fb
WSO2 Enterprise Integrator 4 min

Securing proxies in WSO2 ESB 4.9.0

Rob Blaauboer
Rob Blaauboer
Integration Consultant & WSO2 Trainer
WSO2TORIAL 7
Scroll

WSO2torial_rgb600.pngSecurity is an essential element of your IT (infrastructure). Without it, anyone can access services and systems. It is, however, a very wide topic that addresses many aspects. From the encryption of passwords to the firewall deployed at the perimeter of you network.

In this blogpost we will cover securing proxies in the WSO2 Enterprise Service Bus and part of the WSO2 security guidelines. The latest version of the WSO2 ESB has introduced a new way to secure proxies. Rather than doing it via the UI of the ESB it is now recommended to do it via Developer Studio / Eclipse.

WSO2_ESB_Service_Dashboard_echo.png

That is, in a sense, unfortunate since it is more work but makes sense from the perspective of WSO2 security itself.

So what are the basic steps?

  1. Create a security policy and either store it in the governance repository (of even Governance Registry)
  2. Apply the policy to a proxy.

As you can see, this is not rocket science. Let’s go step for step through it. We will create a proxy (simple passthrough) and secure it. With SoapUI we will access the service and see that it works.

Let’s get started

So the first step is to create a proxy service that we want to secure. The simplest way (and one that everyone can easily recreate) is to take the echo service and create a simple pass through proxy.

I am not going to recreate all steps with screen shots but will simply indicate the steps needed and use screenshots to actually clarify things.

new_proxy_service.pngNew_carbon_4.4_based_server_runtime.pngAdd_and_remove.png 

Of course, the first step is to start Eclipse and create a new ESB Project. I will call it: Proxy2Secure. Within that project a Pass Through proxy is created (see below) that uses the echo service endpoint (http://localhost:8280/services/echo). The pass through proxy does exactly what it’s name implies, it simply passes the soap message to the endpoint and sends the answer back. I am going to use EchoString (‘Hello Proxy’) as a message in SoapUI.

The next step is to create the C-App file and subsequently a CAR file that can be deployed on the server. The server will be a regular WSO2 Carbon 4.4 based server on which the CAR will run.

After successful deployment, we will test the Proxy with SoapUI.

Request1_securing_proxies_in_WSO2_blog.png

As you can see, the proxy works.

Now we are going to secure it!

Security means policies

What needs to be created is a registry resource that will describe the policy for this proxy. We do this from Developer Studio Dashboard (under the Governance Registry entry).

Governance_registry.png

We call the policy ProxyPolicy choose the WS-Policy template. Zooming in on the policy just created the first option is chosen. We apply the internal/everyone role for this policy.

 Registry_resource.png 

WS-Policy_for_service.png

User_roles.png

We now have a policy and a proxy (unsecured) and will now add the policy to the security.

Proxy_service.png

In the properties of the proxy we put security enabled on true, and select the policy from the workspace (the one just created) and set it.

If there is no policy, click create new and a default will be filled in. This should be changed to the setting below.

Workspace_Element_Providers_securing_proxies_blog.png

The proxy is now secured as you can see from the <policy key=”gov:ws-policy/ProxyPolicy.xml”/> in source view.

Add RegRes to the CAR (so the policy will be deployed on the server) and do not forget to set the role of the RegRes to ESB rather than governance registry.

Dependencies_securing_proxies_blog.png

Testing it with SoapUI

Now it is time to test it with SoapUI. We need to change a number of things in this case:

  1. Transport is now https (rather than http)
  2. Port needs to change (8243 rather than 8280 for the same reason as above)
  3. Security needs to be added (WSSE header)

The third issues is done by adding basic authentication (as we selected in the policy) and giving the admin / admin credentials.

basic_authentication_securing_proxies_blog.png

If we call the correct port with https (https://localhost:8243/services/SimpleEcho) to the Simple Echo proxy we get a secured response.  (NOTE: in the screenshots is does not show localhost but another reference, this does not make a difference.

This is a simple overview on how to secure a proxy. Can’t this be done from the ESB User Interface? Yes, but you would have to copy the XML for the policy directly into the governance repository.

 

 

Request1_securing_proxies_blog.png

Read also our other WSO2 tutorials and blogs about WSO2 Enterprise Server written by our WSO2 GurusIn case you need WSO2 support, contact the Yenlo WSO2 Guru team to get WSO2 Development Support or WSO2 Operational Support. Of course we do deliver excellent WSO2 training services as well, based on reallife WSO2 tutorials.

WSO2TORIALS help you to change, update or improve WSO2 products and are based on our experiences with the products. WSO2TORIALS will guide you step by step with minimal knowledge required.   WSO2TORIAL.jpeg