Search code examples
sslwso2wso2-esbwso2-enterprise-integratormutual-authentication

To enable Mutual SSL Authentication (2 way SSL) in WSO2 EI 6.X.X(Docker)


There is a requirement in which client app will accept only certificate based authentication, I believe this can be achieved by enabling mutual SSL Auth in WSO2 EI.

This above scenario will applicable for both Inbound (Client APP --> WSO2 EI)and Outbound Flow(WSO2 EI --> Client APP).

Steps followed in Local system for Testing purpose:

  • Generating keystore and self-signed certificate:

C:\Program Files\Java\jdk1.8.0_291\bin>keytool -genkey -keyalg RSA -alias eitest -keystore "C:\path_eiserver\repository\resources\security\eitest.jks"

  • Exporting certificate

C:\Program Files\Java\jdk1.8.0_291\bin>keytool -export -alias eitest -file "C:\path_eiserver\repository\resources\security\eitest_public_cert.cer" -keystore "C:\path_eiserver\\repository\resources\security\eitest.jks"

Post executing above mentioned each steps, i got below WARNING.

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore C:\ei_pathserver\repository\resources\security\eitest.jks -destkeystore C:\ei_pathserver\repository\resources\security\eitest.jks -deststoretype pkcs12".

Even though got above WARNING required files generated

requiredfiles

certificate

Can i ignore above WARNING? if YES what is the next step to make WSO2 EI REST API as secured with Mutual Authentication? if NO can i know further steps to be taken care?

References:

Ref link 1

Ref link 2

youtube referred

May I know the complete steps to achieve this Mutual Authentication in WSO2 EI?


Solution

  • You don't have to create new Keystores to enable MTLS. MTLS simply requires you to import the certificates that need to be validated.

    Enabling MTLS for Client EI connection

    Inorder to enable MTLS for the Client -> EI connection follow the steps below.

    1. Import the Clients Public certificate to WSO2's client-trustore.jks.
    2. Then in axis2.xml under the <transportReceiver name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLListener"> section add the following parameter.
    <parameter name="SSLVerifyClient">require</parameter>
    

    Note: If you add require all the connections coming to WSO2 will require MTLS validations, if you want to make MTLS validation optional you can add optional instead of require. When set to optional only if the Client sends its certificate MTLS validation will be performed.

    Enabling MTLS for EI and Backend connection

    In order to enable MTLS for the EI -> BE connection follow the steps below.

    You can either create a separate Keystore for the connection. Or you can simply point to the existing Keystore and the Trustore.

    1. First import the BE public cert into the Trustore you are using.
    2. Export the Public cert used in EI and import it to the BE Trustore.
    3. Now you can enable SSL dynamic profiles. Open axis2.xml and add the following to <transportSender name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLSender"> section.
    <parameter name="dynamicSSLProfilesConfig">
     <filePath>repository/conf/sslprofiles/sslprofiles.xml</filePath>
     <fileReadInterval>3600000</fileReadInterval>  
    </parameter>
    

    then create a file at repository/conf/sslprofiles/sslprofiles.xml and add the following content.

    <parameter name="customSSLProfiles">
     <profile>
      <servers>your_server_address(e.g: something.test.com)</servers>
      <KeyStore>
        <Location>repository/resources/security/yourks.jks</Location>
        <Type>JKS</Type>
        <Password>123456</Password>
        <KeyPassword>123456</KeyPassword>
       </KeyStore>
      <TrustStore>
        <Location>repository/resources /security/yourtruststore.jks</Location>
        <Type>JKS</Type>
       <Password>123456</Password>
      </TrustStore>
    </profile>
    </parameter>
    

    With the above configuration for the connections that are made to something.test.com MTLS will be applied.