Doorgaan naar hoofdcontent

Cordys BOP4 and SSL be aware

Introduction

In one of my previous Blog item about Cordys BOP4, I described how Apache WebServer and Cordys BOP must be configured for using secure two-way-SSL.
I discovered some behavior of this set-up which i want to share in this blog.


Behavior

When you configure two-way-SSL in Apache Webserver, the client certificate is used by the Apache WebServer to check whether this client may access the WebServer.
However this certificate is also used by Cordys BOP4 for the identification of the User within BOP4.
For this you have to configure a User that has the client certificate attached to it.

* Goto User Manager > Users Roles
* Select a User, Right click Edit
* Select as Authentication Type: Certificate
* Click Use Certificate and import the public certificate of the client (X.501 compliant)


When you sent a soap message to the platform you must NOT use wsse:Security tags in the soap header anymore
  

      
         
            Roger
            Password
         
      
   

When you do this you will get the following error:

   
   
   
      
         ns0:Client
         Not a valid user.
         
            
               
                  Cordys.ESBServer.Messages.invalidUser
               
            
            com.eibus.security.identity.InvalidIdentityException: Failed to determine identity: Could not determine identity, found multiple identities in the SOAP message
    at com.eibus.security.identity.UserIdentityFactory.determineIdentity(UserIdentityFactory.java:80)
    at com.eibus.soap.Processor._determineIdentity(Processor.java:1608)
    at com.eibus.soap.SOAPTransaction.<init>(SOAPTransaction.java:312)
    at com.eibus.soap.SOAPTransaction.<init>(SOAPTransaction.java:175)
    at com.eibus.soap.Processor.onReceive(Processor.java:956)
    at com.eibus.soap.Processor.onReceive(Processor.java:929)
    at com.eibus.connector.nom.Connector.onReceive(Connector.java:417)
    at com.eibus.transport.Middleware$NonTransactionalWorkerThreadBody.run(Middleware.java:1722)
    at com.eibus.util.threadpool.WorkerThread.run(WorkerThread.java:64)
Caused by: com.eibus.security.identity.IdentityCreationException: Could not determine identity, found multiple identities in the SOAP message
    at com.eibus.security.identity.UserIdentityFactory.determineIdentity(UserIdentityFactory.java:66)
    ... 8 more
         
      
   


Conclusion

A client certificate with two-way-SSL is also used by Cordys for identifying the logical User within BOP4.
This means that if you want a client server to have several different users, with different roles, use Cordys, the server must also have different client certificates.

I would expect that the client certificate was only used for server authentication and that the WS-Security tags were used to authenticate the logical user.

Reacties

Populaire posts van deze blog

OSB 10gR3 and SWA and MTOM

This blog is about using soap with attachments and the use of MTOM within the OSB (10gR3). A service is created that accepts a soap with attachment (DocumentService) and translates it to a service that accepts a binary element. MTOM is used for performance reasons for the second. Some notes: * For the use of attachments you need RPC-style document instead of the usual document-style. This due to the fact that the document-style limits a message to a single . * A service can not have both SWA and MTOM within OSB. First a WSDL is setup for the DocumentService: The $attachments variable holds the attachments and the body holds the attachment data. Also other data is stored within the attachment element (see h...

Microservices mindmap

"The tree" - See also   my photo page When you are fairly new within the Microservices land, there are a lot of terms fired at you. So also for my own understanding i have made a mindmap. I think it has a good status now, so that i can share it with you. As always feedback is very welcome ! You can download the mindmap here .

Book review: Data Management at Scale (Piethein Strengholt)

 This blog is a review of the book "Data Management at Scale (See also at bol.com ) Data Management is a hot topic nowadays and this book does a fantastic job at adding value to this topic. It is a must read and one of the few technical books I finished reading in a weekend. The book gives a fantastic overview on how to implement a Data Mesh data architecture. The Data Mesh concept is explained by Martin Fowler here . The book is a good mix between conceptual and implementation architecture level. It gives a lot of examples of how this architecture at scale can work, for both small and big companies. It is practical and I used it to implement it at one of my customers. The book describes an architecture in which the focus is on the DIAL (Data- and Integration Access Layer).  On a high level the book covers the following topics: The key principles for data management at scale - Domain-Driven Design  - Domain Data Stores - Meta data management Ready Data Store The concept ...