我正在尝试使用类似于样本#200的wso2esb,它暴露了一个安全的Web服务,并在另一个主机/端口上调用不安全的服务之前删除了安全头。我能够做到这一点,甚至整合验证器和密码回调处理程序,但我无法将我有这个工作的安装复制到另一个系统或配置另一个系统以相同的方式工作。
我尝试从3.0.1,4.0.3和最近4.5.0的干净安装开始配置此代理,所有这些都具有类似的结果,即加载凭据或最近“恢复密钥”的安全错误。
我们拥有自己的CA证书,并向使用其私钥加密和签名SOAP的客户颁发使用该证书签名的证书。我正在使用以下安全策略文件,并在使用和不使用回调处理程序的情况下尝试过它。
我尝试在启用此代理服务的安全性后将其粘贴到管理GUI中,以引用此策略文件。
我已尝试使用3.0版本,我在一台服务器上工作,也使用4.0.3,最近一次使用4.5.0根据wso2esb布局的变化调整server.jks密钥库的位置不同的版本。
我非常感谢使用一系列步骤配置安全代理服务的帮助,这些步骤可能让我在多个系统上运行。
提前致谢!!
我的代理服务定义如下:
<?xml version="1.0" encoding="UTF-8"?>
<proxy xmlns="http://ws.apache.org/ns/synapse" name="secureService"
statistics="disable" trace="disable" transports="https,http">
<target>
<inSequence>
<header action="remove" name="wsse:Security" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>
</inSequence>
<endpoint>
<address statistics="disable" trace="disable" uri="http://192.168.55.201:8083/NotSecureEJB/RemoteService">
<timeout>
<duration>0</duration>
<action>discard</action>
</timeout>
<markForSuspension>
<retriesBeforeSuspension>0</retriesBeforeSuspension>
<retryDelay>0</retryDelay>
</markForSuspension>
<suspendOnFailure>
<initialDuration>0</initialDuration>
<maximumDuration>0</maximumDuration>
<progressionFactor>1.0</progressionFactor>
</suspendOnFailure>
</address>
</endpoint>
<outSequence>
<send/>
</outSequence>
</target>
<policy key="sec_policy"/>
<enableSec/>
通过以下方式从本地条目引用的安全策略:
<loccalEntry key="sec_policy" src="file:repository/resources/security/sec_policy.xml"/>
<wsp:Policy wsu:Id="SigEncr" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128Rsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:SymetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128/>
</wsp:Policy>
</sp:AlgorithmSuite>
</sp:SymetricBinding>
<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier/>
<sp:MustSupportRefIssuerSerial/>
</wsp:Policy>
</sp:Wss10>
<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Timestamp/>
<sp:Body/>
</sp:SignedParts>
<sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body/>
</sp:EncryptedParts>
<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
<ramp:user>server</ramp:user>
<ramp:encryptionUser>useReqSigCert</ramp:encryptionUser>
<ramp:passwordCallbackClass>com.testing.PWCallback</ramp:passwordCallbackClass>
<ramp:policyValidatorCbClass>com.testing.CustomPolicyValidator</ramp:policyValidatorCbClass>
<ramp:encryptionSymAlgorithm>http://www.w3.org/2001/04/xmlenc#aes128-cbc</ramp:encryptionSymAlgorithm>
<ramp:encryptionKeyTransportAlgorithm>http://www.w3.org/2001/04/xmlenc#rsa-1_5</ramp:encryptionKeyTransportAlgorithm>
<ramp:signatureCrypto>
<ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
<ramp:property name="org.apache.ws.security.crypto.merlin.file">resources/security/server.jks</ramp:property>
<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">changeme</ramp:property>
</ramp:crypto>
</ramp:signatureCrypto>
<ramp:encryptionCypto>
<ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
<ramp:property name="org.apache.ws.security.crypto.merlin.file">resources/security/server.jks</ramp:property>
<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">changeme</ramp:property>
</ramp:crypto>
</ramp:encryptionCypto>
</ramp:RampartConfig>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>