Before moving on to the SoapUI tutorial, I will give some insight into ESB proxy services. There are various ways WSO2 ESB can be used to cater to security requirements. The following are two common patterns for securing a service using ESB proxy services.
1. Expose an unsecured backend service through a secured ESB proxy
Here, the proxy service receives secured requests from users, but the backend service does not use WS-Security. Hence, we instruct the ESB to remove the wsse:Security header from the outgoing message before it is forwarded to the backend. When the proxy service receives the response from the backend, it adds the security headers and passes the response back to the user. Note that the hop from the ESB to the backend carries the plain message, so it belongs on a trusted network or on a TLS-protected endpoint.
Refer to the following link for a sample demo.
https://docs.wso2.com/display/ESB481/Sample+200%3A+Using+WS-Security+with+policy+attachments+for+proxy+services
2. Expose a secured backend service as an unsecured service
Here, the ESB proxy service receives requests without WS-Security from the users, but the backend service is secured with WS-Security. Hence, we instruct the proxy service to add the security tokens required by the backend's policy to the outgoing message. When the proxy service receives the response, it removes the security headers and passes the response back to the user. In this pattern the ESB holds the credentials for the backend, so access to the unsecured proxy itself must be restricted (transport-level authentication or network controls), otherwise anyone who can reach the proxy can reach the secured service.
Refer to the following link for a sample demo.
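The two patterns expressed as WSO2 ESB (Synapse) proxy configurations, as an added example that is not part of the original post. The proxy names, backend URIs, ports and the policy key/file path are placeholders chosen for illustration; the policy file referenced by the local entry would be whichever WS-Security policy you want enforced.

```xml
<!-- Added example, not from the original post. Proxy names, URIs, ports and
     the policy key/path are placeholders. -->
<definitions xmlns="http://ws.apache.org/ns/synapse">

  <!-- The WS-Security policy (e.g. a sign-and-encrypt policy) registered as a
       local entry so both proxies can reference it by key. -->
  <localEntry key="sec_policy" src="file:repository/samples/resources/policy/policy_3.xml"/>

  <!-- Pattern 1: secured proxy in front of an unsecured backend.
       <enableSec/> together with <policy/> makes the ESB enforce the policy on
       inbound requests and apply it to outbound responses. The wsse:Security
       header is stripped before the message is sent to the plain backend. -->
  <proxy name="SecuredHelloProxy" transports="https">
    <target>
      <inSequence>
        <header xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                name="wsse:Security" action="remove"/>
        <send>
          <endpoint>
            <!-- placeholder: HelloService on a local Application Server -->
            <address uri="http://localhost:9764/services/HelloService"/>
          </endpoint>
        </send>
      </inSequence>
      <outSequence>
        <send/>
      </outSequence>
    </target>
    <policy key="sec_policy"/>
    <enableSec/>
  </proxy>

  <!-- Pattern 2: unsecured proxy in front of a secured backend.
       The policy is attached to the endpoint, so the ESB adds the required
       tokens on the way out; the wsse:Security header on the backend's
       response is removed before the response goes back to the caller. -->
  <proxy name="PlainHelloProxy" transports="http https">
    <target>
      <inSequence>
        <send>
          <endpoint>
            <!-- placeholder: a WS-Security protected backend -->
            <address uri="https://localhost:9443/services/SecuredHelloService">
              <enableSec policy="sec_policy"/>
            </address>
          </endpoint>
        </send>
      </inSequence>
      <outSequence>
        <header xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                name="wsse:Security" action="remove"/>
        <send/>
      </outSequence>
    </target>
  </proxy>
</definitions>
```

The management console steps later in this post generate the equivalent of the first proxy for you; the generated configuration references the chosen policy from the registry instead of a local entry, but the `<policy/>` and `<enableSec/>` elements are the same.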
There are various security policies predefined in the ESB, and you can define your own security policy as well.
In this blog post, I will discuss how to expose an unsecured backend service through a secured ESB proxy that uses Policy 5 - Sign and Encrypt - X509 Authentication.
Here, I am using the following.
- WSO2 ESB 4.8.1
- Soap UI 4.6.4
- WSO2 AS 5.2.1 (optional)
Step 1: Deploy the backend service.
Here, I use the Hello Service, a sample service deployed in WSO2 Application Server. You can use your own service. The Hello Service looks as follows. You can try the service out and view its WSDL from the WSO2 Application Server management console.
Step 2: Creating a secured Proxy Service in WSO2 ESB
1. Log in to the ESB management console.
2. Go to Services -> Add -> Proxy Service.
3. Select Pass Through Proxy (you can go with Secure Proxy as well).
4. Fill in the required details on the Proxy Service Settings page and click Create.
5. Now the proxy service is created, but it is not yet secured. To apply a security policy, click Security under Quality of Service Configuration.
6. Select the policy mentioned above, Policy 5 - Sign and Encrypt - X509 Authentication.
7. Tick the default trusted key store and click Finish.
Now, we have created a secured Proxy service.
Step 3: Creating a secured Soap UI Client
1. Create a new SoapUI project: go to File -> New SOAP Project and give the WSDL URL of the proxy service. I name the project "Hello".
2. Right-click the project name (Hello) -> Show Project View -> go to the WS-Security Configurations tab.
3. First, we add a keystore. Go to the Keystores tab and click Add.
4. Select a keystore file ($ESB_HOME/repository/resources/security/wso2carbon.jks).
5. Specify the password for the keystore file as wso2carbon.
6. Give the Default Alias and Alias Password both as wso2carbon. (Reusing the ESB's own keystore and default password is fine for a demo; in a real deployment the client has its own key pair, its keystore holds the ESB's certificate for encryption, and the ESB's trust store holds the client's certificate.)
7. Now go to the Outgoing WS-Security Configurations tab and click Add.
8. Give a name for the outgoing WS-Security configuration. I use "SAML2.0_Outgoing".
9. Give the Default Username and Default Password as wso2carbon.
10. Tick the Must Understand check box (this sets mustUnderstand="1" on the wsse:Security header, so a receiver that cannot process it must fault rather than ignore it).
11. Next, we add the WSS entries. Click the add button in the panel below the Outgoing WS-Security Configurations tab.
12. Select the WSS entry Timestamp from the drop-down list and give a Time To Live value (e.g. 30000).
13. Likewise, click the add button again and add SAML (Form) from the drop-down list. (SAML (XML) is used to paste in SAML assertions that cannot be generated with SAML (Form).)
14. Configure the below information in the SAML form
- SAML Version - 2.0
- Tick the Signed check box
- Assertion Type - Authentication
- Confirmation Method - Sender vouches
- Keystore - wso2carbon.jks
- Alias - wso2carbon
- Password - wso2carbon
- Issuer - Issuer
- Subject Name - Subject
- Subject Qualifier - Qualifier
- Digest Algorithm - SHA1
- Signature Algorithm - SHA1 (SHA-1 is weak and should be avoided in new deployments, but the choice has to match the algorithm suite of the ESB policy: the standard Basic256 suite uses SHA-1 digests, while Basic256Sha256 uses SHA-256)
15. Next, we will add another WSS Entry - Encryption similarly by clicking on the add button.
16. Configure the below information for Encryption.
- Keystore - wso2carbon.jks
- Alias - wso2carbon
- Password - wso2carbon
- Key Identifier Type - X509 Certificate
- Tick the Create Encrypted Key check box
- Parts - This specifies which parts of the message to encrypt. If no part is added, the whole outgoing message is encrypted. Here, we encrypt only the body of the SOAP request.
- ID - Body
- Name - Body
- Namespace - http://schemas.xmlsoap.org/soap/envelope/ (this is the SOAP 1.1 envelope namespace; for a SOAP 1.2 service use http://www.w3.org/2003/05/soap-envelope)
- Encode - Content (only the children of Body are encrypted and the Body element itself stays in the clear, which is what WS-Security requires for the SOAP Body)
- Keep the other fields unchanged
Now we are done configuring signing and encryption of the outgoing SOAP message. Let's configure the Incoming WS-Security Configurations to decrypt the incoming SOAP response and verify its signature.
17. Go to the Incoming WS-Security Configurations tab and click on Add button.
18. Give a unique name to the new Incoming WS-Security Configuration. I gave it "Incoming"
19. Select wso2carbon.jks for both the Decrypt Keystore and the Signature Keystore.
20. Enter the Password as - wso2carbon
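The shape of the request envelope that the outgoing configuration above makes SoapUI send, as an added illustration that is not output captured from the original tutorial: a Timestamp, a signed sender-vouches SAML 2.0 assertion, an EncryptedKey carrying the symmetric key wrapped for the wso2carbon certificate (identified by an X509 key identifier), and an EncryptedData that replaces the contents of the Body. The Ids, dates, algorithm URIs and the elided base64 values are placeholders; real output differs in detail with the SoapUI and WSS4J versions.

```xml
<!-- Added illustration, not captured from the original tutorial. Ids, dates,
     algorithm URIs and the "..." base64 values are placeholders. -->
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <soapenv:Header>
    <!-- "Must Understand" ticked: a receiver that cannot process this header must fault -->
    <wsse:Security soapenv:mustUnderstand="1">

      <!-- WSS entry "Timestamp": the receiver rejects the message after Expires -->
      <wsu:Timestamp wsu:Id="TS-1">
        <wsu:Created>2014-05-01T10:00:00.000Z</wsu:Created>
        <wsu:Expires>2014-05-01T18:20:00.000Z</wsu:Expires>
      </wsu:Timestamp>

      <!-- WSS entry "SAML (Form)": SAML 2.0 authentication assertion, sender-vouches,
           enveloped signature made with the wso2carbon private key. Issuer, Subject
           and Qualifier are the literal values typed into the form. -->
      <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
          ID="_assertion-1" Version="2.0" IssueInstant="2014-05-01T10:00:00.000Z">
        <saml2:Issuer>Issuer</saml2:Issuer>
        <ds:Signature>
          <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference URI="#_assertion-1">
              <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transforms>
              <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
              <ds:DigestValue>...</ds:DigestValue>
            </ds:Reference>
          </ds:SignedInfo>
          <ds:SignatureValue>...</ds:SignatureValue>
          <ds:KeyInfo><ds:X509Data><ds:X509Certificate>...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
        </ds:Signature>
        <saml2:Subject>
          <saml2:NameID NameQualifier="Qualifier">Subject</saml2:NameID>
          <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>
        </saml2:Subject>
        <saml2:AuthnStatement AuthnInstant="2014-05-01T10:00:00.000Z">
          <saml2:AuthnContext>
            <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
          </saml2:AuthnContext>
        </saml2:AuthnStatement>
      </saml2:Assertion>

      <!-- WSS entry "Encryption" with "Create Encrypted Key": a random symmetric key,
           wrapped with the public key of the certificate under alias wso2carbon.
           Key Identifier Type "X509 Certificate" places the certificate in the
           KeyIdentifier so the ESB can find the matching private key. -->
      <xenc:EncryptedKey Id="EK-1">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:KeyIdentifier
                EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">...</wsse:KeyIdentifier>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData><xenc:CipherValue>...</xenc:CipherValue></xenc:CipherData>
        <xenc:ReferenceList>
          <xenc:DataReference URI="#ED-1"/>
        </xenc:ReferenceList>
      </xenc:EncryptedKey>
    </wsse:Security>
  </soapenv:Header>

  <!-- "Parts" = Body / http://schemas.xmlsoap.org/soap/envelope/ / Content:
       only the children of Body are replaced by EncryptedData; the Body element
       itself stays in the clear so SOAP processing still works. -->
  <soapenv:Body>
    <xenc:EncryptedData Id="ED-1" Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <ds:KeyInfo>
        <wsse:SecurityTokenReference>
          <wsse:Reference URI="#EK-1"/>
        </wsse:SecurityTokenReference>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>...</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </soapenv:Body>
</soapenv:Envelope>
```

Two things worth checking against your own traffic: the EncryptedData must sit inside Body with Type "...#Content", not replace Body itself; and the 256-bit AES data encryption (aes256-cbc, from the Basic256 suite) is the reason the JCE unlimited strength policy files are needed in the SoapUI JRE, as described in the note at the end of this post. Because the demo uses the same wso2carbon.jks on both sides, the client encrypts to a certificate whose private key it also holds; with separate client and server keystores the client's keystore needs only the ESB's certificate for the encryption entry.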
Right. Now we are done with all the configurations. Let's invoke the proxy service.
Step 4: Invoking the secured Proxy Service
1. Go to the SOAP request and click the Auth button.
2. Select "SAML2.0_Outgoing" for Outgoing WSS and "Incoming" for Incoming WSS.
3. Run the request. You will see the decrypted response in the response pane.
If you go to the ESB and AS management consoles, you can also see statistics related to the requests.
NOTE:
When I first ran this request, I got the encrypted response instead of the decrypted response and I got an error as follows.
You can fix this by installing the JCE Unlimited Strength Jurisdiction Policy Files into the JVM that SoapUI runs on: the policy uses 256-bit AES, which the default restricted policy of Java 7 does not allow, so the response cannot be decrypted.
Steps:
1. Download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7 from the link below (SoapUI 4.6.4 ships with Java 7; the policy files are specific to the Java major version, so match them to the bundled JRE).
2. Go to Soap_home/jre/lib/security and back up the local_policy.jar file (e.g. as local_policy_back.jar).
3. Copy the zip file downloaded in step 1 into the security folder and extract it.
4. Copy the local_policy.jar file from the extracted folder into the Soap_home/jre/lib/security folder (the zip also contains US_export_policy.jar; Oracle's README says to replace both files).
5. Now run the request again. It should display the decrypted response. :)