IntroductionIn one of my previous Blog item about Cordys BOP4, I described how Apache WebServer and Cordys BOP must be configured for using secure two-way-SSL.
I discovered some behavior of this set-up which i want to share in this blog.
BehaviorWhen you configure two-way-SSL in Apache Webserver, the client certificate is used by the Apache WebServer to check whether this client may access the WebServer.
However this certificate is also used by Cordys BOP4 for the identification of the User within BOP4.
For this you have to configure a User that has the client certificate attached to it.
* Goto User Manager > Users Roles
* Select a User, Right click Edit
* Select as Authentication Type: Certificate
* Click Use Certificate and import the public certificate of the client (X.501 compliant)
When you sent a soap message to the platform you must NOT use wsse:Security tags in the soap header anymore
When you do this you will get the following error:
ns0:Client Not a valid user. Cordys.ESBServer.Messages.invalidUser com.eibus.security.identity.InvalidIdentityException: Failed to determine identity: Could not determine identity, found multiple identities in the SOAP message at com.eibus.security.identity.UserIdentityFactory.determineIdentity(UserIdentityFactory.java:80) at com.eibus.soap.Processor._determineIdentity(Processor.java:1608) at com.eibus.soap.SOAPTransaction.<init>(SOAPTransaction.java:312) at com.eibus.soap.SOAPTransaction.<init>(SOAPTransaction.java:175) at com.eibus.soap.Processor.onReceive(Processor.java:956) at com.eibus.soap.Processor.onReceive(Processor.java:929) at com.eibus.connector.nom.Connector.onReceive(Connector.java:417) at com.eibus.transport.Middleware$NonTransactionalWorkerThreadBody.run(Middleware.java:1722) at com.eibus.util.threadpool.WorkerThread.run(WorkerThread.java:64) Caused by: com.eibus.security.identity.IdentityCreationException: Could not determine identity, found multiple identities in the SOAP message at com.eibus.security.identity.UserIdentityFactory.determineIdentity(UserIdentityFactory.java:66) ... 8 more
ConclusionA client certificate with two-way-SSL is also used by Cordys for identifying the logical User within BOP4.
This means that if you want a client server to have several different users, with different roles, use Cordys, the server must also have different client certificates.
I would expect that the client certificate was only used for server authentication and that the WS-Security tags were used to authenticate the logical user.