Anonymous

Secure CXF web service with 2way SSL

Hi,
I've deployed a CXF web service into the Talend ESB container and I can access this service over SSL without any problems.
One of our clients wishes to secure this web service by using 2way SSL.
Is there a way to define (on container level) a separate keystore / truststore per CXF web service?
I've been looking at the chapter https://help.talend.com/search/all?query=HTTP+Conduit+OSGi+Configuration+Parameters&content-lang=en, but I am not sure whether this is the SSL configuration used to access the service or the one for the service to access 3rd party web services over SSL.
What I would like is to deploy a number of CXF web services and assign each of them a private keystore / truststore so I can define per web service trusted web service consumers.
Thanks in advance,
Robin
3 Replies
Anonymous

I misread the question; please disregard this post.
Anonymous

Hi Robin,
CXF is a framework, therefore you have the common configuration for services.
Just an idea: what about doing the authentication based on the client certificate (using a common keystore / truststore) and then doing the role-based authorization based on the assigned roles?
1. use Jetty:
define jetty.xml in your org.ops4j.pax.web.cfg file
org.ops4j.pax.web.config.file=${karaf.base}/etc/jetty.xml
then add a new SSL listener (on a different port) for client authenticated SSL
http://67-23-9-112.static.slicehost.net/faq?s=400-Security&t=Client%20Certificates
2. We never exposed the ESB directly to the outside; there was always a kind of proxy/load balancer/... doing SSL offloading.
3. This just came to my mind: you can check the client certificate on the CXF HTTP conduit, however I've never done it on the server side.
Spring http conduit configuration
<!--
  optional settings to ensure client side security
  that the client connects to the right web service endpoint
-->
<sec:certConstraints>
  <sec:SubjectDNConstraints>
    <sec:RegularExpression>CN=\*\.myorg\.be,O=Vlaamse,L=Brussel,ST=Brabant,C=BE</sec:RegularExpression>
  </sec:SubjectDNConstraints>
</sec:certConstraints>

Best regards
Gabriel
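An added example, not part of the original posts and not Talend or CXF project code: one way to do the per-service check discussed above with a single shared truststore is a CXF in-interceptor that compares the client certificate's subject DN against a regular expression configured for that endpoint. The class name `ClientCertSubjectInterceptor` is hypothetical; it assumes TLS terminates in the container (not at an offloading proxy) and that the HTTPS listener requests client certificates.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.regex.Pattern;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.security.AccessDeniedException;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.transport.TLSSessionInfo;

/** Hypothetical per-endpoint authorization on the TLS client certificate subject. */
public class ClientCertSubjectInterceptor extends AbstractPhaseInterceptor<Message> {

    private final Pattern allowedSubject;

    /** @param allowedSubjectRegex regex the whole subject DN (RFC 2253 form) must match */
    public ClientCertSubjectInterceptor(String allowedSubjectRegex) {
        super(Phase.RECEIVE); // run before the payload is read
        this.allowedSubject = Pattern.compile(allowedSubjectRegex);
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        // CXF attaches TLS session details to the inbound message for HTTPS requests.
        TLSSessionInfo tls = message.get(TLSSessionInfo.class);
        Certificate[] chain = (tls == null) ? null : tls.getPeerCertificates();

        // Fail closed: no TLS, no client certificate, or a non-X.509 certificate.
        if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            throw new AccessDeniedException("Client certificate required");
        }

        // chain[0] is the client's own certificate; the rest are its issuers.
        String subject = ((X509Certificate) chain[0]).getSubjectX500Principal().getName();

        // matches() anchors the regex to the full DN, so a DN that merely
        // contains an allowed value as a substring is rejected.
        if (!allowedSubject.matcher(subject).matches()) {
            throw new AccessDeniedException("Client certificate not authorized for this service");
        }
    }
}
```

Register one instance per endpoint in that endpoint's in-interceptor list, each with its own regex. The truststore still decides which issuers are accepted at the TLS layer; this check only narrows which of those trusted clients may call a given service.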
Anonymous

Thanks Gabriel for your answer anyway; it gave me some new ideas to solve this issue.