WSO2 ESB使用证书的WCF安全方法

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了WSO2 ESB使用证书的WCF安全方法相关的知识,希望对你有一定的参考价值。

我是WSO2 ESB的新手。我已经使用wsHttpBinding构建了一个wcf服务,并使用自我证书进行保护。我找不到将该服务与ESB集成的方法。有什么建议吗?

我使用makecert命令创建了自签名证书,但我无法配置使用创建的证书。我怎样才能做到这一点?我迷路了。我的wsHttpBinding看起来像这样:

<wsHttpBinding>
    <binding name="BasicHttpAuthentication_Config">          
      <security mode="Message">
        <message clientCredentialType="UserName" algorithmSuite="Basic256" establishSecurityContext="false"/>
      </security>
    </binding>
  </wsHttpBinding>

并且rampart配置如下所示:

<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
            <ramp:user>acc1</ramp:user>
            <ramp:userCertAlias>acc1</ramp:userCertAlias>
            <ramp:encryptionUser>acc1</ramp:encryptionUser>
            <ramp:passwordCallbackClass>org.wso2.samples.pwcb.PWCBHandler</ramp:passwordCallbackClass>
            <ramp:TimeToLive>360</ramp:TimeToLive>
            <ramp:signatureCrypto>
                <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                    <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">pkcs12</ramp:property>
                    <ramp:property name="org.apache.ws.security.crypto.merlin.file">C:ESB_HOME
epository
esourcessecuritycert1.pfx</ramp:property>
                    <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">123</ramp:property>
                </ramp:crypto>
            </ramp:signatureCrypto>
            <ramp:encryptionCypto>
                <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                    <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">pkcs12</ramp:property>
                    <ramp:property name="org.apache.ws.security.crypto.merlin.file">C:ESB_HOME
epository
esourcessecuritycert1.pfx</ramp:property>
                    <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">123</ramp:property>
                </ramp:crypto>
            </ramp:encryptionCypto>
        </ramp:RampartConfig>

创建代理服务后,我收到以下错误:

 org.apache.synapse.SynapseException: Unexpected error during sending message out at org.apache.synapse.core.axis2.Axis2Sender.handleException(Axis2Sender.java:257) at org.apache.synapse.core.axis2.Axis2Sender.sendOn(Axis2Sender.java:84) at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.send(Axis2SynapseEnvironment.java:548) at org.apache.synapse.endpoints.AbstractEndpoint.send(AbstractEndpoint.java:382) at org.apache.synapse.endpoints.AddressEndpoint.send(AddressEndpoint.java:65) at org.apache.synapse.core.axis2.ProxyServiceMessageReceiver.receive(ProxyServiceMessageReceiver.java:231) at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180) at org.apache.synapse.transport.passthru.ServerWorker.processEntityEnclosingRequest(ServerWorker.java:403) at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:151) at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) Caused by: org.apache.axis2.AxisFault: Signature token missing at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:76) at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340) at org.apache.axis2.engine.Phase.invoke(Phase.java:313) at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261) at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:426) at org.apache.synapse.core.axis2.DynamicAxisOperation$DynamicOperationClient.send(DynamicAxisOperation.java:185) at org.apache.synapse.core.axis2.DynamicAxisOperation$DynamicOperationClient.executeImpl(DynamicAxisOperation.java:167) at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149) at org.apache.synapse.core.axis2.Axis2FlexibleMEPClient.send(Axis2FlexibleMEPClient.java:581) at org.apache.synapse.core.axis2.Axis2Sender.sendOn(Axis2Sender.java:78) ... 11 more Caused by: org.apache.rampart.RampartException: Signature token missing at org.apache.rampart.builder.SymmetricBindingBuilder.doSignBeforeEncrypt(SymmetricBindingBuilder.java:434) at org.apache.rampart.builder.SymmetricBindingBuilder.build(SymmetricBindingBuilder.java:86) at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:144) at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:65) ... 20 more

我该怎么做才能让它发挥作用?整个策略文件如下:

<wsp:Policy wsu:Id="WSHttpBinding_IBasicHttpService_policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl">
<wsp:ExactlyOne>
    <wsp:All>
        <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>
                <sp:ProtectionToken>
                    <wsp:Policy>
                        <mssp:SslContextToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" xmlns:mssp="http://schemas.microsoft.com/ws/2005/07/securitypolicy">
                            <wsp:Policy>
                                <sp:RequireDerivedKeys/>
                            </wsp:Policy>
                        </mssp:SslContextToken>
                    </wsp:Policy>
                </sp:ProtectionToken>
                <sp:AlgorithmSuite>
                    <wsp:Policy>
                        <sp:Basic256/>
                    </wsp:Policy>
                </sp:AlgorithmSuite>
                <sp:Layout>
                    <wsp:Policy>
                        <sp:Strict/>
                    </wsp:Policy>
                </sp:Layout>
                <sp:IncludeTimestamp/>
                <sp:EncryptSignature/>
                <sp:OnlySignEntireHeadersAndBody/>
            </wsp:Policy>
        </sp:SymmetricBinding>
        <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>
                <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                    <wsp:Policy>
                        <sp:WssUsernameToken10/>
                    </wsp:Policy>
                </sp:UsernameToken>
            </wsp:Policy>
        </sp:SignedSupportingTokens>
        <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy/>
        </sp:Wss11>
        <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>
                <sp:MustSupportIssuedTokens/>
                <sp:RequireClientEntropy/>
                <sp:RequireServerEntropy/>
            </wsp:Policy>
        </sp:Trust10>
        <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <sp:Body />
            <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
            <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
            <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
            <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
            <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
            <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
            <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
        </sp:SignedParts>
        <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <sp:Body />
        </sp:EncryptedParts>
        <wsaw:UsingAddressing/>
        <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
            <ramp:user>acc1</ramp:user>
            <ramp:userCertAlias>BasicHttpAuthentication</ramp:userCertAlias>
            <ramp:encryptionUser>acc1</ramp:encryptionUser>
            <ramp:passwordCallbackClass>org.wso2.samples.pwcb.PWCBHandler</ramp:passwordCallbackClass>
            <ramp:TimeToLive>360</ramp:TimeToLive>
            <ramp:signatureCrypto>
                <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                    <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">pkcs12</ramp:property>
                    <ramp:property name="org.apache.ws.security.crypto.merlin.file">C:ESB_HOME
epository
esourcessecuritycert1.pfx</ramp:property>
                    <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">123456</ramp:property>
                </ramp:crypto>
            </ramp:signatureCrypto>
            <ramp:encryptionCypto>
                <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                    <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">pkcs12</ramp:property>
                    <ramp:property name="org.apache.ws.security.crypto.merlin.file">C:ESB_HOME
epository
esourcessecuritycert1.pfx</ramp:property>
                    <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">123456</ramp:property>
                </ramp:crypto>
            </ramp:encryptionCypto>
        </ramp:RampartConfig>           
    </wsp:All>

</wsp:ExactlyOne>

答案

我想通了,似乎问题是使用SSLContextToken时出现问题,因为axis2不理解,所以我改变了wsHttpBinding,如下所示:

<security mode="Message">
    <message clientCredentialType="None" 
         negotiateServiceCredential="false" 
         establishSecurityContext="false"/>
</security>

然后每件事情都很好。所以现在我必须找到一种新的身份验证方式,但至少邮件是通过我们的证书保护的。

以上是关于WSO2 ESB使用证书的WCF安全方法的主要内容,如果未能解决你的问题,请参考以下文章

WSO2 ESB / EI / AM 汉化方法

WSO2 ESB / EI / AM 汉化方法

WSO2 ESB / EI / AM 汉化方法

WSO2 ESB 5.0.0 集群配置

WSO2 ESB 5.0.0 集群配置

使用wso2 esb multipart / form数据