topic Secure CXF web service with 2way SSL in Talend Studio

Secure CXF web service with 2way SSL

Anonymous — Sat, 16 Nov 2024 11:46:51 GMT

Hi,
I've deployed a CXF web service into the Talend ESB container and I can access this service over SSL without any problems.
One of our clients wishes to secure this web service by using 2way SSL.
Is there a way to define (on container level) a separate keystore / truststore per CXF web service?
I've been looking at chapter https://help.talend.com/search/all?query=HTTP+Conduit+OSGi+Configuration+Parameters&content-lang=en, but I am not sure if this is SSL configuration used to access to service or for the service to access 3rd party web services over SSL?
What I would like is to deploy a number of CXF web services and assign each of them a private keystore / truststore so I can define per web service trusted web service consumers.
Thanks in advance,
Robin

Re: Secure CXF web service with 2way SSL

Anonymous — Wed, 15 Jan 2014 16:03:27 GMT

I misread the question please disregard this post

Re: Secure CXF web service with 2way SSL

Anonymous — Wed, 15 Jan 2014 16:09:46 GMT

Hi Robin,
CXF is an framework, therefore you have the common configuration for services.
just an idea - what about do the authentication based on the client certificate (using a common keystore / truststore) and than do the role based authorization based on the assigned roles?
1. use Jetty:
define jetty.xml in your org.ops4j.pax.web.cfg file
org.ops4j.pax.web.config.file=${karaf.base}/etc/jetty.xml
then add a new SSL listener (on a different port) for client authenticated SSL
http://67-23-9-112.static.slicehost.net/faq?s=400-Security&t=Client%20Certificates
2. we never exposed ESB outside directly, there was always a kind of proxy/load balancer/... doing SSL offloading
3. now came to my mind - you can check the client certificate on the CXF HTTP conduit, however I've never done it on the server side

Spring http conduit configuration
             <!-- 
            optional settings to ensure client side security
            that the client connects to the right web service endpoint
            -->
            <sec:certConstraints>
                <sec:SubjectDNConstraints>
                    <sec:RegularExpression>CN=\*\.myorg\.be,O=Vlaamse,L=Brussel,ST=Brabant,C=BE</sec:RegularExpression>
                </sec:SubjectDNConstraints>
            </sec:certConstraints>

Best regards
Gabriel

Re: Secure CXF web service with 2way SSL

Anonymous — Thu, 16 Jan 2014 09:00:58 GMT

Thanks Gabriel for your answer anyway, gave me some new ideas to solve this issue.