Monday, April 3, 2017

Mutual SSL (Two way SSL) with WSO2 Enterprise Service Bus

This article gives a brief explanation about how we can make WSO2 ESB 5.0.0 for Mutual SSL Communication

Here is a  diagram which gives you a clear idea about how mutual SSL communication happens.


We can define 4 steps for mutual SSL communication.

(1) Client says hello and request for the Server certificate
(2) Server says hello with the certificate

That is the first handshake that happens , but when you enable mutual SSL there is a another handshake happens.

(3) Server says hello with requesting for the client certificate
(4) Client says hello back with the certificate

ONCE BOTH THE PARTIES TRUST EACH OTHER THEY ESTABLISH THE CONNECTION FOR FURTHER ACTIONS BETWEEN CLIENT AND THE SERVER.

FOR THE CLIENT TO TRUST THE SERVER

Client trust store should have the CA certificate / server certificate - signed by CA of the server

FOR SERVER TO TRUST THE CLIENT

 Server trust store should contain the CA certificate / client certificate - signed by CA of the client

Lets move on to a sample which shows how mutual SSL can be configured in WSO2 ESB 5.0.0

To demonstrate we have two ESB servers, one is acting as the client and other one is backend.

Steps need to be done in client ESB server


Navigate to wso2esb-5.0.0/repository/resources/security in client server ESB and use following commands

Step 1 : Create a Keystore


keytool -genkey -alias partner1 -keyalg RSA -keysize 4096 -keystore partner1_keystore.jks -dname "C=LK,ST=WP,L=Colombo,O=WSO2,OU=Carbon,CN=partner1.com" -storepass partner1 -keypass partner1 

Step 2 : Create a certificate signing request


keytool -certreq -alias partner1 -file partner1certreq.csr -keystore partner1_keystore.jks -storepass partner1 -keypass partner1


Step 3 : Create a private key using passphrase


openssl genrsa -des3 -passout pass:capassword -out ca.key 4096


Step 4 : Create the CA certificate using the private key


openssl req -new -x509 -extensions v3_ca -key ca.key -passin pass:capassword -out ca.crt -days 365 -subj "/C=LK/ST=WP/L=Colombo/O=WSO2/OU=Carbon/CN=caauthority"


Step 5 : Sign the CSR using CA Certificate


openssl x509 -req -days 365 -in partner1certreq.csr -CA ca.crt -CAkey ca.key -passin pass:capassword -set_serial 559823400 -out partner1signedcert.crt


Now we need to import the partner1signedcert.crt to created new keystore (partner1_keystore.jks). When importing as we have signed the certificate using our own created CA, first we need to import the CA certificate to keystore then only we can load the partner1signedcert.crt.

Step 6 : Import ca certificate to keystore


keytool -import -trustcacerts -alias ca1 -file ca.crt -keystore partner1_keystore.jks -storepass partner1


Step 7 :Import signed certificate to keystore


keytool -import -v -alias partner1 -file partner1signedcert.crt -keystore partner1_keystore.jks -keypass partner1 -storepass partner1


Step 8 :By using below command you can see whether the certificates are added to the keystore 


keytool -list -v -keystore partner1_keystore.jks -storepass partner1

Steps need to be done in Backend ESB server

Navigate to wso2esb-5.0.0/repository/resources/security in backend server ESB and use following commands

Step 1 : Create a Keystore


keytool -genkey -alias partner2 -keyalg RSA -keysize 4096 -keystore partner2_keystore.jks -dname "C=LK,ST=WP,L=Colombo,O=WSO2,OU=Carbon,CN=partner2.com" -storepass partner2 -keypass partner2


Step 2 : Create a certificate signing request


keytool -certreq -alias partner2 -file partner2certreq.csr -keystore partner2_keystore.jks -storepass partner2 -keypass partner2


Step 3 : Create a private key using passphrase


openssl genrsa -des3 -passout pass:capassword -out ca2.key 4096


Step 4 : Create the CA certificate using the private key


openssl req -new -x509 -extensions v3_ca -key ca2.key -passin pass:capassword -out ca2.crt -days 365 -subj "/C=LK/ST=WP/L=Colombo/O=WSO2/OU=Carbon/CN=caauthority"

Step 5 : Sign the CSR using CA Certificate


openssl x509 -req -days 365 -in partner2certreq.csr -CA ca2.crt -CAkey ca2.key -passin pass:capassword -set_serial 559823400 -out partner2signedcert.crt


Step 6 : Import ca certificate to keystore


keytool -import -trustcacerts -alias ca2 -file ca2.crt -keystore partner2_keystore.jks -storepass partner2


Step 7 : Import signed certificate to keystore


keytool -import -v -alias partner2 -file partner2signedcert.crt -keystore partner2_keystore.jks -keypass partner2 -storepass partner2


Now we have created two new keystores and added the two certificates generated to the keystores separately in client and server ESB servers.

Now we need to exchange the certificates between client and server inorder to create a mutual SSL communication. So we need to import ca.crt and partner1signedcert.crt to server ESB trust store and need to import ca2.crt and partner2signedcert.crt to client ESB trust store.

In Client Side


keytool -import -v -alias partner2 -file partner2signedcert.crt -keystore client-truststore.jks -keypass wso2carbon -storepass wso2carbon


keytool -import -trustcacerts -alias ca2 -file ca2.crt -keystore client-truststore.jks -storepass wso2carbon


In server side


keytool -import -trustcacerts -alias ca1 -file ca.crt -keystore client-truststore.jks -storepass wso2carbon


keytool -import -v -alias partner1 -file partner1signedcert.crt -keystore client-truststore.jks -keypass wso2carbon -storepass wso2carbon


That's all you need to do.  Restart the two server with after enable SSL logs.

To enable the SSL logs use below command:


sh wso2server.sh -Djavax.net.debug=all

Create a proxy in client side  ESB and provide the back end ESB server service url as endpoint url in send mediator of the created proxy in client ESB server.

Then once you send the request to client ESB, you can see that certificates are shared between two ESB servers and started the Mutual SSL communication between client and backend ESB servers.

Hope you got an idea about Mutual SSL communication WSO2 ESB.

Thanks.

Blogger Widgets