanged; WS-Security is applied
              only on the outgoing leg, by the endpoint below. -->
         <send>
            <endpoint>
               <address uri="http://mylocalIP:80/mock_serverTest">
                  <!-- The backend is reached over plain HTTP, so only the parts the policy
                       signs/encrypts are protected on the wire; everything else travels in clear. -->
                  <enableAddressing/>
                  <!-- Engages Rampart with the referenced WS-Security policy. "SecurityPolicyOut" is
                       presumably the key of the Local Entry holding the policy — confirm the key matches. -->
                  <enableSec policy="SecurityPolicyOut"/>
               </address>
            </endpoint>
         </send>
      </inSequence>
      <outSequence>
         <!-- Strips the wsse:Security header from the backend response, presumably so the
              plain client is not handed a security header it cannot process. -->
         <header xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                 name="wsse:Security"
                 action="remove"/>
         <send/>
      </outSequence>
   </target>
   <publishWSDL uri="http://mylocalIP:80/mock_serverTest?WSDL"/>
   <description/>
</proxy>

and this is the security policy used, loaded as a "Local Entry" (it is the default policy for the sign & encrypt / X.509 authentication scenario; I only changed the keystore-related information).

<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SigEncr">
      <wsp:ExactlyOne>
         <wsp:All>
            <!-- Asymmetric binding: the initiator's X.509 token is sent with every message
                 (AlwaysToRecipient), the recipient's token is never sent (Never), so the
                 recipient certificate must already be present locally — presumably in the
                 truststore configured further down. -->
            <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
               <wsp:Policy>
                  <sp:InitiatorToken>
                     <wsp:Policy>
                        <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                           <wsp:Policy>
                              <sp:RequireThumbprintReference/>
                              <sp:WssX509V3Token10/>
                           </wsp:Policy>
                        </sp:X509Token>
                     </wsp:Policy>
                  </sp:InitiatorToken>
                  <sp:RecipientToken>
                     <wsp:Policy>
                        <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                           <wsp:Policy>
                              <sp:RequireThumbprintReference/>
                              <sp:WssX509V3Token10/>
                           </wsp:Policy>
                        </sp:X509Token>
                     </wsp:Policy>
                  </sp:RecipientToken>
                  <!-- NOTE(review): Basic256 is the WS-SecurityPolicy 1.1 suite (AES-256 with SHA-1
                       digests). Both sides must agree on the suite; if the backend supports a
                       SHA-2 based suite, prefer it — confirm against the backend's policy. -->
                  <sp:AlgorithmSuite>
                     <wsp:Policy>
                        <sp:Basic256/>
                     </wsp:Policy>
                  </sp:AlgorithmSuite>
                  <sp:Layout>
                     <wsp:Policy>
                        <sp:Strict/>
                     </wsp:Policy>
                  </sp:Layout>
                  <!-- A wsu:Timestamp is added and signed; its validity window is governed by the
                       timestampTTL / timestampMaxSkew settings in the RampartConfig below. -->
                  <sp:IncludeTimestamp/>
                  <sp:OnlySignEntireHeadersAndBody/>
               </wsp:Policy>
            </sp:AsymmetricBinding>
            <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
               <wsp:Policy>
                  <sp:MustSupportRefKeyIdentifier/>
                  <sp:MustSupportRefIssuerSerial/>
                  <sp:MustSupportRefThumbprint/>
                  <sp:MustSupportRefEncryptedKey/>
                  <sp:RequireSignatureConfirmation/>
               </wsp:Policy>
            </sp:Wss11>
            <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
               <wsp:Policy>
                  <sp:MustSupportRefKeyIdentifier/>
                  <sp:MustSupportRefIssuerSerial/>
               </wsp:Policy>
            </sp:Wss10>
            <!-- Only the SOAP Body is signed and encrypted; SOAP headers (addressing etc.)
                 are neither integrity-protected nor confidential under this policy. -->
            <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
               <sp:Body/>
            </sp:SignedParts>
            <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
               <sp:Body/>
            </sp:EncryptedParts>
         </wsp:All>
      </wsp:ExactlyOne>
      <!-- Rampart runtime settings for the ESB acting as the WS-Security client on this outgoing leg.
           NOTE(review): no passwordCallbackClass is configured here, which is what the
           "Password CallbackHandler not specified in rampart configuration policy" fault in
           the log reports; Rampart needs the callback to obtain the password of the signing key. -->
      <rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
         <!-- Presumably the keystore alias of the private key used for signing (it matches the
              signatureCrypto alias below); the callback handler must supply this alias's password. -->
         <rampart:user>service</rampart:user>
         <!-- NOTE(review): useReqSigCert means "encrypt with the certificate that signed the
              incoming request", which fits a service responding to a signed request. On an
              outgoing client call there is no such request; this likely needs to be the
              backend certificate's alias in the truststore — confirm with the backend setup. -->
         <rampart:encryptionUser>useReqSigCert</rampart:encryptionUser>
         <rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
         <!-- Timestamp validity (seconds) and tolerated clock skew (seconds). -->
         <rampart:timestampTTL>300</rampart:timestampTTL>
         <rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
         <!-- NOTE(review): strict timestamp checking is disabled here; keep the window tight
              and strict in production so replayed messages are rejected. -->
         <rampart:timestampStrict>false</rampart:timestampStrict>
         <rampart:tokenStoreClass>org.wso2.carbon.security.util.SecurityTokenStore
        </rampart:tokenStoreClass>
         <rampart:nonceLifeTime>300</rampart:nonceLifeTime>
         <!-- Crypto used for encryption. Note the same keystore file serves as both the private
              store and the truststore, so the backend certificate must be imported into it. -->
         <rampart:encryptionCrypto>
            <rampart:crypto cryptoKey="org.wso2.carbon.security.crypto.privatestore" provider="org.wso2.carbon.security.util.ServerCrypto">
               <rampart:property name="org.wso2.carbon.security.crypto.alias">client</rampart:property>
               <rampart:property name="org.wso2.carbon.security.crypto.privatestore">mykeystore.jks</rampart:property>
               <!-- -1234 is presumably the WSO2 Carbon super-tenant id — confirm for this deployment. -->
               <rampart:property name="org.wso2.stratos.tenant.id">-1234</rampart:property>
               <rampart:property name="org.wso2.carbon.security.crypto.truststores">mykeystore.jks</rampart:property>
               <rampart:property name="rampart.config.user">service</rampart:property>
            </rampart:crypto>
         </rampart:encryptionCrypto>
         <!-- Crypto used for signing; the alias here is the key whose password the
              (missing) callback handler has to provide. -->
         <rampart:signatureCrypto>
            <rampart:crypto cryptoKey="org.wso2.carbon.security.crypto.privatestore" provider="org.wso2.carbon.security.util.ServerCrypto">
               <rampart:property name="org.wso2.carbon.security.crypto.alias">service</rampart:property>
               <rampart:property name="org.wso2.carbon.security.crypto.privatestore">mykeystore.jks</rampart:property>
               <rampart:property name="org.wso2.stratos.tenant.id">-1234</rampart:property>
               <rampart:property name="org.wso2.carbon.security.crypto.truststores">mykeystore.jks</rampart:property>
               <rampart:property name="rampart.config.user">service</rampart:property>
            </rampart:crypto>
         </rampart:signatureCrypto>
      </rampart:RampartConfig>
   </wsp:Policy>

The backend "secured" WS (http://mylocalIP:80/mock_serverTest) is a WS-Security-enabled "mock" of a plain WS, created with SoapUI and running on my desktop machine.

When I try to invoke the ESB service with SOAPUI I get the error "org.apache.axis2.AxisFault: Password CallbackHandler not specified in rampart configuration policy or the CallbackHandler instance not available in the MessageContext" :

16:17:45,465 [-] [PassThroughMessageProcessor-1]  WARN TRACE_LOGGER Executing fault handler due to exception encountered
16:17:45,466 [-] [PassThroughMessageProcessor-1]  WARN TRACE_LOGGER ERROR_CODE : 0
16:17:45,466 [-] [PassThroughMessageProcessor-1]  WARN TRACE_LOGGER ERROR_MESSAGE : Unexpected error during sending message out
16:17:45,471 [-] [PassThroughMessageProcessor-1]  WARN TRACE_LOGGER ERROR_DETAIL : org.apache.synapse.SynapseException: Unexpected error during sending message out
    at org.apache.synapse.core.axis2.Axis2Sender.handleException(Axis2Sender.java:247)
    at org.apache.synapse.core.axis2.Axis2Sender.sendOn(Axis2Sender.java:91)
    at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.send(Axis2SynapseEnvironment.java:461)
    at org.apache.synapse.endpoints.AbstractEndpoint.send(AbstractEndpoint.java:372)
    at org.apache.synapse.endpoints.AddressEndpoint.send(AddressEndpoint.java:65)
    at org.apache.synapse.mediators.builtin.SendMediator.mediate(SendMediator.java:105)
    at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:81)
    at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:48)
    at org.apache.synapse.mediators.base.SequenceMediator.mediate(SequenceMediator.java:149)
    at org.apache.synapse.core.axis2.ProxyServiceMessageReceiver.receive(ProxyServiceMessageReceiver.java:185)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
    at org.apache.synapse.transport.passthru.ServerWorker.processEntityEnclosingRequest(ServerWorker.java:395)
    at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:142)
    at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.axis2.AxisFault: Password CallbackHandler not specified in rampart configuration policy or the CallbackHandler instance not available in the MessageContext
    at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:76)
    at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
    at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
    at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
    at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:426)
    at org.apache.synapse.core.axis2.DynamicAxisOperation$DynamicOperationClient.send(DynamicAxisOperation.java:185)
    at org.apache.synapse.core.axis2.DynamicAxisOperation$DynamicOperationClient.executeImpl(DynamicAxisOperation.java:167)
    at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
    at org.apache.synapse.core.axis2.Axis2FlexibleMEPClient.send(Axis2FlexibleMEPClient.java:542)
    at org.apache.synapse.core.axis2.Axis2Sender.sendOn(Axis2Sender.java:79)
    ... 15 more
Caused by: org.apache.rampart.RampartException: Password CallbackHandler not specified in rampart configuration policy or the CallbackHandler instance not available in the MessageContext
    at org.apache.rampart.builder.BindingBuilder.getSignatureBuilder(BindingBuilder.java:312)
    at org.apache.rampart.builder.BindingBuilder.getSignatureBuilder(BindingBuilder.java:265)
    at org.apache.rampart.builder.AsymmetricBindingBuilder.doSignature(AsymmetricBindingBuilder.java:761)
    at org.apache.rampart.builder.AsymmetricBindingBuilder.doSignBeforeEncrypt(AsymmetricBindingBuilder.java:457)
    at org.apache.rampart.builder.AsymmetricBindingBuilder.build(AsymmetricBindingBuilder.java:97)
    at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:147)
    at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:65)
    ... 24 more

Any clues?

Thanks in advance!


Solution

  • The link above (sample 100 of WSO2 ESB) doesn't implement a password callback handler. You need to create the required password callback handler for your sign and encrypt policy. Here is information on how to create a password callback (PWCB) class: http://pathberiya.blogspot.co.uk/2010/02/how-to-create-password-callback-class.html

    Regards.