This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
Configuring X509 Authenticator with SSL Termination
SSL bridging is the process of decrypting the encrypted SSL traffic that arrives from the browser and then re-encrypting it before sending it on to the server. SSL bridging can be used to ensure that the contents of the SSL-encrypted transmission are reliable and secure.
It enables NGINX to decrypt client requests from the browser. X509 authentication will not work with plain SSL termination, since NGINX does not pass the X509 certificate as a request attribute to the server after decrypting the connection. The server therefore cannot authenticate the client using its certificate, and X509 authentication fails.
A separate valve is needed to handle the request from NGINX and pass the X509 certificate to the server as a request attribute. Here, NGINX is configured to pass the client's SSL certificate in a request header, which the valve reads.
Following are the steps to configure X509Authenticator with SSL Termination using NGINX and WSO2 Identity Server.
- Configure NGINX for SSL Termination
- Configure the proxy ports in IS
- Change the authentication SAML endpoint in the travelocity sample
- Configure X509 Authenticator to WSO2 Identity Server
Configure NGINX for SSL Termination
- Install the NGINX 1.15.8 community version.
- Create an ssl directory in /usr/local/etc/nginx. Create a self-signed key and certificate for NGINX as shown below and put them into /usr/local/etc/nginx/ssl.

    # generate the NGINX server key and self-signed certificate
    openssl req -newkey rsa:2048 -new -nodes -keyout key.pem -x509 -days 365 -out nginx.pem
    # inspect the generated certificate
    openssl x509 -text -noout -in nginx.pem
- Add the following configuration to the nginx.config file in /usr/local/etc/nginx. Set ssl_client_certificate to the path of the certificate that NGINX must trust when verifying client certificates (the self-signed client certificate you created). The header name used in proxy_set_header (X-SSL-CERT below) is the name that must later be configured in identity.xml as X509RequestHeaderName. TLSv1 and TLSv1.1 are kept here as in the original configuration; restrict ssl_protocols to TLSv1.2 where your clients allow it.

    http {
        upstream wso2.is.com {
            server localhost:9443;
            ip_hash;
        }

        # HTTPS server
        server {
            listen 443 ssl;
            server_name localhost;

            # nginx certificate
            ssl_certificate /usr/local/etc/nginx/ssl/nginx.pem;
            # nginx key
            ssl_certificate_key /usr/local/etc/nginx/ssl/key.pem;
            # certificate(s) trusted when verifying client certificates
            ssl_client_certificate /usr/local/etc/nginx/ssl/certificate.pem;

            ssl_session_timeout 50m;
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_ciphers HIGH:!aNULL:!MD5;
            ssl_verify_client on;
            ssl_prefer_server_ciphers on;

            location / {
                # pass the request headers through to the backend
                proxy_pass_request_headers on;
                proxy_set_header X-HTTPS-Protocol $ssl_protocol;
                # the verified client certificate, as PEM, in a request header
                proxy_set_header X-SSL-CERT $ssl_client_cert;
                proxy_pass https://wso2.is.com;
            }
        }
    }
Configure the Proxy Port in IS nodes
By default, WSO2 Identity Server runs on port 9443. The following steps describe how to configure 443 as the proxy port.
- Open the catalina-server.xml file in <IS Home>/repository/conf/tomcat/ and add the proxy port 443 to the HTTPS connector as follows (keep the connector's other attributes as they are).

    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="9443"
               proxyPort="443"
               ... />
- Configure the proxy port and host in the site.json file in <IS-HOME>/repository/deployment/server/jaggeryapps/dashboard/conf/ as follows.

    {
        "proxy": {
            "proxyHost": "nginx.mycomp.org",
            "proxyHTTPSPort": "443",
            "proxyContextPath": "",
            "servicePath": "/services"
        }
    }
- Configure the proxy port and host in the site.json file in <IS-HOME>/repository/deployment/server/jaggeryapps/portal/conf/ as follows.

    {
        "proxy": {
            "proxyHost": "nginx.mycomp.org",
            "proxyHTTPSPort": "443",
            "proxyContextPath": ""
        },
        "fido": {
            "appId": ""
        }
    }
- Configure the proxy port and host in the web.xml file in <IS-HOME>/repository/deployment/server/webapps/shindig/WEB-INF/ as follows.

    <context-param>
        <param-name>system.properties</param-name>
        <param-value>
            <![CDATA[
                shindig.host=
                shindig.port=443
                akey=/shindig/gadgets/proxy?container=default&url=
            ]]>
        </param-value>
    </context-param>
Change the authentication endpoint in the Travelocity sample
Since NGINX listens on port 443, the authentication endpoint of the client must be changed.
- Go to travelocity.properties in <Catalina_Home>/webapps/travelocity.com/WEB-INF/classes and set SAML2.IdPURL to https://localhost:443/samlsso as shown below.

    #The URL of the SAML 2.0 Identity Provider
    SAML2.IdPURL=https://localhost:443/samlsso
Configure X509 Authenticator in WSO2 Identity Server
Follow the steps mentioned here in order to configure X509 Authenticator.
Add the X509 Authentication Valve to WSO2 Identity Server
- Get a git clone by executing the following command in the terminal.

    git clone https://github.com/wso2-extensions/identity-x509-commons.git

- If the current branch is not master, check out master as follows.

    git checkout master

- Build the component.

    mvn clean install
- Copy the org.wso2.carbon.extension.identity.authenticator.x509Certificate.valve-1.0.4-SNAPSHOT.jar file from /identity-x509-revocation/component/valve/target into <IS_HOME>/repository/components/dropins/. (Check the version of the x509 revocation component in the IS pack and change its version to 1.0.4-SNAPSHOT.)
- Open catalina.xml in the <IS_HOME>/repository/conf/tomcat/ directory and add the new valve to the configuration file.

    <Valve className="org.wso2.carbon.extension.identity.x509Certificate.valve.X509CertificateAuthenticationValve"/>
- In the identity.xml file in <IS_HOME>/repository/conf/identity, set <X509RequestHeaderName> to the name of the request header that carries the certificate from NGINX. It must match the header name used in the proxy_set_header directive of the NGINX configuration exactly (X-SSL-CERT above); a mismatch means the valve never sees the certificate and authentication fails.

    <!--X509 Certificate based authentication configuration-->
    <X509>
        <!--HTTP request header name which passes the X509Certificate from LB-->
        <X509RequestHeaderName>X-SSL-CERT</X509RequestHeaderName>
    </X509>
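To make the mechanism the valve relies on concrete, the following is a minimal Tomcat valve written for this page as an illustration; it is not the code of the WSO2 identity-x509-commons valve, whose behaviour may differ. It reads the header that NGINX sets with proxy_set_header, rebuilds a well-formed PEM (NGINX's $ssl_client_cert renders every line after the first with a leading tab, and proxies may fold the newlines into spaces), parses it with the JDK's CertificateFactory, and publishes the result as the standard javax.servlet.request.X509Certificate request attribute that servlet-side X509 authentication expects. The package and class names, the headerName and trustedProxy defaults, and the peer-address check are assumptions made for this example.

```java
// Added example for this page; not the WSO2 identity-x509-commons valve.
package example.valve; // hypothetical package name

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

public class HeaderCertificateValve extends ValveBase {

    // Must equal the proxy_set_header name in NGINX and X509RequestHeaderName in identity.xml.
    private String headerName = "X-SSL-CERT";
    // Only trust the header when the immediate TCP peer is the proxy (assumed default: same host).
    private String trustedProxy = "127.0.0.1";

    public void setHeaderName(String headerName) { this.headerName = headerName; }
    public void setTrustedProxy(String trustedProxy) { this.trustedProxy = trustedProxy; }

    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        String raw = request.getHeader(headerName);
        // A header is plain text: accept it only from the proxy that actually did the TLS client auth.
        if (raw != null && !raw.isEmpty() && trustedProxy.equals(request.getRemoteAddr())) {
            try {
                X509Certificate cert = parse(normalizePem(raw));
                request.setAttribute("javax.servlet.request.X509Certificate",
                        new X509Certificate[] { cert });
            } catch (CertificateException e) {
                // Malformed header: leave the attribute unset so authentication fails closed.
                containerLog.warn("Ignoring unparsable " + headerName + " header", e);
            }
        }
        getNext().invoke(request, response);
    }

    // Strip the PEM armour and all whitespace (tabs, folded newlines), then re-wrap the
    // base64 body at 64 columns so CertificateFactory sees a standard PEM certificate.
    static String normalizePem(String raw) {
        String body = raw.replace("-----BEGIN CERTIFICATE-----", "")
                         .replace("-----END CERTIFICATE-----", "")
                         .replaceAll("\\s+", "");
        StringBuilder pem = new StringBuilder("-----BEGIN CERTIFICATE-----\n");
        for (int i = 0; i < body.length(); i += 64) {
            pem.append(body, i, Math.min(i + 64, body.length())).append('\n');
        }
        return pem.append("-----END CERTIFICATE-----\n").toString();
    }

    static X509Certificate parse(String pem) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
    }
}
```

Such a valve would be registered in the Tomcat configuration the same way as the WSO2 valve above, with the bean properties supplied as attributes, for example <Valve className="example.valve.HeaderCertificateValve" headerName="X-SSL-CERT" trustedProxy="127.0.0.1"/>. The peer-address check matters because the backend cannot otherwise distinguish a header set by NGINX from one supplied by a client that reaches port 9443 directly; the more robust mitigation is to make 9443 reachable only from the proxy at the network level, with the check as defence in depth. If NGINX 1.13.5 or later is used, $ssl_client_escaped_cert yields a URL-encoded PEM instead; in that case the value must be passed through java.net.URLDecoder before normalizePem.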
Now run the travelocity sample and it will be authenticated using X509 Certificate when SSL termination is configured.