Ruwan,

Where does the requirement of using different stores come from?

Andreas

On Tue, Jul 21, 2009 at 03:15, Ruwan Linton<[email protected]> wrote:
>
> On Tue, Jul 21, 2009 at 6:23 AM, Andreas Veithen <[email protected]> wrote:
>>
>> On Tue, Jul 21, 2009 at 02:05, Ruwan Linton<[email protected]> wrote:
>> >
>> > On Mon, Jul 20, 2009 at 10:19 PM, indika kumara <[email protected]> wrote:
>> >>
>> >> I agree with Asankha,
>> >>
>> >> Requirement is to enable to represent multiple identities by synapse
>> >> itself and also call to external services whose identities are different.
>> >> For first requirement it may need to expose identities at proxy services
>> >> level. For second requirement, it may need ability to specify and use
>> >> multiple client certificates at endpoint level when calling different
>> >> external services.
>> >>
>> >> Giving Multiple SSLContexts is the scalable solution. Especially, for the
>> >> requirement one, using reactor will not be scalable. Even for second
>> >> requirement.
>> >>
>> >> But, it seems in the current IOReactor implementation it is only possible
>> >> to be given one SSLContext (with IOEventDispatch).
>> >>
>> >> Seems like we need a new IOEventDispatch implementation that takes a Map of
>> >> SSLContexts (or composite IOEventDispatch) and then within method,
>> >>
>> >> public void connected (final IOSession session)
>> >>
>> >> Based on information on IOSession session, pick the correct SSLContext.
>> >> I am not sure about the possibility of this, but Asankha or Oleg sure knows this.
>> >
>> > Asankha, Indika is correct on the above comment I guess... IOReactor has
>> > one-to-one relationship with the SSLContext, I think that is why Hiranya
>> > wanted multiple IOReactors to support this.
>> >
>> > Is there a mechanism where you can provide multiple SSLContexts to the
>> > IOEventDispatcher?? I suggest we get the patch from Hiranya and improve it
>> > to support this scenario, since he has some working code already. WDYT?
>> >
>> > Thanks,
>> > Ruwan
>> >
>>
>> I don't think that you even need multiple SSLContexts. Choosing the
>> client certificate is the responsibility of X509(Extended)KeyManager.
>> Probably the requirement is already supported out-of-the-box by the
>> default key manager implementation. If not, the option is to implement
>> a custom version.
>
> If you need to provide the different certs through different stores
> (different JKS files), I don't think the key manager can handle that,
> because there is no way that the key manager can find different key stores
> without the user (nhttp transport) feeding it the key store.
>
> Am I missing anything?
>
> Thanks,
> Ruwan
>
>>
>> >>
>> >> Thanks
>> >> Indika
>> >>
>> >> >
>> >> > I guess the real use case is the ability to use multiple identity
>> >> > certificates when communicating out. A usual use case is that one
>> >> > organization would need to use an identity certificate A when talking to
>> >> > an endpoint of Company A, and another identity certificate B when talking
>> >> > to an endpoint of Company B etc, when using 2-way SSL. This does not
>> >> > necessarily require the support for multiple keystores, unless I have
>> >> > missed something.
>> >> >
>> >> > I have not yet looked into details.. but I do not directly see the need
>> >> > for multiple IO reactors to support this.. but just multiple SSLContexts.
>> >> >
>> >> > cheers
>> >> > asankha
>> >> >
>> >> > --
>> >> > Asankha C. Perera
>> >> > AdroitLogic, http://adroitlogic.org
>> >> >
>> >> > http://esbmagic.blogspot.com
>> >> >
>> >
>> > --
>> > Ruwan Linton
>> > Technical Lead & Product Manager; WSO2 ESB; http://wso2.org/esb
>> > WSO2 Inc.; http://wso2.org
>> > email: [email protected]; cell: +94 77 341 3097
>> > blog: http://ruwansblog.blogspot.com
>> >
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [email protected]
>> For additional commands, e-mail: [email protected]
>>
>
> --
> Ruwan Linton
> Technical Lead & Product Manager; WSO2 ESB; http://wso2.org/esb
> WSO2 Inc.; http://wso2.org
> email: [email protected]; cell: +94 77 341 3097
> blog: http://ruwansblog.blogspot.com
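
The custom X509ExtendedKeyManager suggested in the thread, combined with the constraint that each identity lives in its own JKS file, could look like the following. This is an added example, not code from the thread or from Synapse; the class `PerHostKeyManager`, its `register` method and the `host|alias` tagging scheme are assumptions made for illustration, as is the premise that the transport creates each engine with `createSSLEngine(host, port)`.

```java
import java.io.InputStream;
import java.net.Socket;
import java.nio.file.*;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.*;

// Added illustration (hypothetical class): one key manager, one key store per peer host.
public class PerHostKeyManager extends X509ExtendedKeyManager {
    private final Map<String, X509ExtendedKeyManager> byHost = new HashMap<>();
    private static String norm(String host) { return host.toLowerCase(Locale.ROOT); }

    // Load one JKS file and bind the identity in it to a single peer host name.
    public void register(String peerHost, Path jks, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(jks)) { ks.load(in, password); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);  // assumes the key password equals the store password
        for (KeyManager km : kmf.getKeyManagers())
            if (km instanceof X509ExtendedKeyManager) byHost.put(norm(peerHost), (X509ExtendedKeyManager) km);
    }

    // Called for SSLEngine-based (NIO) clients. Returns "host|alias" so later lookups find the store.
    @Override
    public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine engine) {
        String host = engine.getPeerHost();  // set only if the engine came from createSSLEngine(host, port)
        X509ExtendedKeyManager km = host == null ? null : byHost.get(norm(host));
        if (km == null) return null;         // unknown peer: present no certificate rather than a default
        String alias = km.chooseEngineClientAlias(keyTypes, issuers, engine);
        return alias == null ? null : norm(host) + "|" + alias;
    }
    private X509ExtendedKeyManager storeFor(String tagged) {
        int i = tagged == null ? -1 : tagged.indexOf('|');
        return i < 0 ? null : byHost.get(tagged.substring(0, i));
    }
    @Override public X509Certificate[] getCertificateChain(String tagged) {
        X509ExtendedKeyManager km = storeFor(tagged);
        return km == null ? null : km.getCertificateChain(tagged.substring(tagged.indexOf('|') + 1));
    }
    @Override public PrivateKey getPrivateKey(String tagged) {
        X509ExtendedKeyManager km = storeFor(tagged);
        return km == null ? null : km.getPrivateKey(tagged.substring(tagged.indexOf('|') + 1));
    }
    // Blocking sockets and server-side selection are not this example's subject: decline both.
    @Override public String chooseClientAlias(String[] t, Principal[] i, Socket s) { return null; }
    @Override public String chooseServerAlias(String t, Principal[] i, Socket s) { return null; }
    @Override public String[] getClientAliases(String t, Principal[] i) { return null; }
    @Override public String[] getServerAliases(String t, Principal[] i) { return null; }
}
```

Passing one instance as the only entry of the `KeyManager[]` given to `SSLContext.init` keeps a single SSLContext while the peer host decides which store supplies the client certificate. A host with no registered store gets no certificate, so an identity is never sent to an endpoint it was not configured for.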
