This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Applying Security to a Proxy Service

Owned by Former user (Deleted)
Last updated: May 17, 2018
10 min read

The steps below demonstrate how you can apply security to a proxy service via WSO2 EI Tooling.

Prerequisites

Step 1: Creating a registry resource project

First, create a registry resource project in ESB tooling. We will use this project to store the security policy (which is a registry resource).

  1. Open the Developer Studio Dashboard (click Developer Studio > Open Dashboard) and click Registry Resources Project.

  2. Enter a name for the project and click Next.
    enter details of the new project
  3. Enter the Maven information about the project and click Finish.
    enter maven information about the project
  4. The new project will be listed in the project explorer as shown below.

Step 2: Creating the security policy file

Follow the instructions given below to create a WS-Policy resource in your registry project. This will be your security policy file.

  1. Right-click the registry resource project in the left navigation panel, click New, and then click Registry Resource. This will open the New Registry Resource window.
    right click and create registry resource
  2. Select the From existing template option as shown below and click Next.
    create from existing template
  3. Enter a resource name and select the WS-Policy template along with the preferred registry path.
  4. Click Finish. The policy file is now listed in the project explorer as shown below

  5. Double-click the policy file to open the file. Note that you get a Design View and Source View of the policy.

  6. Let's use the Design View to enable the required security scenario. For example, enable the Sign and Encyrpt security scenario as shown below.

    Click the icon next to the scenario to get details of the scenario.


  7. You can provide also provide encryption properties, signature properties, and advanced rampart configurations as shown below.

Specifying role-based access?

For certain scenarios, you can specify user roles. After you select the scenario, scroll to the right to see the User Roles button.

Either define the user roles inline or retrieve the user roles from the server.

By default, the role names are not case sensitive. If you want to make them case sensitive, add the following property under the <AuthorizationManager> configuration in the user-mgt.xml file:


<Property name= "CaseSensitiveAuthorizationRules"> true </Property>

Step 3: Add a proxy service

You can either create a new proxy service, or import an already created proxy service to your workspace.

Follow the steps given below.

  1. Open the Developer Studio Dashboard (Click Developer Studio -> Open Dashboard).

  2. Click Proxy Service to open the New Proxy Service dialog. Let's import the proxy service you downloaded previously.

    Alternatively, you can create a new proxy service.

  3. Click Import Poxy Service and Next. Enter values for the following fields:

    Proxy Service Configuration FileBrowse for the proxy service file that you downloaded previously.
    Save in

    The file you import should be saved in an ESB project in your Tooling workspace. To create a new ESB project:

    1. Click Create New ESB Project.
    2. Select New ESB Config Project.
    3. Enter a project name. For example, enter 'ESB_Project' as the project name.
    4. Click Finish. The new ESB_Project is added to the Save in field.
  4. Click Finish. You will now see a new ESB_Project folder (with the proxy service) in your project explorer.

Step 4: Add the security policy to the proxy service

You can now apply the security policy to the proxy service. Follow the steps given below.

  1. Double-click the proxy service on the project explorer to open the file.
  2. Select the Properties tab shown below and set the Security Enabled property to 'true'.
  3. Select the Browse icon for the Service Policies field. In the dialog box that opens, create a new record and click the Browse icon to open the Resource Key dialog as shown below.
  4. Click workspace, to add the security policy from the current workspace. You can select the path to the sample_policy.xml file that you created in the previous steps.
  5. Save the proxy service file.

Step 5: Deploying the proxy service in the ESB server

Once you have added the security policy to your proxy service as explained in the previous topics, you need to create a Composite Application project with a CAR file. You can then deploy the CAR file in the ESB server:

  1. Right-click the Project Explorer and click New > Project.
  2. From the window that opens, click Composite Application Project.

  3. Give a name to the Composite Application project and select the projects that you need to group into your C-App from the list of available projects. You need to select the ESB project and the registry resource project, which contains the proxy service and security policy file respectively.

  4. Next, deploy the CAR file in the ESB server.

Step 6: Testing the secured proxy service

You can test the sign and encrypt security policy that is applied to the proxy service by following the steps given below. Let's start the back-end service (which is the SimpleStockQuoteService) and send messages using the SOAP UI. You can first send a message that is not encrypted to verify if the secured proxy service accepts the message. Then, apply encryption/decryption to the SOAP UI client and send messages to see how message encryption and decryption is facilitated by the secured proxy service.

 1. Starting the back-end service

The SimpleStockQuoteService (back-end service) contains four operations:

  • getQuote (in-out) - Generates a sample stock quote for a given symbol.
  • getFullQuote (in-out) - Generates a history of stock quotes for a symbol for a number of days.
  • getMarketActivity (in-out) - Returns stock quotes for a list of given symbols.
  • placeOrder (in-only) - Accepts a one way message for an order.

To build and deploy a back-end service in the Axis2 server:

  1. Open a command prompt (or a shell in Linux). 
  2. Go to the <EI_HOME>/samples/axis2Server/src/SimpleStockQuoteService directory. 

  3. Execute the 'ant' command.

To start the Axis2 server:

  1. Open a command prompt (or a shell in Linux) and go to the <EI_HOME>/samples/axis2Server directory.
  2. Execute one of the following commands to start the axis2 server:
    • On Windows: axis2server.bat
    • On Linux/Solaris: ./axis2server.sh

This starts the Axis2 server (with the deployed back-end service). The HTTP and HTTPS transports listen on ports 9000 and 9002 respectively.

 2. Creating a SOAP UI project
  1. Download SOAP UI.
  2. Before starting the SOAP UI, apply the following changes.
    1. Download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for JDK 8 and extract the downloaded ZIP file.
    2. Copy the local_policy.jar file and US_export_policy.jar file inside the extracted folder to the <JDK_HOME>/jre/lib/security folder.
    3. Download the xmlsec-1.5.2.jar file, and copy it to the <SOAP_HOME>/lib/ folder. Also, remove the existing xmlsec-1.4.5.jar file.
  3. Start the SOAP UI.

  4. Go to File > New SOAP Project to start creating a new SOAP project. 

    Enter the following values: 

    Project NameGive a name for the SOAP project. For example, 'SampleProject'.
    Initial WSDLThe WSDL of the proxy service is http://localhost:8280/services/StockQuoteProxy?wsdl.
 3. Sending a message (without encryption)

Let's send a message to the proxy service without encrypting the message. 

  1. Go to the SOAP request for the project.

  2. Click WS-Addressing relates setting as shown below.

  3. Enter the following value:

    Actionurn:getQuote

  4. Enter the following request and execute.

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://services.samples" xmlns:xsd="http://services.samples/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getQuote>
         <!--Optional:-->
         <ser:request>
            <!--Optional:-->
            <xsd:symbol>IBM</xsd:symbol>
         </ser:request>
      </ser:getQuote>
   </soapenv:Body>
</soapenv:Envelope>

  5. You will see the following in the output, which indicates that the message should be encrypted.

    <soapenv:Body wsu:Id="Id-1384918051" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <soapenv:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <faultcode>wsse:InvalidSecurity</faultcode>
         <faultstring>Missing wsse:Security header in request</faultstring>
         <detail/>
      </soapenv:Fault>
   </soapenv:Body>
 4. Configuring the SOAP UI for message encryption/decryption

Now, let's configure the SOAP UI so that the outgoing messages will be encrypted, and incoming messages will be decrypted. We will use the default wso2carbon.jks keystore file for the encryption and decryption of messages.

Adding keystore configurations

  1. Right-click the project and click Show Project View.

  2. Go to WS-Security Configurations > Keystore tab and create a new record. 

    Then, enter the following details.

    SourceEnter the path to the keystore that the SOAP UI will use for encypting and decrypting messages. Let's use the default keystore (wso2carbon.jks) that is shiped with your WSO2 product. The source path is as follows: <EI_HOME>/repository/resources/security/wso2carbon.jks.
    PasswordEnter 'wso2carbon'. This is the default password of the wso2carbon.jks keystore file.
    Default AliasEnter 'wso2carbon'. This is the default password of the wso2carbon.jks keystore file.
    Alias PasswordEnter 'wso2carbon'. This is the default password of the wso2carbon.jks keystore file.

  3. Save the configurations.

Configuring outgoing message encryption

Now, let's configure the properties for outgoing messages.

  1. Go to WS-Security Configurations > Outgoing WS-Security Configurations tab.

  2. Create a new record and enter a name for the outgoung configuration. For example, enter 'outgoing_configs'

  3. Then, enter the following details:

    Default UsernameEnter 'wso2carbon'. This is the default password of the wso2carbon.jks keystore file.
    Default PasswordEnter 'wso2carbon'. This is the default password of the wso2carbon.jks keystore file.
    Must UnderstandSelect this check box.
  4. Next, we will add WSS entries for the outgoing configuration. Create a new record in the bottom panel of the Outgoing WS-Security Configurations tab. You can select the type of entry from the dialog box that opens.

    Create three WSS entries as explained below.

    1. Create an entry of type Timestamp, and specify the following parameter:

      Time to Live3000

    2. Create an entry of type Signature, and specify the following:

      KeystoreSelect 'wso2carbon.jks' from the list.
      AliasSelect 'wso2carbon' from the list. This is the default password of the wso2carbon.jks keystore file.
      PasswordEnter 'wso2carbon'. This is the default password of the wso2carbon.jks keystore file.
      Key Identifier TypeSelect 'X509 Certificate' from the list.
      Use Single CertificateSelect this check box.
      PartsCreate a new record and enter the following:

    3. Create an entry of type Encryption, and specify the following:

      KeystoreSelect 'wso2carbon.jks' from the list.
      AliasSelect 'wso2carbon' from the list. This is the default password of the wso2carbon.jks keystore file.
      PasswordEnter 'wso2carbon'. This is the default password of the wso2carbon.jks keystore file.
      Key Identifier TypeSelect 'X509 Certificate' from the list.
      Create Encrypted KeySelect this check box.
      PartsCreate a new record and enter the following:

  5. Save the configurations.

Configure incoming message decryption

Now, let's configure the properties for incoming messages.

  1. Go to the WS-Security Configurations > Outgoing WS-Security Configurations tab.

  2. Create new record and enter a name for the incoming configuration. For example, enter 'incoming_configs'.

  3. Then, enter the following details:

    Decrypt KeystoreEnter 'wso2carbon.jks'.
    Signature KeystoreEnter 'wso2carbon.jks'.
    PasswordEnter 'wso2carbon'. This is the default password of the wso2carbon.jks keystore file.
  4. Save the configurations.
 5. Testing message encryption

Let's send an encrypted message to the back-end service.

  1. Go to the SOAP request for the project:

  2. Click Auth (at the bottom of the screen) and select Add New Authorization.

    Enter the following details:

    AuthorizationBasic
    Pre-emptive authSelect Use global preference.
    Outgoing WSSSelect the outgoing configuration you created earlier: 'outgoing_configs'
    Incoming WSSleave this blank.
  3. Click WS-Addressing related setting as shown below.

  4. Enter the following value:

    Actionurn:getQuote

  5. Enter the following request and execute.

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://services.samples" xmlns:xsd="http://services.samples/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getQuote>
         <!--Optional:-->
         <ser:request>
            <!--Optional:-->
            <xsd:symbol>IBM</xsd:symbol>
         </ser:request>
      </ser:getQuote>
   </soapenv:Body>
</soapenv:Envelope>

  6. You will see the output shown below. The response sent from the ESB is encrypted.

    <soapenv:Body wsu:Id="Id-1192123912" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <xenc:EncryptedData Id="EncDataId-12" Type="http://www.w3.org/2001/04/xmlenc#Content">
         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
         <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
               <wsse:Reference URI="#EncKeyId-0682F65EEB9824BB96152649580727415"/>
            </wsse:SecurityTokenReference>
         </ds:KeyInfo>
         <xenc:CipherData>
            <xenc:CipherValue>9f7NHvCZDcppy6h8msnZGf47S1MpRE7YdsYgfuX7JCChlQLO00PtoD6qoxM68Pdp1UcCRWoUEqij
pzwmNOEiiYfp4n6dD6vrrALMP4NPy23PQZCAsG6wrENDQG0Tr2eBq2M5J35rL+uAHio3uLTd3bCo
Cy40P/mCCbQSdWVLtTPIkMneNr8DEaRbDygJ8UsZZWD3WGqDpL5ENVbuPzAW38bxX5dkCZMARdVK
R05WdPc6VexKAmdZh/r5/ZUds2zmj6KTfb6vCt5dRp7kx+CTK6oGdFwCC51f+t4BiT7BBnELw/Vv
W15nFAkg7FQrQAlhbuwAhxeumIyhKRwmVYzuwCy0jJBijQY9vCrAL4/1tjZVch37ErKxQTnCr7Zw
3Q9+E78DcwRZMl9GEq9fHNgUNZj3iZFQI3Mmewx2fi3qfIIMzMlgS7XS+nHpACHYiI06wa4veRkB
2qfzXFNYfMP4UZrfqqys/3XY2/z5QUDQS+DrmGsnbsRgmrjVs8mnKMmV0XqcKulCVS3ICr/2rYJ4
FfiaKJ0Z2TlsB2Q8kz0Y5aiFYxiE6Opqhi1o4CsUUzsdF6gIDJaOuMi1oXa8J2TPo1POwzd7gFyJ
yp6zFSWjihnr5Tnmor6w4ylsPft9ktWSBgxCY4HrWXa8XKRSNP0UHRaGqRWwVv+LseU0wJN0Ets1
4KbNL0YWEfuJkXRAdhzy9lY2SPDFPgevjN7AhTfpd8WrVC3et+/UiJhAk7ivc06tp2Pr+S2JIb/E
meajPPuLDmPHAeH8PiDRuu6693sj90mVrUn9xjaumPH8Hcvs0t8Zzj2mA62BYiu/E4pXC7kFwuW3
IsgaNqh3orRHqzo24kaA+xj/WmzV92oSfBsq3ZfIi4fTvgRmSzgWwqS2aMNkMetuTPLBRSaelmR2
yCXz2TARiNuNm9/F44C8P51AbGGZoTHT+MR0gwG1UnMErh2AZmA6vBrYgyHuqUeqnOf2jWyZgOUT
TuB3rbX+acMdu62iJL1/H2xOaGaqFe73RtVIDz+gsrntlg7bAbcr11g538tJHVLXBaR9vjeef/s+
9MI3RERPxk/N0ZVB12PcRkOEiTw/A2jzq2FQNyPofKiKLsmCxt0mTvL6tOExQz4bsJHpARrN/xZQ
WkNr0UhCHbZEheM1bAwtktvMr0hLqWGdDpa+Qc4ArvYgXHh0EP8LdXU=</xenc:CipherValue>
         </xenc:CipherData>
      </xenc:EncryptedData>
   </soapenv:Body>
 6. Testing message decryption

Let's add the incoming message decryption configurations so that the encrypted response is decrypted.

  1. Go to the same SOAP request for the project that you invoked previously.

  2. Add the following to the Auth parameters.

    Incoming WSSSelect the incoming configuration you created earlier: 'incoming_configs'

  3. Execute the same request.

  4. You will see the output shown below. The response is decrypted.

    <soapenv:Body wsu:Id="Id-1431772327" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <ns:getQuoteResponse xmlns:ns="http://services.samples">
         <ns:return xsi:type="ax21:GetQuoteResponse" xmlns:ax21="http://services.samples/xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <ax21:change>-2.7365742496115466</ax21:change>
            <ax21:earnings>-8.213251300512011</ax21:earnings>
            <ax21:high>88.48726651174232</ax21:high>
            <ax21:last>85.1003087966358</ax21:last>
            <ax21:lastTradeTimestamp>Wed May 16 22:05:12 IST 2018</ax21:lastTradeTimestamp>
            <ax21:low>87.51212833009488</ax21:low>
            <ax21:marketCap>3.815294330622157E7</ax21:marketCap>
            <ax21:name>IBM Company</ax21:name>
            <ax21:open>87.32469564153132</ax21:open>
            <ax21:peRatio>-19.818382705434033</ax21:peRatio>
            <ax21:percentageChange>-2.9535759300931126</ax21:percentageChange>
            <ax21:prevClose>92.6529168161685</ax21:prevClose>
            <ax21:symbol>IBM</ax21:symbol>
            <ax21:volume>19361</ax21:volume>
         </ns:return>
      </ns:getQuoteResponse>
   </soapenv:Body>