(Special thanks goes to Sumedha Kodithuwakku @ wso2 support team)
In this post i will describe how to generate a custom certificate using keytool and use that certificate to secure a your web service and finally how to expose the secured web service using a proxy in wso2 ESB.
1. Generate a custom certificate.
Open a command prompt and use the keytool to generate a certificate. Here I use the CN as localhost since we use locally host web service(keep this in mind for later use). The rule of thumb is that CN should be matches to the hostname of the wsdl endpoint to resolve it by the ESB.
(Also using IP address as a CN would be a problematic so always stick to a host name rather than using an IP address.)
Use the following command to generate a certificate
keytool -genkey -alias localhost -keyalg RSA -keystore localhost.jks
*** When asked for the first and last name give the hostname which is localhost in our case.
Here you can use what ever name for -alias and - localhost.jks which is the alias of our certificate and name of the keystore if it newly create.
then export that certificate to a “.crt” file using command below.
keytool -export -alias localhost -file localhost.crt -keystore localhost.jks
2 Adding a keystore to web server (tomcat in our example)
Open the server.xml file in <tomcat-location>/conf/ folder and edit the <Connector port=”8443”tag as below.
<Connector port=”8443” protocol=”HTTP/1.1” SSLEnabled=”true”
maxThreads=”150” scheme=”https” secure=”true”
clientAuth=”false” sslProtocol=”TLS”
keystoreFile=”C:\keyStores\localhost.jks” keystorePass=”123456” />
Here we have added the keystore and the password we newly created.
3. Adding imported certificate to wso2 keystore and truststore.
Browse to <wso2-esb>\repository\resources\security folder. There is two keystore files namely “client-truststore.jks” and “wso2carbon.jks”. Use the below command to add the newly created and stored certificate (localhost.crt as our example in part 1 ) to these two keystore. Provide alias as the host name used as CN.
keytool -importcert -v -trustcacerts -file “localhost.crt” -alias localhost -keystore “wso2carbon.jks”
keytool -importcert -v -trustcacerts -file “localhost.crt” -alias localhost -keystore “client-truststore.jks
Since we are using localhost as our host we have update “HostnameVerifier" parameter in <wso2-esb>repository/conf/axis2.xml file to allow all hosts.
<parameter name=”HostnameVerifier”>AllowAll</parameter>
(This parameter can be found in <transportSender name=”https” tags.)
4. Create a proxy as normal and add the https://localhost:8443/<your-service>?wsdl file as normally do.
Resources :
[1] http://blog.facilelogin.com/2011/02/wso2-esb-invoking-web-service-via-https.html
[2] http://stackoverflow.com/questions/8443081/how-are-ssl-certificate-server-names-resolved-can-i-add-alternative-names-using/8444863#8444863
[3] http://stackoverflow.com/questions/19540289/how-to-fix-the-java-security-cert-certificateexception-no-subject-alternative?rq=1