Friday, September 25, 2015

Dynamic SSL Profiles in WSO2 ESB 4.9.0

Dynamic SSL Profiles were introduced in WSO2 ESB 4.9.0 to avoid the application restart at each Custom SSL Profile update and provide facilities to load at run-time,
  • for every configured time interval (longer than 1 minute)
  • using JMX which will be applied immediately


It would be really beneficial for systems where security policies are changed frequently and whenever it requires to update new security certificates to establish the connections with back-end service or clients.


Following are the changes required to enable Dynamic SSL Profiles for both Transport Listeners and Senders.

Note: Dynamic SSL Profiles updating feature has been built on top of Custom SSL Profiles feature in WSO2 ESB. If you are not familiar with Custom SSL Profiles, you can get some idea from following documentation and blog posts before going into Dynamic Profiles.
  1. https://docs.wso2.com/display/ESB490/Multi-HTTPS+Transport
  2. http://pathberiya.blogspot.com/2010/07/ssl-profiles-in-wso2-esb.html
  3. http://nadeeshaan.blogspot.com/2014/03/enabling-custom-ssl-in-wso2-esb-4.html
Configurations


Set of new configurations should be added to the respective Multi SSL Transport Listener and/or Sender configurations used in axis2.xml ({ESB_HOME}/repository/conf/axis2/ axis2.xml) in ESB.
<parameter name="dynamicSSLProfilesConfig">
<filePath>repository/conf/sslprofiles/listeners/sslprofiles.xml</filePath>
<fileReadInterval>3600000</fileReadInterval>
</parameter>


There should be a separate configuration XML file created for each SSL Transport Listener/Sender configured for Dynamic Loading in ESB.


  • filePath - Provides the relative/absolute file path of the custom SSL Profile configuration XML file.
  • fileReadInterval - Defines the time interval (in milliseconds) which configuration updates will be loaded and applied at runtime. This value should be greater than 1 minute. Default value is set to 1 hour.

Content of Custom XML Files


The content of the custom SSL Profiles XML files configured in above mentioned file path, will be as follows. It is the same content as axis2.xml configurations for custom SSL profiles.

Listeners


<parameter name="SSLProfiles">
<profile>
<bindAddress>10.100.7.30</bindAddress>
<KeyStore>
<Location>repository/resources/security/esb.jks</Location>
<Type>JKS</Type>
<Password>123456</Password>
<KeyPassword>123456</KeyPassword>
    </KeyStore>
<TrustStore>
<Location>repository/resources /security/ client-truststore.jks </Location>
<Type>JKS</Type>
<Password>wso2carbon</Password>
</TrustStore>
<!--SSLVerifyClient>require</SSLVerifyClient-->
       </profile>
</parameter>


Note:
<SSLVerifyClient>require</SSLVerifyClient> This configuration should be enabled only when mutual SSL needs to be enabled with clients.

Senders



<parameter name="customSSLProfiles">
<profile>
<servers>10.100.7.30:8263</servers>
<KeyStore>
<Location>repository/resources/ security/esb.jks </Location>
<Type>JKS</Type>
<Password>123456</Password>
                <KeyPassword>123456</KeyPassword>
            </KeyStore>
<TrustStore>
<Location>repository/resources /security/esbtruststore.jks</Location>
<Type>JKS</Type>
<Password>123456</Password>
</TrustStore>
</profile>
</parameter>

Important : Once these customized SSL Profiles added and dynamic loading is configured in ESB, it will discard any custom SSL Profiles configured in axis2.xml.


Apply Configurations without restarting the ESB



Once the above custom configuration files are updated, there are two ways to apply new configurations to the ESB runtime.

Periodic Loading



ESB will load dynamic SSL profile configurations and updated keystore files at every configured time interval in “fileReadInterval” tag above. Value is set in milliseconds.

Apply using JMX



Using JConsole, new configurations and keystore files can be loaded and applied in ESB via JMX. Once JConsole is connected with ESB, it will list down available SSL Profile Invokers.


E.g.


In below example, “ListenerSSLProfileReloader” and “SenderSSLProfileReloader” are the MBeans provided for dynamic SSL configuration loading.


By executing “notifyFileUpdate” methods in respective Profile Reloaders will trigger the loading and applying of updated configuration from files.


Configuration file used in each invoker can be found as Attribute of the each MBean. It can be used to confirm that correct configuration loading will be triggered.


I will provide detailed use cases of configuring and testing these for both Sender and Listener in next few posts.

1 comment: