On Tue, Jul 21, 2009 at 02:05, Ruwan Linton<[email protected]> wrote:
>
> On Mon, Jul 20, 2009 at 10:19 PM, indika kumara <[email protected]>
> wrote:
>>
>> I agree with Asankha,
>>
>> Requirement is to enable to represent multiple identities by synapse
>> itself and also call to external services whose identities are different.
>> For first requirement it may need to expose identities at proxy services
>> level. For second requirement, it may need ability to specify and use
>> multiple client certificates at endpoint level when calling different
>> external services.
>>
>> Giving Multiple SSLContexts is the scalable solution. Especially, for the
>> requirement one, using reactor will not be scalable. Even for second
>> requirement.
>>
>> But, it seems in the current IOreactor implementation it is only possible
>> to be given one SSLContext (with IOEventDispatch).
>>
>> Seems like we need a new IOEventDispatch implementation that takes a Map of
>> SSLContexts (or composite IOEventDispatch) and then within method,
>>
>> public void connected (final IOSession session)
>>
>> Based on information on IOSession session, pick the correct SSLContext.
>> I am not sure possibility of this, but Asankha or Oleg sure knows this.
>
> Asankha, Indika is correct on the above comment I guess... IOReactor has
> one-to-one relationship with the SSLContext, I think that is why Hiranya
> wanted multiple IOReactors to support this.
>
> Is there a mechanism where you can provide multiple SSLContexts to the
> IOEventDispatcher?? I suggest we get the patch from Hiranya and improve it
> to support this scenario, since he has some working code already. WDYT?
>
> Thanks,
> Ruwan
>
I don't think that you even need multiple SSLContexts. Choosing the client certificate is the responsibility of X509(Extended)KeyManager. Probably the requirement is already supported out-of-the-box by the default key manager implementation. If not, the option is to implement a custom version.

>>
>> Thanks
>> Indika
>>
>> >
>> > I guess the real use case is the ability to use multiple identity
>> > certificates when communicating out. A usual use case is that one
>> > organization would need to use an identity certificate A when talking to
>> > an endpoint of Company A, and another identity certificate B when talking
>> > to an endpoint of Company B etc, when using 2-way SSL. This does not
>> > necessarily require the support for multiple keystores, unless I have
>> > missed something.
>> >
>> > I have not yet looked into details.. but I do not directly see the need
>> > for multiple IO reactors to support this.. but just multiple SSLContexts.
>> >
>> > cheers
>> > asankha
>> >
>> > --
>> > Asankha C. Perera
>> > AdroitLogic, http://adroitlogic.org
>> >
>> > http://esbmagic.blogspot.com
>
> --
> Ruwan Linton
> Technical Lead & Product Manager; WSO2 ESB; http://wso2.org/esb
> WSO2 Inc.; http://wso2.org
> email: [email protected]; cell: +94 77 341 3097
> blog: http://ruwansblog.blogspot.com
