Skip to main content

Mutual SSL Authenticator with WSO2 Identity Server 5.0

Mutual Authenticator

 SSL authentication :- 1 way SSL authentication
Mutual SSL authenticaion :- 2 way SSL authentication

 Mutual SSL authentication refers two parties authentication each other.This is the certificate based authentication process and each party should provide their digital certificate for authentication.

 Steps in mutual authentication
  1. A client requests access to a protected resource.
  2. The server presents its certificate to the client.
  3. The client verifies the server’s certificate.
  4. If successful, the client sends its certificate to the server.
  5. The server verifies the client’s credentials.
  6. If successful, the server grants access to the protected resource requested by the client.

I'm giving you the steps to test mutual ssl authentication with wso2 IS and soapui

 Step 1 :-

 You have to download wso2 identity Server 5.0 from here and apply service pack as instructions given in readme file in service pack.
Step 2 :- 

 You have to uncomment below lines in [IS_HOME]/repository/conf/security/authenticators.xml

<!-- Authenticator Configurations for MutualSSLAuthenticator -->
<Authenticator name="MutualSSLAuthenticator" disabled="false">
   <Priority>5</Priority>
   <Config>
       <Parameter name="UsernameHeader">UserName</Parameter>
       <Parameter name="WhiteListEnabled">false</Parameter>
       <Parameter name="WhiteList"/>
   </Config> 
</Authenticator>


Step 3 :-

 Go to <IS_Home>/repository/conf/tomcat/catelina-server.xml and change the clientAuth property.

clientAuth = "true" 
           Expect two-way SSL authentication for each and every request.

          when you make clientAuth attribute to true, you cannot access server from web browser.you can see only the blank page. But two-way ssl authentication is working fine.

clientAuth = "want"
          Expect two-way SSL authentication optional.

          When you required to access IS from web browser, you have to make clientAuth attribute 'want'.

Step 4 :-

 a ) Please download latest service pack for IS here (This is built using latest source).

b ) Extract downloaded file and go to <WSO2-IS-5.0.0-SP01>/resources/dropins folder.
c ) Copy org.wso2.carbon.identity.authenticator.mutualssl_4.2.0.jar file in to dropins folder in [IS_HOME]/repository/components and restart the server.


Step 5 :-

  Extract WSO2 public certificate from <IS_Home>/repository/resources/security/wso2carbon.jks and add it to client’s trust store.Add client’s public certificate to the product trust store
You can find it here <IS_Home>/repository/resources/security/client-truststore.jks.
Step 6 :-

 If you use soapui as a client, you can add same certificate to soapui

i ) Click preferences button, then you will get a window as below. then you have to click SSL Setting tab and import wso2carbon.jks file to keyStore.

ii ) You have to provide a password and click ok button
password should be 'wso2carbon' for above certificate. if you generated a certificate using keytool, you have to provide a password which you used when you are generating the certificate.




Step 7 :- 

 Now you have completed the setup. you can choose a admin service and send a request with a username in the header. You will get a response without giving username and password.

Sample soap header

 

<soapenv:Header>
<m:UserName xmlns:m="http://mutualssl.carbon.wso2.org" soapenv:mustUnderstand="0">admin</m:UserName>
</soapenv:Header>












































Comments











Post a Comment



















Popular posts from this blog





















Reverse Proxy configuration with WSO2 Identity Server 5.0.0




























    Reverse proxy is a type of a proxy which can hide back end servers from the client applications.     According to the above figure, Original servers are not exposed to the internet. Only reverse proxy is exposed to the internet.Client knows only the reverse proxy IP address. So he thinks that he is sending a request to the reverse proxy.He doesn't know anything about the original server. You can avoid some attacks using this architecture.   Today I'm going to configure Apache HTTPD server(reverse proxy) and WSO2 identity server 5.0.   Please download WSO2 identity server 5.0 from here   You can install apache httpd server using below commands    sudo  apt - get  update      sudo  apt - get  install  apache2     Restart the newly install apache server    sudo  service  apache2  restart     Apache is a modular server. This implies that only the most basic functionality is included in the core server.So You have to enable few other required features. Please use below command  




















Post a Comment









Read more




























Essential Debug Logs for WSO2 Identity Server




























        Essential Debug loggers for WSO2 Identity Server   When you are working with WSO2 products, you have to enable debug logs to investigate issues. Its better to enable debug logs only for particular module that you need to investigate. It reduce debug writing time and unnecessary debug reading time.So you can easily understand the root cause when you are reading the console.I'm going to discuss about debug lines one by one.   You have to add debug line to  [WSO2_HOME]\repository\conf\log4j.properties  file, all debug lines are displayed in the console and write to the wso2carbon.log file.    To enable loggers for user core.This is helpful to investigate user related issues.   log4j.logger.org.wso2.carbon.user.core=DEBUG        To enable debug logs for identity module. This debug log will be helpful to investigate identity related issues.   log4j.logger.org.wso2.carbon.identity=DEBUG   If you need to investigate saml assertion or assertion related issue,  you can enable debug 




















Post a Comment









Read more




























CURL commands to get access token from WSO2 Identity Server




























  WSO2 Identity server supports all grant types those are defined in oAuth2 core specification   Four grant types:   Authorization Code Grant  Implicit Grant  Resource Owner Password Credentials Grant (password)  Client Credentials Grant   We cannot use curl command directly to get an access token for Authorization code grant type and Implicit grant type. I'm going through other two grant types one by one and provide the curl command to get access token.   3. Get access token using password grant type    curl -k -d "grant_type=password&username=admin&password=admin" -H "Authorization: Basic ME5fbXdWRXpTVnhfalJIbDV2cmc4RHIycHZBYTp0RmZjcHVFRFM5V1d2eFFEc1ZCd0tWVGd0dE1h, Content-Type: application/x-www-form-urlencoded" https://localhost:9443/oauth2/token      ME5fbXdWRXpTVnhfalJIbDV2cmc4RHIycHZBYTp0RmZjcHVFRFM5V1d2eFFEc1ZCd0tWVGd is the encoded value of 0N_mwVEzSVx_jRHl5vrg8Dr2pvAa:tFfcpuEDS9WWvxQDsVBwKVTgttMa (<client_id>:<client_secret>). these




















Post a Comment









Read more