Here is a diagram which gives you a clear idea of how mutual SSL communication happens.
We can define four steps for mutual SSL communication.
(1) The client says hello and requests the server certificate.
(2) The server says hello and presents its certificate.
That is the first handshake that happens, but when you enable mutual SSL an additional exchange takes place.
(3) The server says hello and requests the client certificate.
(4) The client says hello back and presents its certificate.
Once both parties trust each other, they establish the connection for further actions between the client and the server.
FOR THE CLIENT TO TRUST THE SERVER
The client trust store must contain the CA certificate that signed the server certificate (or the server certificate itself).
FOR THE SERVER TO TRUST THE CLIENT
The server trust store must contain the CA certificate that signed the client certificate (or the client certificate itself).
Let's move on to a sample which shows how mutual SSL can be configured in WSO2 ESB 5.0.0.
To demonstrate, we have two ESB servers: one acts as the client and the other as the backend.
Steps to be done in the client ESB server
Navigate to wso2esb-5.0.0/repository/resources/security in the client ESB server and run the following commands.
Step 1 : Create a Keystore
keytool -genkey -alias partner1 -keyalg RSA -keysize 4096 -keystore partner1_keystore.jks -dname "C=LK,ST=WP,L=Colombo,O=WSO2,OU=Carbon,CN=partner1.com" -storepass partner1 -keypass partner1
Step 2 : Create a certificate signing request
keytool -certreq -alias partner1 -file partner1certreq.csr -keystore partner1_keystore.jks -storepass partner1 -keypass partner1
Step 3 : Create a CA private key protected by a passphrase
openssl genrsa -des3 -passout pass:capassword -out ca.key 4096
Step 4 : Create the CA certificate using the private key
openssl req -new -x509 -extensions v3_ca -key ca.key -passin pass:capassword -out ca.crt -days 365 -subj "/C=LK/ST=WP/L=Colombo/O=WSO2/OU=Carbon/CN=caauthority"
Step 5 : Sign the CSR using the CA certificate
openssl x509 -req -days 365 -in partner1certreq.csr -CA ca.crt -CAkey ca.key -passin pass:capassword -set_serial 559823400 -out partner1signedcert.crt
Now we need to import partner1signedcert.crt into the newly created keystore (partner1_keystore.jks). Because the certificate was signed by our own CA, the CA certificate must be imported into the keystore first; only then can partner1signedcert.crt be loaded against its alias.
Step 6 : Import the CA certificate into the keystore
keytool -import -trustcacerts -alias ca1 -file ca.crt -keystore partner1_keystore.jks -storepass partner1
Step 7 : Import the signed certificate into the keystore
keytool -import -v -alias partner1 -file partner1signedcert.crt -keystore partner1_keystore.jks -keypass partner1 -storepass partner1
Step 8 : Use the command below to check that the certificates have been added to the keystore
keytool -list -v -keystore partner1_keystore.jks -storepass partner1
Steps to be done in the backend ESB server
Navigate to wso2esb-5.0.0/repository/resources/security in the backend ESB server and run the following commands.
Step 1 : Create a Keystore
keytool -genkey -alias partner2 -keyalg RSA -keysize 4096 -keystore partner2_keystore.jks -dname "C=LK,ST=WP,L=Colombo,O=WSO2,OU=Carbon,CN=partner2.com" -storepass partner2 -keypass partner2
Step 2 : Create a certificate signing request
keytool -certreq -alias partner2 -file partner2certreq.csr -keystore partner2_keystore.jks -storepass partner2 -keypass partner2
Step 3 : Create a CA private key protected by a passphrase
openssl genrsa -des3 -passout pass:capassword -out ca2.key 4096
Step 4 : Create the CA certificate using the private key
openssl req -new -x509 -extensions v3_ca -key ca2.key -passin pass:capassword -out ca2.crt -days 365 -subj "/C=LK/ST=WP/L=Colombo/O=WSO2/OU=Carbon/CN=caauthority"
Step 5 : Sign the CSR using the CA certificate
openssl x509 -req -days 365 -in partner2certreq.csr -CA ca2.crt -CAkey ca2.key -passin pass:capassword -set_serial 559823400 -out partner2signedcert.crt
Step 6 : Import the CA certificate into the keystore
keytool -import -trustcacerts -alias ca2 -file ca2.crt -keystore partner2_keystore.jks -storepass partner2
Step 7 : Import the signed certificate into the keystore
keytool -import -v -alias partner2 -file partner2signedcert.crt -keystore partner2_keystore.jks -keypass partner2 -storepass partner2
Now we have created two new keystores and added the generated certificates to them, separately on the client and backend ESB servers.
Next we need to exchange the certificates between client and server in order to set up mutual SSL communication. So we import ca.crt and partner1signedcert.crt into the backend ESB trust store, and ca2.crt and partner2signedcert.crt into the client ESB trust store.
On the client side
keytool -import -v -alias partner2 -file partner2signedcert.crt -keystore client-truststore.jks -keypass wso2carbon -storepass wso2carbon
keytool -import -trustcacerts -alias ca2 -file ca2.crt -keystore client-truststore.jks -storepass wso2carbon
On the server side
keytool -import -trustcacerts -alias ca1 -file ca.crt -keystore client-truststore.jks -storepass wso2carbon
keytool -import -v -alias partner1 -file partner1signedcert.crt -keystore client-truststore.jks -keypass wso2carbon -storepass wso2carbon
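Before restarting the servers, it is worth checking that each partner certificate actually chains to the CA the other side is about to trust. The script below is an added example, not part of the original post: it rebuilds the same two-CA layout with openssl alone (assumptions: no keytool, unencrypted CA keys, and distinct CA CNs so the two authorities are distinguishable) in a scratch directory, and shows that partner1 validates only against the first CA and partner2 only against the second, which is why ca.crt must go into the backend trust store and ca2.crt into the client trust store.

```shell
#!/bin/sh
# Added example (not from the original post): two CAs, two partner certs, chain checks.
# Requires only openssl; keys are unencrypted and CA CNs are distinct (assumptions).
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# make_ca <name>: self-signed CA certificate and key (like Steps 3 and 4, minus the passphrase)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1.key" -out "$1.crt" \
        -subj "/C=LK/ST=WP/L=Colombo/O=WSO2/OU=Carbon/CN=$1" >/dev/null 2>&1
}

# make_leaf <partner> <ca>: key plus CSR, then sign the CSR with the given CA (Steps 1, 2 and 5)
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/C=LK/ST=WP/L=Colombo/O=WSO2/OU=Carbon/CN=$1.com" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
        -set_serial 559823400 -out "$1.crt" >/dev/null 2>&1
}

# verify_chain <cert> <ca>: prints "ok" when <cert>.crt chains to <ca>.crt, otherwise "fail".
# The output is grepped rather than relying on the exit status, which older openssl
# releases did not set on verification failure.
verify_chain() {
    if openssl verify -CAfile "$2.crt" "$1.crt" 2>/dev/null | grep -q ': OK$'; then
        echo ok
    else
        echo fail
    fi
}

# Same layout as the post: client partner1 under CA 1, backend partner2 under CA 2.
make_ca caauthority1
make_ca caauthority2
make_leaf partner1 caauthority1
make_leaf partner2 caauthority2

# Trust matrix: each certificate validates only against its own CA, so the backend
# needs caauthority1 (ca.crt in the post) and the client needs caauthority2 (ca2.crt).
for cert in partner1 partner2; do
    for ca in caauthority1 caauthority2; do
        printf '%s against %s: %s\n' "$cert" "$ca" "$(verify_chain "$cert" "$ca")"
    done
done
```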
That's all you need to do. Restart the two servers with SSL debug logging enabled.
To enable the SSL logs, use the command below:
sh wso2server.sh -Djavax.net.debug=all
Create a proxy in the client ESB and set the backend ESB service URL as the endpoint URL in the send mediator of that proxy.
Then, once you send a request to the client ESB, you can see in the logs that certificates are exchanged between the two ESB servers and mutual SSL communication starts between the client and backend ESBs.
Hope you got an idea about mutual SSL communication in WSO2 ESB.
Thanks.