Hi All,

As per the discussions we had offline, I am going to secure the communication between Operations Center and Operations Center Agent.

We will use mutual authentication to secure the communication, so signed certificates will be distributed on both sides. To validate, we thought of using an (Axis2) handler in Operations Center Agent. But the Operations Center Agent Service is an admin service, so it needs to be authenticated via an authenticator. Basic Authenticator needs to have the username and password in the header (so a valid user account with admin privileges would have to be created in each server, which we want to avoid).

There is a MutualSSLAuthenticator already available [1]. But it is totally dependent on some information sent in the SOAP header. In the Operations Center approach we are planning to access all the services in a REST way, so we would have to modify the MutualSSLAuthenticator to first look into the HTTP headers and then the SOAP headers. But if we are using MutualSSLAuthenticator, we will be adding a new hop to the authenticators chain, i.e. an additional validation step on all the messages. And if we use MutualSSLAuthenticator, we have to use a custom HTTP header to pass the information, like the username, to be used in the validation of the MutualSSLAuthenticator and to make the user logged in (again we have to have a valid user, which we want to avoid). We can't just look for the availability of the custom header and mark the request as authenticated, as that is not the generic implementation in MutualSSLAuthenticator.

So we will have to implement a new custom authenticator for this. We can use the certificate itself to validate: if the certificate is available, consider it a valid request. But we will have to use a field in the certificate (like "CN") or a custom HTTP header to find the user. If not, we will not be able to track where the request came from. So this implementation also deviates from the generic MutualSSLAuthenticator.

If we use a new custom authenticator for this scenario (check for the custom HTTP header and the certificate, and mark the request as authenticated), it will solve the problem. But this will again be an additional hop in the authenticators chain.

Any suggestions and feedback on $subject?

[1] https://svn.wso2.org/repos/wso2/carbon/platform/branches/turing/components/authenticators/mutual-ssl-authenticator/4.2.0/src/main/java/org/wso2/carbon/identity/authenticator/mutualssl/MutualSSLAuthenticator.java

Regards,
*Jayanga Dissanayake*
Senior Software Engineer
WSO2 Inc. - http://wso2.com/
lean . enterprise . middleware
email: [email protected]
mobile: +94772207259
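As an added illustration (not code from the thread or from WSO2 Carbon) of the "certificate itself plus CN" check discussed above: a helper a custom authenticator could call once it has the HttpServletRequest (for Axis2 that is assumed to come from the MessageContext's servlet-request property). It treats the request as authenticated only when the container has exposed a TLS-verified client certificate, takes the identity from the CN, and accepts the optional custom header only when it agrees with the certificate, since a header on its own is client-controlled. The header name is an assumption, as the e-mail does not fix one.

```java
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.http.HttpServletRequest;

/** Example helper for a custom mutual-SSL authenticator (hypothetical, not Carbon code). */
public final class ClientCertIdentity {
    // Standard servlet attribute; set only after a successful client-cert TLS handshake.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    // Assumed custom header name; the thread does not specify one.
    private static final String USER_HEADER = "X-Operations-Center-User";

    /** Returns the user to log in as, or null when the request must not be authenticated. */
    public static String resolveUser(HttpServletRequest request) {
        Object attr = request.getAttribute(CERT_ATTR);
        // No certificate array means the TLS layer never validated a client cert.
        if (!(attr instanceof X509Certificate[]) || ((X509Certificate[]) attr).length == 0) {
            return null;
        }
        X509Certificate leaf = ((X509Certificate[]) attr)[0]; // client's own certificate
        String cn = commonName(leaf);
        if (cn == null) {
            return null; // certificate carries no usable identity
        }
        // Header is optional; if present it must match the certificate identity.
        String claimed = request.getHeader(USER_HEADER);
        if (claimed != null && !claimed.equals(cn)) {
            return null;
        }
        return cn;
    }

    /** Extracts the CN from the certificate subject, or null if absent or malformed. */
    static String commonName(X509Certificate cert) {
        try {
            LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
            for (Rdn rdn : dn.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return String.valueOf(rdn.getValue());
                }
            }
        } catch (InvalidNameException e) {
            // fall through: subject DN could not be parsed
        }
        return null;
    }
}
```

The trust decision still rests on the server's TLS trust store: this helper only reads what the container has already verified, and a null return should map to the authenticator reporting the request as not authenticated.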
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
