In this post, let's look at configuring the WSO2 ESB to communicate with RabbitMQ over SSL. I assume you have followed the previous post linked to this one and have configured RabbitMQ with a similar rabbitmq.config file. Look closely at the sample rabbitmq.config file in the previous post and you will find the following configuration.
{verify, verify_none},
{fail_if_no_peer_cert,false},
Through the {fail_if_no_peer_cert,false} option, we state that we're prepared to accept clients which don't have a certificate to send us, but through the {verify,verify_peer} option, we state that if the client does send us a certificate, we must be able to establish a chain of trust to it. Note that the sample above uses verify_none rather than verify_peer: with verify_none the broker does not validate the client's certificate chain at all, so the chain-of-trust check just described only applies once verify is set to verify_peer.
If fail_if_no_peer_cert is set to false, we can configure the WSO2 ESB with a minimal configuration.
When "fail_if_no_peer_cert" is set to false
If fail_if_no_peer_cert is set to false in the RabbitMQ broker configuration, then you only need to specify <parameter name="rabbitmq.connection.ssl.enabled" locked="false">true</parameter> in the AMQPConnectionFactory definition of the transport receiver in axis2.xml.
<!-- ================================================= -->
<!-- Transport Ins (Listeners) -->
<!-- ================================================= -->
<transportReceiver name="rabbitmq" class="org.apache.axis2.transport.rabbitmq.RabbitMQListener">
    <parameter name="AMQPConnectionFactory" locked="false">
        <parameter name="rabbitmq.server.host.name" locked="false">localhost</parameter>
        <parameter name="rabbitmq.server.port" locked="false">5671</parameter>
        <parameter name="rabbitmq.server.user.name" locked="false">user</parameter>
        <parameter name="rabbitmq.server.password" locked="false">user123</parameter>
        <parameter name="rabbitmq.connection.retry.interval" locked="false">10000</parameter>
        <parameter name="rabbitmq.connection.retry.count" locked="false">5</parameter>
        <parameter name="rabbitmq.connection.ssl.enabled" locked="false">true</parameter>
    </parameter>
</transportReceiver>
When "fail_if_no_peer_cert" is set to true
When fail_if_no_peer_cert is set to true, the broker insists on a client certificate, so you also need to provide keystore and truststore information.
<!-- ================================================= -->
<!-- Transport Ins (Listeners) -->
<!-- ================================================= -->
<transportReceiver name="rabbitmq" class="org.apache.axis2.transport.rabbitmq.RabbitMQListener">
    <parameter name="AMQPConnectionFactory" locked="false">
        <parameter name="rabbitmq.server.host.name" locked="false">localhost</parameter>
        <parameter name="rabbitmq.server.port" locked="false">5671</parameter>
        <parameter name="rabbitmq.server.user.name" locked="false">user</parameter>
        <parameter name="rabbitmq.server.password" locked="false">user123</parameter>
        <parameter name="rabbitmq.connection.retry.interval" locked="false">10000</parameter>
        <parameter name="rabbitmq.connection.retry.count" locked="false">5</parameter>
        <parameter name="rabbitmq.connection.ssl.enabled" locked="false">true</parameter>
        <parameter name="rabbitmq.connection.ssl.version" locked="false">TLSv1.2</parameter>
        <parameter name="rabbitmq.connection.ssl.keystore.location" locked="false">/home/krishan/wso2_workspace/support_issues_setups/INGTURKEYDEV-16/client/keycert.p12</parameter>
        <parameter name="rabbitmq.connection.ssl.keystore.type" locked="false">PKCS12</parameter>
        <parameter name="rabbitmq.connection.ssl.keystore.password" locked="false">MySecretPassword</parameter>
        <parameter name="rabbitmq.connection.ssl.truststore.location" locked="false">/home/krishan/wso2_workspace/support_issues_setups/INGTURKEYDEV-16/wso2esb-4.9.0/repository/resources/security/client-truststore.jks</parameter>
        <parameter name="rabbitmq.connection.ssl.truststore.type" locked="false">JKS</parameter>
        <parameter name="rabbitmq.connection.ssl.truststore.password" locked="false">wso2carbon</parameter>
    </parameter>
</transportReceiver>
rabbitmq.connection.ssl.keystore.location - the location of the client keystore. In the earlier post we created a separate folder called client; inside that folder you can find the keycert.p12 keystore.
rabbitmq.connection.ssl.keystore.password - the password of that keystore.
rabbitmq.connection.ssl.truststore.location - we can use the default truststore that ships with the WSO2 ESB, but we need to import the RabbitMQ server certificate into it, i.e. import the .pem certificate into the .jks truststore.
First, convert your certificate to DER format:
openssl x509 -outform der -in certificate.pem -out certificate.der
Then import it into the ESB truststore (client-truststore.jks, not the JVM's cacerts):
keytool -import -alias your-alias -keystore client-truststore.jks -file certificate.der
rabbitmq.connection.ssl.truststore.password - the default password for the truststore is wso2carbon.
We can define the SSL protocol version with the following parameter.
<parameter name="rabbitmq.connection.ssl.version" locked="false">SSL</parameter>
The values you can specify are the JSSE protocol names supported by your JVM. Prefer an explicit TLSv1.2, as in the listener configuration above, over the generic SSL, which may negotiate older protocol versions.
RabbitMQ documentation also notes that TLS support requires Erlang 17.5 or a later version.
Also, don't forget to add the transport sender configuration to axis2.xml.
<!-- ================================================= -->
<!-- Transport Outs (Senders) -->
<!-- ================================================= -->
<transportSender name="rabbitmq" class="org.apache.axis2.transport.rabbitmq.RabbitMQSender"/>
That's all for configuring WSO2 ESB 4.9.0; you can then follow this post and deploy a consumer proxy. It is the same as a normal consumer proxy that uses the above connection factory.
A sample SSL-enabled producer proxy service looks like the following. You need to change the query parameters of the endpoint URL to get this to work. Note that the & separators of the query string are written as &amp; because the URL sits inside an XML attribute.
<?xml version="1.0" encoding="UTF-8"?>
<proxy xmlns="http://ws.apache.org/ns/synapse"
       name="SSLrabitMQProducer"
       transports="https,http"
       statistics="disable"
       trace="disable"
       startOnLoad="true">
    <target>
        <inSequence>
            <property name="FORCE_SC_ACCEPTED"
                      value="true"
                      scope="axis2"
                      type="STRING"/>
            <property name="OUT_ONLY" value="true" scope="default" type="STRING"/>
            <send description="send message to AMQP queue">
                <endpoint name="RABBIT">
                    <address uri="rabbitmq:/PublishRabbitMQ?rabbitmq.queue.exclusive=false&amp;rabbitmq.queue.auto.delete=false&amp;rabbitmq.queue.routing.key=destination&amp;rabbitmq.server.host.name=localhost&amp;rabbitmq.server.port=5671&amp;rabbitmq.server.user.name=guest&amp;rabbitmq.server.password=guest&amp;rabbitmq.queue.name=queue1&amp;rabbitmq.exchange.name=amq.direct&amp;rabbitmq.connection.ssl.enabled=true&amp;rabbitmq.connection.ssl.version=SSL&amp;rabbitmq.connection.ssl.keystore.location=/home/krishan/rabbitcerts/client/keycert.p12&amp;rabbitmq.connection.ssl.keystore.type=PKCS12&amp;rabbitmq.connection.ssl.keystore.password=MySecretPassword&amp;rabbitmq.connection.ssl.truststore.location=/home/krishan/wso2esb-4.9.0/repository/resources/security/client-truststore.jks&amp;rabbitmq.connection.ssl.truststore.type=JKS&amp;rabbitmq.connection.ssl.truststore.password=wso2carbon"/>
                </endpoint>
            </send>
        </inSequence>
        <outSequence/>
    </target>
    <description/>
</proxy>
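As an added example (not code from the post, nor from WSO2 or RabbitMQ), the following Python script reads the same parameter names used above, either from the AMQPConnectionFactory block of axis2.xml or from the query string of a rabbitmq:/ endpoint URI like the one in the proxy, and lists the settings worth questioning before restarting the server: TLS enabled on a port other than 5671, a generic or deprecated ssl.version, a missing truststore, and a missing keystore when the broker has fail_if_no_peer_cert set to true. It also shows why the & characters in the address uri attribute must be written as &amp;: the XML parser rejects the unescaped form. The fragments, paths and the password embedded in it are constructed placeholders, not values from this setup.

```python
"""Audit the TLS settings of a WSO2 ESB RabbitMQ connection before a restart.

Added example; not part of the original post or of WSO2/RabbitMQ code. It
reads the parameter names the post uses, from the AMQPConnectionFactory block
of axis2.xml or from a rabbitmq:/ endpoint URI. All samples are constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

SYNAPSE_NS = "{http://ws.apache.org/ns/synapse}"

# JSSE protocol names that are deprecated, or generic names that may still
# negotiate deprecated versions; TLSv1.2 is the explicit choice.
WEAK_PROTOCOLS = {"SSL", "SSLv2", "SSLv3", "TLS", "TLSv1", "TLSv1.1"}


def params_from_axis2(receiver_xml):
    """{name: value} for the parameters nested inside AMQPConnectionFactory."""
    root = ET.fromstring(receiver_xml)
    factory = root.find(".//parameter[@name='AMQPConnectionFactory']")
    if factory is None:
        raise ValueError("no AMQPConnectionFactory parameter in fragment")
    return {p.get("name"): (p.text or "").strip() for p in factory.findall("parameter")}


def proxy_is_well_formed(proxy_xml):
    """True when the proxy parses as XML. A raw '&' inside the uri attribute
    (instead of &amp;) is an invalid token and makes this False."""
    try:
        ET.fromstring(proxy_xml)
        return True
    except ET.ParseError:
        return False


def endpoint_uri_from_proxy(proxy_xml):
    """The uri of the proxy's <address> endpoint, with &amp; already decoded."""
    address = ET.fromstring(proxy_xml).find(f".//{SYNAPSE_NS}address")
    if address is None:
        raise ValueError("proxy has no address endpoint")
    return address.get("uri")


def params_from_endpoint(uri):
    """{name: value} from the query string of a rabbitmq:/... endpoint URI."""
    query = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    return {name: values[-1] for name, values in query.items()}


def audit_tls(params, broker_requires_client_cert):
    """Findings for one connection definition; an empty list means nothing to raise.
    broker_requires_client_cert mirrors the broker's fail_if_no_peer_cert."""
    if params.get("rabbitmq.connection.ssl.enabled", "false").lower() != "true":
        return ["TLS disabled: rabbitmq.connection.ssl.enabled is not true"]
    findings = []
    if params.get("rabbitmq.server.port") != "5671":
        findings.append("TLS enabled but rabbitmq.server.port is not the AMQPS port 5671")
    version = params.get("rabbitmq.connection.ssl.version")
    if version is None:
        findings.append("ssl.version not set; the client library default applies")
    elif version in WEAK_PROTOCOLS:
        findings.append(f"ssl.version {version!r} may negotiate deprecated versions; use TLSv1.2")
    if "rabbitmq.connection.ssl.truststore.location" not in params:
        findings.append("no truststore configured; broker certificate checking is left to client defaults")
    if broker_requires_client_cert:
        for key in ("rabbitmq.connection.ssl.keystore.location",
                    "rabbitmq.connection.ssl.keystore.password"):
            if key not in params:
                findings.append(f"broker requires a client certificate but {key} is missing")
    return findings


# Constructed sample: the minimal listener from the post (only ssl.enabled=true).
MINIMAL_RECEIVER = """\
<transportReceiver name="rabbitmq" class="org.apache.axis2.transport.rabbitmq.RabbitMQListener">
    <parameter name="AMQPConnectionFactory" locked="false">
        <parameter name="rabbitmq.server.host.name" locked="false">localhost</parameter>
        <parameter name="rabbitmq.server.port" locked="false">5671</parameter>
        <parameter name="rabbitmq.connection.ssl.enabled" locked="false">true</parameter>
    </parameter>
</transportReceiver>
"""

# Constructed sample: a producer proxy whose endpoint query string is escaped
# as &amp; inside the attribute; paths and the password are placeholders.
PRODUCER_PROXY = """\
<proxy xmlns="http://ws.apache.org/ns/synapse" name="SSLProducer" transports="http">
    <target><inSequence><send><endpoint name="RABBIT">
        <address uri="rabbitmq:/PublishRabbitMQ?rabbitmq.queue.name=queue1&amp;rabbitmq.server.host.name=localhost&amp;rabbitmq.server.port=5671&amp;rabbitmq.connection.ssl.enabled=true&amp;rabbitmq.connection.ssl.version=SSL&amp;rabbitmq.connection.ssl.keystore.location=/path/to/client/keycert.p12&amp;rabbitmq.connection.ssl.keystore.type=PKCS12&amp;rabbitmq.connection.ssl.keystore.password=CHANGEME&amp;rabbitmq.connection.ssl.truststore.location=/path/to/client-truststore.jks&amp;rabbitmq.connection.ssl.truststore.type=JKS"/>
    </endpoint></send></inSequence></target>
</proxy>
"""


def run_audit():
    """Audit both constructed samples: {label: findings}."""
    listener = params_from_axis2(MINIMAL_RECEIVER)
    producer = params_from_endpoint(endpoint_uri_from_proxy(PRODUCER_PROXY))
    return {
        "listener": audit_tls(listener, broker_requires_client_cert=False),
        "producer": audit_tls(producer, broker_requires_client_cert=True),
    }
```

Against the constructed samples, the minimal listener draws two findings (no ssl.version, no truststore) and the producer one (ssl.version=SSL); replacing &amp; with a bare & in PRODUCER_PROXY makes proxy_is_well_formed return False, which is the error the ESB would raise when loading the artifact.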
Then restart the WSO2 ESB server with a JVM parameter like the following.
./wso2server.sh -Djavax.net.debug=ssl
Then you can see SSL logs like the following.
rabbitmq-Worker-1, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data: { 118, 108, 34, 38, 213, 148, 67, 35, 86, 77, 78, 36 }
***
rabbitmq-Worker-1, WRITE: TLSv1.2 Handshake, length = 80
rabbitmq-Worker-1, READ: TLSv1.2 Change Cipher Spec, length = 1
rabbitmq-Worker-1, READ: TLSv1.2 Handshake, length = 80
*** Finished
verify_data: { 55, 201, 154, 129, 204, 176, 84, 154, 232, 100, 160, 92 }
***
%% Cached client session: [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA256]
rabbitmq-Worker-1, WRITE: TLSv1.2 Application Data, length = 64
AMQP Connection 127.0.0.1:5671, READ: TLSv1.2 Application Data, length = 544
rabbitmq-Worker-1, WRITE: TLSv1.2 Application Data, length = 432
AMQP Connection 127.0.0.1:5671, READ: TLSv1.2 Application Data, length = 80
rabbitmq-Worker-1, setSoTimeout(15000) called
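As an added example (not from the post or from WSO2), here is a Python script that reads a JDK 7/8-style javax.net.debug=ssl trace of the kind shown above and reports whether the handshake completed in both directions, which protocol version was negotiated and which cipher suite, flagging deprecated protocol versions and suites without forward secrecy. The trace embedded in it is constructed from the shape of the lines above, with made-up verify_data values.

```python
"""Summarise a -Djavax.net.debug=ssl trace from the RabbitMQ transport.

Added example; not part of the original post or of WSO2 code. It scans the
JSSE debug lines the JVM prints (JDK 7/8 format) and answers what matters
after a restart: did the handshake finish in both directions, and which
protocol version and cipher suite were negotiated. The trace below is
constructed to match the shape of the lines shown in the post.
"""
import re

# "thread, READ|WRITE: <protocol> <record type>, length = N"
RECORD_RE = re.compile(
    r"^(?P<thread>.+?), (?P<direction>READ|WRITE): (?P<protocol>SSLv3|TLSv1(?:\.\d)?) "
    r"(?P<record>[A-Za-z ]+?), length = \d+$")
# "%% Cached client session: [Session-1, <cipher suite>]"
SESSION_RE = re.compile(r"^%% \w[\w ]*:\s+\[Session-\d+, (?P<suite>(?:TLS|SSL)_[A-Z0-9_]+)\]$")

DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}


def summarize_handshake(trace):
    """Facts about the handshake recorded in a JSSE debug trace."""
    protocols, ccs_directions, suite, finished = set(), set(), None, 0
    for raw in trace.splitlines():
        line = raw.strip()
        m = RECORD_RE.match(line)
        if m:
            protocols.add(m.group("protocol"))
            if m.group("record") == "Change Cipher Spec":
                ccs_directions.add(m.group("direction"))
            continue
        m = SESSION_RE.match(line)
        if m:
            suite = m.group("suite")
        elif line == "*** Finished":
            finished += 1  # one Finished message per side when the handshake completes
    return {
        "protocols": sorted(protocols),
        "cipher_suite": suite,
        # Both sides switched to the new keys and both Finished messages were seen.
        "handshake_complete": finished >= 2 and ccs_directions == {"READ", "WRITE"},
        # ECDHE/DHE key exchange gives forward secrecy; static RSA or ECDH does not.
        "forward_secrecy": suite is not None and ("_ECDHE_" in suite or "_DHE_" in suite),
    }


def review(summary):
    """Plain-language findings for a handshake summary (empty = nothing to raise)."""
    notes = []
    if not summary["handshake_complete"]:
        notes.append("handshake did not complete in both directions")
    for proto in summary["protocols"]:
        if proto in DEPRECATED:
            notes.append(f"deprecated protocol version negotiated: {proto}")
    if summary["cipher_suite"] and not summary["forward_secrecy"]:
        notes.append(f"{summary['cipher_suite']} has no forward secrecy (key exchange is not ECDHE/DHE)")
    return notes


# Constructed trace following the post's output (verify_data values are made up).
SAMPLE_TRACE = """\
rabbitmq-Worker-1, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data: { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 }
***
rabbitmq-Worker-1, WRITE: TLSv1.2 Handshake, length = 80
rabbitmq-Worker-1, READ: TLSv1.2 Change Cipher Spec, length = 1
rabbitmq-Worker-1, READ: TLSv1.2 Handshake, length = 80
*** Finished
verify_data: { 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1 }
***
%% Cached client session: [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA256]
rabbitmq-Worker-1, WRITE: TLSv1.2 Application Data, length = 64
AMQP Connection 127.0.0.1:5671, READ: TLSv1.2 Application Data, length = 544
rabbitmq-Worker-1, setSoTimeout(15000) called
"""

if __name__ == "__main__":
    summary = summarize_handshake(SAMPLE_TRACE)
    print(summary)
    print(review(summary) or "no findings")
```

On the trace above it reports TLSv1.2 with TLS_RSA_WITH_AES_128_CBC_SHA256, a suite whose static RSA key exchange offers no forward secrecy; the suite is chosen by what the broker's ssl_options allow and what the JVM offers, so that is where to look if you want an ECDHE suite instead.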