我是WSO2 ESB的新手。我已经使用wsHttpBinding构建了一个wcf服务,并使用自我证书进行保护。我找不到将该服务与ESB集成的方法。有什么建议吗?
我使用makecert命令创建了自签名证书,但我无法配置使用创建的证书。我怎样才能做到这一点?我迷路了。我的wsHttpBinding看起来像这样:
<wsHttpBinding>
<binding name="BasicHttpAuthentication_Config">
<security mode="Message">
<message clientCredentialType="UserName" algorithmSuite="Basic256" establishSecurityContext="false"/>
</security>
</binding>
</wsHttpBinding>
并且rampart配置如下所示:
<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
<ramp:user>acc1</ramp:user>
<ramp:userCertAlias>acc1</ramp:userCertAlias>
<ramp:encryptionUser>acc1</ramp:encryptionUser>
<ramp:passwordCallbackClass>org.wso2.samples.pwcb.PWCBHandler</ramp:passwordCallbackClass>
<ramp:TimeToLive>360</ramp:TimeToLive>
<ramp:signatureCrypto>
<ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">pkcs12</ramp:property>
<ramp:property name="org.apache.ws.security.crypto.merlin.file">C:\ESB_HOME\repository\resources\security\cert1.pfx</ramp:property>
<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">123</ramp:property>
</ramp:crypto>
</ramp:signatureCrypto>
<ramp:encryptionCypto>
<ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">pkcs12</ramp:property>
<ramp:property name="org.apache.ws.security.crypto.merlin.file">C:\ESB_HOME\repository\resources\security\cert1.pfx</ramp:property>
<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">123</ramp:property>
</ramp:crypto>
</ramp:encryptionCypto>
</ramp:RampartConfig>
创建代理服务后,我收到以下错误:
org.apache.synapse.SynapseException: Unexpected error during sending message out at org.apache.synapse.core.axis2.Axis2Sender.handleException(Axis2Sender.java:257) at org.apache.synapse.core.axis2.Axis2Sender.sendOn(Axis2Sender.java:84) at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.send(Axis2SynapseEnvironment.java:548) at org.apache.synapse.endpoints.AbstractEndpoint.send(AbstractEndpoint.java:382) at org.apache.synapse.endpoints.AddressEndpoint.send(AddressEndpoint.java:65) at org.apache.synapse.core.axis2.ProxyServiceMessageReceiver.receive(ProxyServiceMessageReceiver.java:231) at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180) at org.apache.synapse.transport.passthru.ServerWorker.processEntityEnclosingRequest(ServerWorker.java:403) at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:151) at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) Caused by: org.apache.axis2.AxisFault: Signature token missing at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:76) at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340) at org.apache.axis2.engine.Phase.invoke(Phase.java:313) at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261) at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:426) at org.apache.synapse.core.axis2.DynamicAxisOperation$DynamicOperationClient.send(DynamicAxisOperation.java:185) at org.apache.synapse.core.axis2.DynamicAxisOperation$DynamicOperationClient.executeImpl(DynamicAxisOperation.java:167) at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149) at org.apache.synapse.core.axis2.Axis2FlexibleMEPClient.send(Axis2FlexibleMEPClient.java:581) at org.apache.synapse.core.axis2.Axis2Sender.sendOn(Axis2Sender.java:78) ... 11 more Caused by: org.apache.rampart.RampartException: Signature token missing at org.apache.rampart.builder.SymmetricBindingBuilder.doSignBeforeEncrypt(SymmetricBindingBuilder.java:434) at org.apache.rampart.builder.SymmetricBindingBuilder.build(SymmetricBindingBuilder.java:86) at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:144) at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:65) ... 20 more
我该怎么做才能让它发挥作用?整个策略文件如下:
<wsp:Policy wsu:Id="WSHttpBinding_IBasicHttpService_policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl">
<wsp:ExactlyOne>
<wsp:All>
<sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:ProtectionToken>
<wsp:Policy>
<mssp:SslContextToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" xmlns:mssp="http://schemas.microsoft.com/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:RequireDerivedKeys/>
</wsp:Policy>
</mssp:SslContextToken>
</wsp:Policy>
</sp:ProtectionToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:EncryptSignature/>
<sp:OnlySignEntireHeadersAndBody/>
</wsp:Policy>
</sp:SymmetricBinding>
<sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssUsernameToken10/>
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SignedSupportingTokens>
<sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy/>
</sp:Wss11>
<sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportIssuedTokens/>
<sp:RequireClientEntropy/>
<sp:RequireServerEntropy/>
</wsp:Policy>
</sp:Trust10>
<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body />
<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
</sp:SignedParts>
<sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body />
</sp:EncryptedParts>
<wsaw:UsingAddressing/>
<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
<ramp:user>acc1</ramp:user>
<ramp:userCertAlias>BasicHttpAuthentication</ramp:userCertAlias>
<ramp:encryptionUser>acc1</ramp:encryptionUser>
<ramp:passwordCallbackClass>org.wso2.samples.pwcb.PWCBHandler</ramp:passwordCallbackClass>
<ramp:TimeToLive>360</ramp:TimeToLive>
<ramp:signatureCrypto>
<ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">pkcs12</ramp:property>
<ramp:property name="org.apache.ws.security.crypto.merlin.file">C:\ESB_HOME\repository\resources\security\cert1.pfx</ramp:property>
<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">123456</ramp:property>
</ramp:crypto>
</ramp:signatureCrypto>
<ramp:encryptionCypto>
<ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">pkcs12</ramp:property>
<ramp:property name="org.apache.ws.security.crypto.merlin.file">C:\ESB_HOME\repository\resources\security\cert1.pfx</ramp:property>
<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">123456</ramp:property>
</ramp:crypto>
</ramp:encryptionCypto>
</ramp:RampartConfig>
</wsp:All>
</wsp:ExactlyOne>
我想通了,似乎问题是使用SSLContextToken时出现问题,因为axis2不理解,所以我改变了wsHttpBinding,如下所示:
<security mode="Message">
<message clientCredentialType="None"
negotiateServiceCredential="false"
establishSecurityContext="false"/>
</security>
然后每件事情都很好。所以现在我必须找到一种新的身份验证方式,但至少邮件是通过我们的证书保护的。