我正在尝试使用类似于示例 #200 的 wso2esb,它公开了一个安全的 Web 服务并在调用另一个主机/端口上的不安全服务之前删除了安全标头。我能够做到这一点,甚至集成了验证器和密码回调处理程序,但我无法将我有此工作的安装复制到另一个系统或配置另一个系统以相同的方式工作。
我尝试从全新安装的 3.0.1、4.0.3 以及最近的 4.5.0 开始配置此代理,所有这些都得到类似的结果:要么是加载凭据时的安全错误,要么是最近出现的“恢复密钥”(recover key)安全错误。
我们拥有自己的 CA 证书,并向客户颁发使用该证书签名的证书,然后客户使用他们的私钥对 SOAP 进行加密和签名。我正在使用以下安全策略文件,并且在使用和不使用回调处理程序的情况下都进行了尝试。
在启用此代理服务的安全性后,我尝试通过将其粘贴到管理 GUI 中来引用此策略文件。
我已经在 3.0 版本(在一台服务器上可以正常工作)、4.0.3 以及最近的 4.5.0 上都尝试过,并根据不同 wso2esb 版本目录布局的变化,相应调整了 server.jks 密钥库的路径。
我非常感谢通过一系列步骤配置安全代理服务的帮助,这些步骤可能允许我在多个系统上运行。
提前致谢 !!
我的代理服务定义如下:
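<?xml version="1.0" encoding="UTF-8"?>
<!--
  Secure proxy modelled on WSO2 ESB sample 200: clients send a WS-Security
  signed and encrypted SOAP message to this proxy; Rampart processes it
  according to the "sec_policy" policy (enableSec below), the wsse:Security
  header is then stripped and the plain message is forwarded to an
  unsecured backend.

  NOTE(review): the backend hop is plain HTTP to an internal address, so from
  this proxy onwards the payload is unprotected. Only deploy this on a
  network segment where that hop is trusted.
  NOTE(review): transports="https,http" also exposes the proxy over plain
  HTTP; the policy encrypts the Body, so this is tolerable, but restricting
  to https removes the unencrypted SOAP envelope metadata from the wire.
-->
<proxy xmlns="http://ws.apache.org/ns/synapse" name="secureService"
       statistics="disable" trace="disable" transports="https,http">
  <target>
    <inSequence>
      <!-- Remove the (already processed) security header so the backend
           neither sees nor has to understand it. -->
      <header action="remove" name="wsse:Security"
              xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>
    </inSequence>
    <endpoint>
      <address statistics="disable" trace="disable"
               uri="http://192.168.55.201:8083/NotSecureEJB/RemoteService">
        <!-- All values 0 / factor 1.0: no endpoint timeout, and
             suspension/retry are effectively disabled. Presumably left
             that way for testing; confirm before production use. -->
        <timeout>
          <duration>0</duration>
          <action>discard</action>
        </timeout>
        <markForSuspension>
          <retriesBeforeSuspension>0</retriesBeforeSuspension>
          <retryDelay>0</retryDelay>
        </markForSuspension>
        <suspendOnFailure>
          <initialDuration>0</initialDuration>
          <maximumDuration>0</maximumDuration>
          <progressionFactor>1.0</progressionFactor>
        </suspendOnFailure>
      </address>
    </endpoint>
    <outSequence>
      <send/>
    </outSequence>
  </target>
  <!-- Policy resolved from the "sec_policy" local entry; enableSec turns on
       Rampart processing for this proxy. -->
  <policy key="sec_policy"/>
  <enableSec/>
</proxy>
<!-- The closing </proxy> tag above was missing from the pasted definition;
     without it the document is not well-formed and will not deploy. -->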
安全策略通过以下本地条目(local entry)引用:
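<!-- Element name fixed: was <loccalEntry>, which Synapse does not recognise,
     so the "sec_policy" key referenced by the proxy could never resolve.
     The src path is relative to the server's working directory, which moved
     between WSO2 ESB releases; verify it on each host. -->
<localEntry key="sec_policy" src="file:repository/resources/security/sec_policy.xml"/>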
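<!--
  WS-SecurityPolicy for the secureService proxy: asymmetric binding in which
  the client signs Timestamp and Body with its own X.509 key and encrypts the
  Body for the server's certificate; the response is encrypted back to the
  certificate that signed the request (useReqSigCert).
  All namespaces are declared once on the root; review notes on what has to
  be replicated per host are inline.
-->
<wsp:Policy wsu:Id="SigEncr"
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
            xmlns:ramp="http://ws.apache.org/rampart/policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:AsymmetricBinding>
        <wsp:Policy>
          <sp:InitiatorToken>
            <wsp:Policy>
              <!-- IncludeToken=Never: the client's certificate is NOT carried
                   in the message, so Rampart has to look it up (by issuer/
                   serial or key identifier, see Wss10 below) in the
                   signatureCrypto keystore. That keystore therefore must hold
                   each client certificate, not only the issuing CA, on every
                   host this proxy is deployed to. A certificate that cannot
                   be resolved typically surfaces as a credential / key
                   recovery security fault, which matches the symptom seen
                   when copying this setup (inferred, confirm in the logs). -->
              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                <wsp:Policy>
                  <sp:WssX509V3Token10/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
          <sp:RecipientToken>
            <wsp:Policy>
              <!-- Server certificate is sent in the request direction so the
                   client can encrypt to it. -->
              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:WssX509V3Token10/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <!-- Basic128Rsa15 pairs AES-128-CBC with RSA PKCS#1 v1.5 key
               transport. PKCS#1 v1.5 key transport is exposed to
               Bleichenbacher-style padding oracle attacks, and newer WSS4J
               releases are believed to reject it by default. Prefer Basic128
               (RSA-OAEP) together with xmlenc#rsa-oaep-mgf1p in the Rampart
               config below once the clients can be updated; it is kept here
               only so that existing clients keep interoperating. -->
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic128Rsa15/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict/>
            </wsp:Policy>
          </sp:Layout>
          <!-- Timestamp is required and is also a signed part below, which
               limits replay of captured messages. -->
          <sp:IncludeTimestamp/>
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <!-- A misspelled <sp:SymetricBinding> element that used to sit here has
           been removed: a policy alternative carries exactly one binding and
           the AsymmetricBinding above already defines the algorithm suite. -->
      <sp:Wss10>
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier/>
          <sp:MustSupportRefIssuerSerial/>
        </wsp:Policy>
      </sp:Wss10>
      <sp:SignedParts>
        <sp:Timestamp/>
        <sp:Body/>
      </sp:SignedParts>
      <sp:EncryptedParts>
        <sp:Body/>
      </sp:EncryptedParts>
      <ramp:RampartConfig>
        <!-- Alias of the server's private key in server.jks. The same alias,
             with the password returned by the callback class, must exist in
             the keystore on each host. -->
        <ramp:user>server</ramp:user>
        <!-- Encrypt the response to whichever certificate signed the request. -->
        <ramp:encryptionUser>useReqSigCert</ramp:encryptionUser>
        <!-- Both classes have to be on the ESB classpath of every host
             (presumably a jar under repository/components/lib); if either is
             missing, Rampart cannot obtain the key password or validate the
             policy and the request fails. -->
        <ramp:passwordCallbackClass>com.testing.PWCallback</ramp:passwordCallbackClass>
        <ramp:policyValidatorCbClass>com.testing.CustomPolicyValidator</ramp:policyValidatorCbClass>
        <ramp:encryptionSymAlgorithm>http://www.w3.org/2001/04/xmlenc#aes128-cbc</ramp:encryptionSymAlgorithm>
        <!-- rsa-1_5 is PKCS#1 v1.5; see the AlgorithmSuite note above. -->
        <ramp:encryptionKeyTransportAlgorithm>http://www.w3.org/2001/04/xmlenc#rsa-1_5</ramp:encryptionKeyTransportAlgorithm>
        <!-- Merlin resolves the keystore path relative to the directory the
             server is started from, which differs between WSO2 releases, so
             check it on each host. The keystore password is stored in clear
             here: keep this file out of version control and, where the ESB
             release supports it, move the secret to the WSO2 secure vault. -->
        <ramp:signatureCrypto>
          <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.file">resources/security/server.jks</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">changeme</ramp:property>
          </ramp:crypto>
        </ramp:signatureCrypto>
        <!-- Element name fixed: was <ramp:encryptionCypto>, which Rampart does
             not recognise, so this keystore was never configured for
             encryption (Rampart presumably fell back to signatureCrypto). -->
        <ramp:encryptionCrypto>
          <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.file">resources/security/server.jks</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">changeme</ramp:property>
          </ramp:crypto>
        </ramp:encryptionCrypto>
      </ramp:RampartConfig>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>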