Hi,

From my point of view this is OK, as far as you can restrict the access with the certificates.

Regarding the performance, as far as your client side (one who talks to Synapse) and the server side (one to whom Synapse is supposed to talk) support HTTP/1.1 with KeepAlive, it is not going to be a big issue, because the established connection between the client and Synapse or Synapse and the server will be reused, so that the handshake overhead and the rest of the SSL overhead will be there only for the connection establishment request, because the Synapse nhttp transport is fully asynchronous and supports KeepAlive for SSL.

Alternatively, from the application's POV, it is better to have application level security like WS-Security over the exposed web services based on the policy, as you already understand.

Hope this helps...

Thanks,
Ruwan

On Thu, Jun 11, 2009 at 12:07 AM, segal96 <[email protected]> wrote:

> Using the StockQuoteclient/server samples, I have setup Synapse for 2-way SSL
> (Client cert) between the client and Synapse, and also between Synapse and
> the backend web service. I've setup the truststores so that only trusted
> web clients can connect with Synapse, and only Synapse can connect with the
> backend web services.
>
> I am relatively new to SOA/web services, and I wanted to know from the
> experts if this seems like a viable approach. I do understand the tradeoffs
> between transport & message level security. Also, I have an existing PKI
> available, so no worries with certificate management. Is there anything
> else I need to consider with this design??? E.g. performance?
> --
> View this message in context:
> http://www.nabble.com/Synapse-2-way-SSL-w--Client-Certificates-tp23968440p23968440.html
> Sent from the Synapse - Dev mailing list archive at Nabble.com.

--
Ruwan Linton
Senior Software Engineer & Product Manager; WSO2 ESB; http://wso2.org/esb
WSO2 Inc.; http://wso2.org
email: [email protected]; cell: +94 77 341 3097
blog: http://ruwansblog.blogspot.com
