Hello,

Apologies for the long message. I am having issues creating a Synapse proxy for
a (WCF) SOAP service that requires a client certificate (two-way SSL).

*java version "1.7.0_71", synapse-2.1.0*

*Its WSDL contains -*
...
                    <sp:TransportToken>
                        <wsp:Policy>
                            <sp:HttpsToken RequireClientCertificate="true"/>
                        </wsp:Policy>
                    </sp:TransportToken>
...
            <wsaw:UsingAddressing/>
...

*My Proxy definition is - *
        <inSequence>
            <send>
                <endpoint>
                    <address uri="https://*service url*">
                        <enableSec policy="policy/attsvc_policy.xml"/>
                        <enableAddressing/>
                    </address>
                </endpoint>
            </send>
        </inSequence>

*Policy File attsvc_policy.xml is -*
...            <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
                <ramp:sslConfig>
                    <ramp:property name="javax.net.ssl.keyStoreType">JKS</ramp:property>
                    <ramp:property name="javax.net.ssl.keyStore">C:\\apache\\synapse-2.1.0\\lib\\clientcert.jks</ramp:property>
                    <ramp:property name="javax.net.ssl.keyStorePassword">password</ramp:property>
                    <ramp:property name="javax.net.ssl.trustStoreType">JKS</ramp:property>
                    <ramp:property name="javax.net.ssl.trustStore">C:\\apache\\synapse-2.1.0\\lib\\trust.jks</ramp:property>
                    <ramp:property name="javax.net.ssl.trustStorePassword">password</ramp:property>
                </ramp:sslConfig>
            </ramp:RampartConfig>...

*In axis2.xml the transport sender config uses the same keystore clientcert.jks*
(which has the private key required by the server)
    <transportSender name="https" class="org.apache.synapse.transport.nhttp.HttpCoreNIOSSLSender">
        <parameter name="non-blocking" locked="false">false</parameter>
        <parameter name="warnOnHTTP500" locked="false">*</parameter>
        <parameter name="HttpsProtocols">SSLv3</parameter> <!-- added to enforce SSLv3 use instead of TLS. It doesn't work either way -->
        <parameter name="keystore" locked="false">
            <KeyStore>
                <Location>lib/*clientcert.jks*</Location>
                <Type>JKS</Type>
                <Password>password</Password>
                <KeyPassword>password</KeyPassword>
            </KeyStore>
        </parameter>
        <parameter name="truststore" locked="false">
            <TrustStore>
                <Location>*lib/trust.jks*</Location>
                <Type>JKS</Type>
                <Password>password</Password>
            </TrustStore>
        </parameter>
        <parameter name="HostnameVerifier">AllowAll</parameter>
        <parameter name="OmitSOAP12Action">true</parameter>
    </transportSender>

*synapse.properties file sets the same keystore -*
keystore.identity.location=lib/clientcert.jks
keystore.identity.store.password=password
keystore.identity.type=JKS
keystore.identity.key.password=password

*Just to be safe I tried adding the following to wrapper.conf -*
wrapper.java.additional.7=-Djavax.net.ssl.keyStore=/apache/synapse-2.1.0/lib/clientcert.jks
wrapper.java.additional.8=-Djavax.net.ssl.keyStoreType=JKS
wrapper.java.additional.9=-Djavax.net.ssl.keyStorePassword=password

However, I keep getting a timeout while communicating with the server. On the backend
SOAP service (IIS) side there is an error: "The I/O operation has been
aborted because of either a thread exit or an application request.
(0x800703e3)".

*If I use the blocking transport sender (org.apache.axis2.transport.http.CommonsHTTPTransportSender) I get HTTP 403 -*
org.apache.axis2.AxisFault: Transport error: 403 Error: Forbidden
        at org.apache.axis2.transport.http.HTTPSender.handleResponse(HTTPSender.java:310)
        at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:194)
        at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:75)
        at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:404)
        at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:231)

The backend SOAP service uses a self-signed certificate and I have imported its
certificate chain into <synapse home>/lib/trust.jks (this is the trust store
used by the transport sender).

A direct request to the backend service using SOAPUI and the same keystore
clientcert.jks is successful. In the backend SOAP service trace I do see a
proper SOAP request decrypted, so I think the service is receiving the correct
certificate from the proxy. Also, the SOAP message received by the service from
the direct SOAPUI request and from the proxy request is identical.

Is there any configuration I am missing? How do I get two-way SSL with the
backend service working? I appreciate your help.

-- 
Regards,
  Vish
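A stand-alone handshake check for the setup described above, added here as an example; it is not part of the original post and not code from Synapse, Axis2 or Rampart. It loads the same clientcert.jks and trust.jks, confirms the keystore really holds a PrivateKeyEntry that opens with the configured KeyPassword (a keystore that only received an imported certificate has no key to present), builds an SSLContext from the two stores the way a plain JSSE client does, completes the handshake against the service, and reports whether a client certificate was actually sent: SSLSession.getLocalCertificates() returns null when the server asked for a certificate from an issuer this keystore cannot satisfy, or never asked at all. The class name MtlsCheck, the argument order and the use of JKS for both stores are assumptions. Two caveats on the configuration as posted: forcing HttpsProtocols to SSLv3 is insecure (POODLE) and hardened IIS hosts reject it, so it should be removed rather than kept; and HostnameVerifier AllowAll disables hostname checking, which is tolerable only while debugging a self-signed backend. IIS answers a missing or unacceptable client certificate with 403 (sub-status 403.7 or 403.16), which is consistent with the blocking sender's result.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Mutual-TLS handshake check independent of Synapse (example code, assumed names).
 * Usage: java MtlsCheck <keystore.jks> <storepass> <keypass> <truststore.jks> <trustpass> <host> <port>
 */
public class MtlsCheck {

    static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    /** Lists every alias and returns how many are private-key entries. */
    static int countPrivateKeys(KeyStore ks, char[] keyPassword) throws Exception {
        int n = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            if (ks.isKeyEntry(alias)) {
                // Throws UnrecoverableKeyException if the configured KeyPassword is wrong.
                ks.getKey(alias, keyPassword);
                System.out.println("key entry  " + alias + " subject=" + c.getSubjectX500Principal()
                        + " issuer=" + c.getIssuerX500Principal());
                n++;
            } else {
                System.out.println("trusted    " + alias + " subject=" + c.getSubjectX500Principal());
            }
        }
        return n;
    }

    public static void main(String[] args) throws Exception {
        char[] storePass = args[1].toCharArray();
        char[] keyPass = args[2].toCharArray();
        char[] trustPass = args[4].toCharArray();

        KeyStore identity = load(args[0], "JKS", storePass);
        KeyStore trust = load(args[3], "JKS", trustPass);

        if (countPrivateKeys(identity, keyPass) == 0) {
            throw new IllegalStateException(
                    "keystore has no private key entry: only a certificate was imported, nothing to present");
        }
        countPrivateKeys(trust, trustPass); // shows which server chain the client will trust

        // Same wiring a JSSE-based sender performs: our key for the client side, trust store for the peer.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, keyPass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket sock = (SSLSocket) factory.createSocket(args[5], Integer.parseInt(args[6]));
        try {
            sock.startHandshake(); // fails here if trust.jks does not contain the server's chain
            System.out.println("protocol=" + sock.getSession().getProtocol()
                    + " cipher=" + sock.getSession().getCipherSuite());
            Certificate[] sent = sock.getSession().getLocalCertificates();
            if (sent == null) {
                System.out.println("NO client certificate sent: the server's CertificateRequest named issuers "
                        + "this keystore cannot satisfy, or the server never requested one");
            } else {
                System.out.println("client cert sent: " + ((X509Certificate) sent[0]).getSubjectX500Principal());
            }
            Certificate[] peer = sock.getSession().getPeerCertificates();
            System.out.println("server cert: " + ((X509Certificate) peer[0]).getSubjectX500Principal());
        } finally {
            sock.close();
        }
    }
}
```

If this program reports that no client certificate was sent, the issue is in the stores (issuer mismatch with what the server requests) rather than in the Synapse transport configuration; if it sends the certificate and the handshake completes, compare the negotiated protocol with what IIS accepts before touching the proxy again.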
