Thaya's Blogger

Tuesday, February 18, 2014

How to set correct JDK

How to set correct JDK when multiple versions available in Linux

Method1

Sometime setting the PATH variable like below doesn't resolve the issue in some machines.

export PATH=$PATH:$JAVA_HOME/bin

Then try append the Java path before loading the rest of the PATH variables like below.

export PATH=$JAVA_HOME/bin:$PATH

Method2

You can choose between already available alternative java by entering the below command in ubuntu

$sudo update-alternatives --config java

You will be getting an output similar to below for a user selection.

There are 2 choices for the alternative java (providing /usr/bin/java).

Selection Path Priority Status
------------------------------------------------------------
0 /usr/lib/jvm/java-7-oracle/jre/bin/java 1 auto mode
1 /usr/lib/jvm/java-7-oracle/jre/bin/java 1 manual mode
* 2 /usr/lib/jvm/jdk1.6.0_45/bin/java 1 manual mode

Press enter to keep the current choice[*], or type selection number:

If you want to include a particular version of JDK use below command

sudo update-alternatives --install <link> <name> <path> <priority>

e.g.
$sudo update-alternatives --install "/usr/bin/java" "java" "/usr/lib/jvm/jdk1.6.0_45/bin/java" 1

Thursday, January 23, 2014

How to expose AdminServices

To list Admin Services and to use in WSO2 Product stack

To enable Admin services please navigate to $WSO2CARBON_HOME/repository/conf/carbon.xml

1. Set the HideAdminServiceWSDLs tag to false

<HideAdminServiceWSDLs>false</HideAdminServiceWSDLs>

2. Restart the server with -DosgiConsole option

e.g wso2server.sh -DosgiConsole

3. From the OSGI console type the below and enter

listAdminServices

4. You will get all the exposed admin services for your product

5. This can be invoked using soapUI or any tool of your choice for verification

https://<hostname>:<post>/services/<ServiceName>?wsdl

e.g. https://localhost:9443/services/HumanTaskClientAPIAdmin?wsdl

Thursday, December 5, 2013

HDFS Configuration

Guide to setup WSO2 SS for HDFS

Here we assume user is using the embedded LDAP shipped with the product being used for the setup. If the external LDAP needs to be configured in production environment then there should be additional configuration required in Kerberos side. Also this guide written for Linux environment in mind (Ubuntu to be precise)

Kerberos Configuration

1. To install Kerberos in Ubuntu environment

sudo apt-get install krb5-kdc krb5-admin-server

2. To configure the realms, edit the krb5.conf file (/etc/krb5.conf)

Take a back-up of original file. Please add only the below details.

[libdefaults]
        default_realm = WSO2.ORG
        default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
        default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
        permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
        allow_weak_crypto = true
        renew_lifetime = 10m
        ticket_lifetime = 10m


[realms]
        WSO2.ORG = {
                kdc = 127.0.0.1:8000
                admin_server = 1.1.1.1:9999
        }

[domain_realm]
        .wso2.org = WSO2.ORG
        wso2.org = WSO2.ORG

[login]
        krb4_convert = true
        krb4_get_tickets = false

Note: renew_lifetime, ticket_lifetime parameters should be set according to the requirement as these are the life time defined for the Tickets (TGT) generated from the client side. If you are using external LDAP then realms parameter should match with the external LDAP server settings.

The letter used on those parameters denotes as below. More information is available from the internet.

d - days
h - hours
m- minutes
s - seconds

3. Create keytab with service principles

To create a keytab with the below service principals we will be using the ktutil utility

admin/node0 - password: admin
host/node0 - password : node0

To cache a principle key from the ktutil prompt

ktutil: addent -password -p <your principle> -k 1 -e <encryption algo>

Write keytab for the service principle

ktutil : write_kt <keytab file name>

e.g.

user@hostname:~$ ktutil
ktutil:  addent -password -p admin/node0@WSO2.ORG -k 1 -e des-cbc-md5
Password for admin/node0@WSO2.ORG:<admin>

ktutil:  addent -password -p host/node0@WSO2.ORG -k 1 -e des-cbc-md5
Password for host/node0@WSO2.ORG:<node0>

ktutil:  wkt hdfs2.keytab

ktutil: quit

From the same disk location keytab file created with the name hdfs2.keytab.

Take a backup or rename the carbon.keytab file originally packed with the product.

$WSO2SS_HOME/repository/conf/etc/hadoop/keytabs

Please copy or move hdfs2.keytab file to the above location and rename as carbon.keytab

4. Setup WSO2 SS with directory service (Embedded LDAP) and KDC

Please note the below configurations already been added and enabled for the product. The user probably may not require to configure in the case of embedded LDAP.

A. To configure carbon.xml

$WSO2SS_HOME/repository/conf/carbon.xml

<EmbeddedLDAP>
 <!-- Port which embedded LDAP server runs -->
 <LDAPServerPort>10389</LDAPServerPort>
 <!-- Port which KDC (Kerberos Key Distribution Center) server runs -->
 <!--KDCServerPort>8000</KDCServerPort-->
 <KDCServerPort>8000</KDCServerPort>
</EmbeddedLDAP

B. Enable LDAP based user store and enable KDC for user and service principles

$WSO2SS_HOME/repository/conf/user-mgt.xml

<!-- Following user manager is used by Identity Server (IS) as its default user manager.
IS will do token replacement when building the product. Therefore do not change the syntax. 
If "kdcEnabled" parameter is true, IS will allow service principle management. 
Thus "ServicePasswordJavaRegEx", "ServiceNameJavaRegEx" properties control the service name 
format and service password formats. -->

<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
 <Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
 <Property name="defaultRealmName">WSO2.ORG</Property>
 <Property name="kdcEnabled">true</Property>
 <Property name="Disabled">false</Property>                                
 <Property name="ConnectionURL">ldap://localhost:${Ports.EmbeddedLDAP.LDAPServerPort}</Property>
 <Property name="ConnectionName">uid=admin,ou=system</Property>
 <Property name="ConnectionPassword">admin</Property>
 <Property name="passwordHashMethod">SHA</Property>
 <Property name="UserNameListFilter">(objectClass=person)</Property>
 <Property name="UserEntryObjectClass">identityPerson</Property>
 <Property name="UserSearchBase">ou=Users,dc=wso2,dc=org</Property>
 <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(uid=?))</Property>
 <Property name="UserNameAttribute">uid</Property>
 <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
 <Property name="ServicePasswordJavaRegEx">^[\\S]{5,30}$</Property>
 <Property name="ServiceNameJavaRegEx">^[\\S]{2,30}/[\\S]{2,30}$</Property>
 <Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
 <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
 <Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
 <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
 <Property name="ReadGroups">true</Property>
 <Property name="WriteGroups">true</Property>
 <Property name="EmptyRolesAllowed">true</Property>
 <Property name="GroupSearchBase">ou=Groups,dc=wso2,dc=org</Property>
 <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
 <Property name="GroupEntryObjectClass">groupOfNames</Property>
 <Property name="GroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=?))</Property>
 <Property name="GroupNameAttribute">cn</Property>
 <Property name="SharedGroupNameAttribute">cn</Property>
 <Property name="SharedGroupSearchBase">ou=SharedGroups,dc=wso2,dc=org</Property>
 <Property name="SharedGroupEntryObjectClass">groupOfNames</Property>
 <Property name="SharedGroupNameListFilter">(objectClass=groupOfNames)</Property>
 <Property name="SharedGroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=?))</Property>
 <Property name="SharedTenantNameListFilter">(objectClass=organizationalUnit)</Property>
 <Property name="SharedTenantNameAttribute">ou</Property>
 <Property name="SharedTenantObjectClass">organizationalUnit</Property>
 <Property name="MembershipAttribute">member</Property>
 <Property name="UserRolesCacheEnabled">true</Property>
 <Property name="UserDNPattern">uid={0},ou=Users,dc=wso2,dc=org</Property>
 <Property name="RoleDNPattern">cn={0},ou=Groups,dc=wso2,dc=org</Property>
 <Property name="SCIMEnabled">true</Property>
 <Property name="MaxRoleNameListLength">100</Property>
 <Property name="MaxUserNameListLength">100</Property>
</UserStoreManager>

C. Enable embedded LDAP in WSO2 Carbon

$WSO2SS_HOME/repository/conf/cembedded-ldap.xml

<EmbeddedLDAP>
    <Property name="enable">true</Property>
    <Property name="port">${Ports.EmbeddedLDAP.LDAPServerPort}</Property>
    <Property name="instanceId">default</Property>
    <Property name="connectionPassword">admin</Property>
    <Property name="workingDirectory">.</Property>
    <Property name="AdminEntryObjectClass">wso2Person</Property>
    <Property name="allowAnonymousAccess">false</Property>
    <Property name="accessControlEnabled">true</Property>
    <Property name="denormalizeOpAttrsEnabled">false</Property>
    <Property name="maxPDUSize">2000000</Property>
    <Property name="saslHostName">localhost</Property>
    <Property name="saslPrincipalName">ldap/localhost@EXAMPLE.COM</Property>
</EmbeddedLDAP>

5. Add service principle

Service principles are required for host (host/node0) and admin (admin/node0) services. These principles are used to authenticate system components such as name-node(s), job-tracker, data-nodes and task-trackers mutually.

In the wso2carbon.sh file, change the “Ddisable.hdfs.startup” property to false

$WSO2SS_HOME/bin/wso2server.sh

------
------

#To monitor a Carbon server in remote JMX mode on linux host machines, set the below system property.
#   -Djava.rmi.server.hostname="your.IP.goes.here"

while [ "$status" = "$START_EXIT_STATUS" ]
do
    $JAVACMD \
    -Xbootclasspath/a:"$CARBON_XBOOTCLASSPATH" \
    -Xms256m -Xmx1024m -XX:MaxPermSize=256m \
    -XX:+HeapDumpOnOutOfMemoryError \
    -XX:HeapDumpPath="$CARBON_HOME/repository/logs/heap-dump.hprof" \
    $JAVA_OPTS \
    -Dcom.sun.management.jmxremote \
    -classpath "$CARBON_CLASSPATH" \
    -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" \
    -Djava.io.tmpdir="$CARBON_HOME/tmp" \
    -Dcatalina.base="$CARBON_HOME/lib/tomcat" \
    -Dwso2.server.standalone=true \
    -Dcarbon.registry.root=/ \
    -Djava.command="$JAVACMD" \
    -Dcarbon.home="$CARBON_HOME" \
    -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager \
    -Dcarbon.config.dir.path="$CARBON_HOME/repository/conf" \
    -Djava.util.logging.config.file="$CARBON_HOME/repository/conf/etc/logging-bridge.properties" \
    -Dcomponents.repo="$CARBON_HOME/repository/components/plugins" \
    -Dconf.location="$CARBON_HOME/repository/conf"\
    -Dcom.atomikos.icatch.file="$CARBON_HOME/lib/transactions.properties" \
    -Dcom.atomikos.icatch.hide_init_file_path=true \
    -Dorg.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER=true \
    -Dcom.sun.jndi.ldap.connect.pool.authentication=simple  \
    -Dcom.sun.jndi.ldap.connect.pool.timeout=3000  \
    -Dorg.terracotta.quartz.skipUpdateCheck=true \
    -Djava.security.egd=file:/dev/./urandom \
    -Ddisable.hdfs.startup="false" \
    -Dfile.encoding=UTF8 \
    org.wso2.carbon.bootstrap.Bootstrap $*
    status=$?
done

Start the WSO2 Storage Server

WSO2SS_HOME/bin$sh wso2server.sh

Note: Ignore any errors at this point in time.

Access the Management Console configuration menu and create a new service principal for host/node0 with password node0.

6. Adding users and configure krb5PrincipalName of the embedded LDAP users

Install Apache Directory Studio or any other tools to connect to Embedded LDAP

Change the krb5PrincipalName of the admin user to admin/node0@WSO2.ORG in LDAP and update the password with the same value.

Adding Tenant Admin and Tenant users

Until the cache implementation please follow the below workaround to configure manually for tenant admin/users.

If tenant admin & users created also please create entries in the super tenant level as well.

i.e. Assume you created a tenant domain test.com, and admin as admin1. then logged in from tenant admin and created user tenant1. You will also need to log in as super tenant and create two users, admin1 and tenant1.

Then in the LDAP please go and change the krb5PrincipalName of the newly added entries as follows.

<username>_<Tenant domain>@WSO2.ORG

7. Start datanode of hadoop file system

Currently namenode will up with the server start-up however datanode will not be starting. This has to be done manually.

Restart the WSO2 SS.

WSO2SS_HOME/bin$sh wso2server.sh

In a separate terminal

WSO2SS_HOME$HADOOP_SECURE_DN_USER=<OS Level User> sudo -E bin/hadoop datanode

8. Generate KDC client Ticket (TGT) to authenticate using kinit utility

Currently this has to be done manually. However in future this will be handle within the product itself meaning if your log-in to the management console will automatically generate a ticket for his/her exclusive use internally. For now irrespective of the user permission level when a user login to the management console and browse HDFS File System using a TGT generated for super-tenant user will be able to manage the entire space.

In a separate terminal

To generate a TGT for super-admin

$ kinit admin/node0
Password for admin/node0@WSO2.ORG: <admin>

To generate a TGT for a tenant-user

$ kinit tenant1_test.com
Password for t1user1_test.com@WSO2.ORG:

To

list the ticket: $klist
Renew a ticket: $kinit -R
Delete/Destroy a ticket: $kdestroy

9. Access the HDFS File System

Login to the Management Console and navigate to Home > Manage > hadoop File System > HDFS Explorer

Here you can do the file system(fs) operations such as create dir, rename, upload file, etc. According to the user permission it will listing down the tree structure. If a super-admin user logged in the user should be able to see his own structure and all the tenant domains to do all the fs operations. If it is a tenant-admin then he can only be able to manage his/her domain space. However if it is a tenant user then he can manage what he/her owns.

10. To test the admin services

HDFS Admin Services

HDFSAdmin
HdfsFileUploadDownloader

Edit the HideAdminServiceWSDLs parameter and set it to false and restart the server.

WSO2SS_HOME/repository/conf/carbon.xml

<!-- If this parameter is set, the ?wsdl on an admin service will not give the admin service wsdl. -->
        <HideAdminServiceWSDLs>false</HideAdminServiceWSDLs>

You can access the admin service wsdls

https://localhost:9443/services/HDFSAdmin?wsdl

https://localhost:9443/services/HdfsFileUploadDownloader?wsdl

Now you can use soapUI or any other tool to validate admin service functionality as well.

Note: With the current implementation for the kerberos TGT generation this cannot be used. However with the caching implementation this can be use as well.

11. hadoop file system operations using a terminal

A. To format namenode

WSO2SS_HOME$bin/hadoop namenode -format

B. To format datanode

WSO2SS_HOME$bin/hadoop datanode -format

Warning: This might result in datanode may not start properly due to namespaceID. Whenever namenode is formatted it will generate a new ID which references in datanodes.

When encounter an issue while starting the datanode like java.io.IOException: Incompatible namespaceIDs the refer this blog.

C. hadoop shell commands (Ref 2)

e.g.

WSO2SS_HOME$bin/hadoop fs  -ls /user

References:

Basic Concepts of Kerberos

Basic Concepts of Kerberos

Long Term Key

The KDC stores a cryptographic key known only to the security principal and the KDC. This key is used in exchanges between the security principal and the KDC and is known as a long-term key.A user's long-term key is derived from a password. On the client side, the Kerberos client on the client side workstation accepts the client's password and then converts it to a cryptographic key by passing the text of the password through a one-way hashing function.
The KDC gets its copy of client's long-term key from the respective record in its account database. When it receives a request from the Kerberos client on client's workstation, the KDC searches its database for client, pulls up the releveant account record, and takes the long-term key from a field in the record associated with he account record..

Using the TGT
1. client makes a request to the KDC.
2. KDC responds by returning a session ticket for itself (TGT, a TGT contains a copy of the session key that the service uses to communicate with the client.), and a copy of the session key that the client can use in communicating with the KDC. The TGT is encrypted in the KDC's long-term key. The client's copy of the session key is encrypted in the user's long-term key.
3. When the client receives the KDC's reply to its initial request, it uses its cached copy of the user's long-term key to decrypt its copy of the session key. It can then discard the long-term key derived from the user's password, for it is no longer needed. In all subsequent exchanges with the KDC, the client uses the session key. Like any other session key, this key is temporary, valid only until the TGT expires or the user logs off. For that reason, it is called a logon session key .
4. Before it attempts to connect to a service, the client first checks its credentials cache for a session ticket to that service.
5. If it does not have one, it checks the cache again for a TGT.
6. If it finds a TGT, the client fetches the corresponding logon session key from the cache, uses this key to prepare an authenticator, and sends both the authenticator and the TGT to the KDC, along with a request for a session ticket for the service. In other words, gaining admission to the KDC is no different from gaining admission to any other service in the domain — it requires a session key, an authenticator, and a ticket (in this case, a TGT).
7. From the KDC's point of view, TGTs allow it to shave a few nanoseconds off the turnaround time for ticket requests. The KDC looks up the user's long-term key only once, when it grants an initial TGT. For all other exchanges with this client, the KDC can decrypt the TGT with its own long-term key, extract the logon session key, and use that to validate the client's authenticator.

Reference for Key generation and key usage of a system: http://technet.microsoft.com/en-us/library/cc961976.aspx

Please note the information is not written by myself. This was shared by WSO2 Developer. I'm just sharing here for those who interested about knowing the basics.

Monday, July 22, 2013

WSO2 ESB - Multi HTTPS

WSO2 ESB - Multi HTTPS

(1) Assign more IP addresses to a physical device.

We will be using three addresses to associate distinct SSL context with.

192.168.1.2
192.168.1.3
192.168.1.4

Add those addressed to an existing network interface (wlan0 in my case).

---
root@ubuntu:~# ip addr add 192.168.1.2/24 dev wlan0 label wlan0:0
root@ubuntu:~# ip addr add 192.168.1.3/24 dev wlan0 label wlan0:1
root@ubuntu:~# ip addr add 192.168.1.4/24 dev wlan0 label wlan0:2
root@ubuntu:~# ip addr show
2: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether c4:85:08:1a:91:8b brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.121/24 brd 192.168.1.255 scope global wlan0
    inet 192.168.1.2/24 scope global secondary wlan0:0
    inet 192.168.1.3/24 scope global secondary wlan0:0
    inet 192.168.1.4/24 scope global secondary wlan0:0
    inet6 fe80::c685:8ff:fe1a:918b/64 scope link
       valid_lft forever preferred_lft forever
---

(2) Add host entries to /etc/hosts

---
192.168.1.2 testhost1
192.168.1.3 testhost2
192.168.1.4 testhost3
---

Make sure all addresses respond to ping.

(2) Generate a SSL certificate for each IP address.

Certificate Details:
        Serial Number: 13642278243717938869 (0xbd531bc863d8feb5)
        Validity
            Not Before: Feb 12 14:05:20 2013 GMT
            Not After : Feb 12 14:05:20 2014 GMT
        Subject:
            countryName               = CH
            stateOrProvinceName       = ZH
            organizationName          = OK2C
            commonName                = testhost1
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                90:CD:AE:2D:8A:EA:0E:9A:5E:B1:9F:02:DB:38:CE:00:D1:64:E8:89
            X509v3 Authority Key Identifier:
                keyid:80:74:26:CE:27:3D:66:A3:83:1F:68:BA:2E:59:02:7D:B8:4E:95:42

            X509v3 Subject Alternative Name:
                email:root@testhost1

Certificate Details:
        Serial Number: 13642278243717938870 (0xbd531bc863d8feb6)
        Validity
            Not Before: Feb 12 14:08:07 2013 GMT
            Not After : Feb 12 14:08:07 2014 GMT
        Subject:
            countryName               = CH
            stateOrProvinceName       = ZH
            organizationName          = OK2C
            commonName                = testhost2
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                93:E5:04:83:86:6B:8E:D6:6F:61:A4:C1:F9:9D:EE:80:50:3A:89:43
            X509v3 Authority Key Identifier:
                keyid:80:74:26:CE:27:3D:66:A3:83:1F:68:BA:2E:59:02:7D:B8:4E:95:42

            X509v3 Subject Alternative Name:
                email:root@testhost2

Certificate Details:
        Serial Number: 13642278243717938871 (0xbd531bc863d8feb7)
        Validity
            Not Before: Feb 12 14:11:25 2013 GMT
            Not After : Feb 12 14:11:25 2014 GMT
        Subject:
            countryName               = CH
            stateOrProvinceName       = ZH
            organizationName          = OK2C
            commonName                = testhost3
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                2B:F3:01:94:AC:9A:0C:81:37:2C:7B:62:EC:0C:10:F8:99:17:20:56
            X509v3 Authority Key Identifier:
                keyid:80:74:26:CE:27:3D:66:A3:83:1F:68:BA:2E:59:02:7D:B8:4E:95:42

            X509v3 Subject Alternative Name:
                email:root@testhost3

(5) Store testhost key material in PKCS12 format.

(6) Generate a test user certificate to be used for client authentication with one of the test hosts.

Certificate Details:
        Serial Number: 13642278243717938872 (0xbd531bc863d8feb8)
        Validity
            Not Before: Feb 13 19:14:15 2013 GMT
            Not After : Feb 13 19:14:15 2014 GMT
        Subject:
            countryName               = CH
            stateOrProvinceName       = ZH
            organizationName          = OK2C
            commonName                = Test User
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                70:43:FD:C5:4B:AE:1A:C5:AC:41:3E:79:8B:71:3A:A3:BD:45:1B:D2
            X509v3 Authority Key Identifier:
                keyid:80:74:26:CE:27:3D:66:A3:83:1F:68:BA:2E:59:02:7D:B8:4E:95:42

            X509v3 Subject Alternative Name:
                email:testuser@testdomain

(7) Store test user key material in format recognizable by curl by concatenating private key and key certificate

---
cat testuser.key testuser.crt > testuser.curl
---

(9) Generate JKS trust store containing Test Root CA certificate.

(10) Configure Synapse to use multi-profile listener with three profiles.

Configure 192.168.1.2 and 192.168.1.3 to not require client authentication. Configure 192.168.1.4 to trust Test Root CA only and to require client authentication.

---
    <transportReceiver name="multi-https" class="org.apache.synapse.transport.nhttp.HttpCoreNIOMultiSSLListener">
        <parameter name="port">8343</parameter>
        <parameter name="non-blocking">true</parameter>
        <parameter name="SSLProfiles">
            <profile>
                <bindAddress>192.168.1.2</bindAddress>
                <KeyStore>
                    <Location>/home/oleg/src/wso2.com/multiple-ssl-profiles/CA/testhost1.p12</Location>
                    <Type>PKCS12</Type>
                    <Password>test</Password>
                    <KeyPassword>test</KeyPassword>
                </KeyStore>
            </profile>
            <profile>
                <bindAddress>192.168.1.3</bindAddress>
                <KeyStore>
                    <Location>/home/oleg/src/wso2.com/multiple-ssl-profiles/CA/testhost2.p12</Location>
                    <Type>PKCS12</Type>
                    <Password>test</Password>
                    <KeyPassword>test</KeyPassword>
                </KeyStore>
            </profile>
            <profile>
                <bindAddress>192.168.1.4</bindAddress>
                <KeyStore>
                    <Location>/home/oleg/src/wso2.com/multiple-ssl-profiles/CA/testhost3.p12</Location>
                    <Type>PKCS12</Type>
                    <Password>test</Password>
                    <KeyPassword>test</KeyPassword>
                </KeyStore>
                <TrustStore>
                    <Location>/home/oleg/src/wso2.com/multiple-ssl-profiles/CA/testtrust.jks</Location>
                    <Type>JKS</Type>
                    <Password>nopassword</Password>
                </TrustStore>
                <SSLVerifyClient>require</SSLVerifyClient>
            </profile>
        </parameter>
    </transportReceiver>
---

(11) Restart Synapse and make sure all SSL listener endpoints are properly configured and are active.

You should see the following INFO messages in the execution log

---
...
2013-02-14 11:24:08,794 [-] [main] INFO ListenerContextBuilder MULTI-HTTPS Loading Identity Keystore from : /home/oleg/src/wso2.com/multiple-ssl-profiles/CA/testhost1.p12
2013-02-14 11:24:08,947 [-] [main] INFO ListenerContextBuilder MULTI-HTTPS Subject DN: CN=testhost1, O=OK2C, ST=ZH, C=CH
2013-02-14 11:24:08,948 [-] [main] INFO ListenerContextBuilder MULTI-HTTPS Issuer DN: CN=Test CA Root, O=OK2C, ST=ZH, C=CH
2013-02-14 11:24:09,046 [-] [main] INFO ListenerContextBuilder MULTI-HTTPS Loading Identity Keystore from : /home/oleg/src/wso2.com/multiple-ssl-profiles/CA/testhost2.p12
2013-02-14 11:24:09,058 [-] [main] INFO ListenerContextBuilder MULTI-HTTPS Subject DN: CN=testhost2, O=OK2C, ST=ZH, C=CH
2013-02-14 11:24:09,059 [-] [main] INFO ListenerContextBuilder MULTI-HTTPS Issuer DN: CN=Test CA Root, O=OK2C, ST=ZH, C=CH
2013-02-14 11:24:09,063 [-] [main] INFO ListenerContextBuilder MULTI-HTTPS Loading Identity Keystore from : /home/oleg/src/wso2.com/multiple-ssl-profiles/CA/testhost3.p12
2013-02-14 11:24:09,083 [-] [main] INFO ListenerContextBuilder MULTI-HTTPS Subject DN: CN=testhost3, O=OK2C, ST=ZH, C=CH
2013-02-14 11:24:09,083 [-] [main] INFO ListenerContextBuilder MULTI-HTTPS Issuer DN: CN=Test CA Root, O=OK2C, ST=ZH, C=CH
2013-02-14 11:24:09,084 [-] [main] INFO ListenerContextBuilder MULTI-HTTPS Loading Trust Keystore from : /home/oleg/src/wso2.com/multiple-ssl-profiles/CA/testtrust.jks
...
2013-02-14 11:24:09,259 [-] [main] INFO HttpCoreNIOListener MULTI-HTTPS Listener started on testhost1:8343
2013-02-14 11:24:09,260 [-] [main] INFO HttpCoreNIOListener MULTI-HTTPS Listener started on testhost2:8343
2013-02-14 11:24:09,260 [-] [main] INFO HttpCoreNIOListener MULTI-HTTPS Listener started on testhost3:8343
---

(12) Prepare request message and store it in tmp.xml file.

---
<?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
      <wsa:To>http://localhost:9000/services/SimpleStockQuoteService</wsa:To>
      <wsa:MessageID>urn:uuid:18796751-bd3a-4c96-966a-e463b2dfc179</wsa:MessageID>
      <wsa:Action>urn:getQuote</wsa:Action>
    </soapenv:Header>
    <soapenv:Body>
      <m0:getQuote xmlns:m0="http://services.samples"><m0:request><m0:symbol>IBM</m0:symbol></m0:request></m0:getQuote>
   </soapenv:Body>
</soapenv:Envelope>
---

(12) Execute a request against non-SSL listener using curl to make all components work correctly. Ensure the response content is correct.

---
curl -X POST -H 'Content-Type: text/xml; charset=UTF-8' -H 'SOAPAction: "urn:getQuote"' -d @tmp.xml -v http://localhost:8280/
---

(13) Execute a request against testhost1 SSL listener using curl without appropriate trust material.

---
curl -X POST -H 'Content-Type: text/xml; charset=UTF-8' -H 'SOAPAction: "urn:getQuote"' -d @tmp.xml -v https://testhost1:8343/
---

Make sure connection is rejected by the client due to failure to verify server identity.

---
* About to connect() to testhost1 port 8343 (#0)
*   Trying 192.168.1.2...
* connected
* Connected to testhost1 (192.168.1.2) port 8343 (#0)
* successfully set certificate verify locations:
*   CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection #0
curl: (60) SSL certificate problem: unable to get local issuer certificate
---

(14) Execute a request against testhost1 SSL listener using curl with appropriate trust material.

---
curl -X POST -H 'Content-Type: text/xml; charset=UTF-8' -H 'SOAPAction: "urn:getQuote"' -d @tmp.xml --cacert CA/cacert.pem -v https://testhost1:8343/
---

Make sure the server's identity is correctly established and verified.

---
* About to connect() to testhost1 port 8343 (#0)
*   Trying 192.168.1.2...
* connected
* Connected to testhost1 (192.168.1.2) port 8343 (#0)
* successfully set certificate verify locations:
*   CAfile: CA/cacert.pem
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-DES-CBC3-SHA
* Server certificate:
*     subject: C=CH; ST=ZH; O=OK2C; CN=testhost1
*     start date: 2013-02
*     expire date: 2014-02
*     common name: testhost1 (matched)
*     issuer: C=CH; S
*     SSL certificate verify ok.
---

(15) Execute a request against testhost2 multi SSL listener using curl with appropriate trust material.

---
curl -X POST -H 'Content-Type: text/xml; charset=UTF-8' -H 'SOAPAction: "urn:getQuote"' -d @tmp.xml --cacert CA/cacert.pem -v https://testhost2:8343
---

Make sure the server's identity is correctly established and verified.

---
* About to connect() to testhost2 port 8343 (#0)
*   Trying 192.168.1.3...
* connected
* Connected to testhost2 (192.168.1.3) port 8343 (#0)
* successfully set certificate verify locations:
*   CAfile: CA/cacert.pem
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-DES-CBC3-SHA
* Server certificate:
*     subject: C=CH; ST=ZH; O=OK2C; CN=testhost2
*     start date: 2013-02
*     expire date: 2014-02
*     common name: testhost2 (matched)
*     issuer: C=CH; S
*     SSL certificate verify ok.
---

(16) Execute a request against testhost3 multi SSL listener using curl with appropriate trust material.

---
curl -X POST -H 'Content-Type: text/xml; charset=UTF-8' -H 'SOAPAction: "urn:getQuote"' -d @tmp.xml --cacert CA/cacert.pem -v https://testhost3:8343
---

Make sure the connection is rejected by the server due to the client failure to authenticate.

---
* About to connect() to testhost3 port 8343 (#0)
*   Trying 192.168.1.4...
* connected
* Connected to testhost3 (192.168.1.4) port 8343 (#0)
* successfully set certificate verify locations:
*   CAfile: CA/cacert.pem
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* Unknown SSL protocol error in connection to testhost3:8343
* Closing connection #0
---

(17) Execute a request against testhost3 multi SSL listener using curl with appropriate trust material and user private key.

---
curl -X POST -H 'Content-Type: text/xml; charset=UTF-8' -H 'SOAPAction: "urn:getQuote"' -d @tmp.xml --cacert CA/cacert.pem --cert CA/testuser.curl:test -v https://testhost3:8343
---

Make sure the server's identity is correctly established and verified.

---
* About to connect() to testhost3 port 8343 (#0)
*   Trying 192.168.1.4...
* connected
* Connected to testhost3 (192.168.1.4) port 8343 (#0)
* successfully set certificate verify locations:
*   CAfile: CA/cacert.pem
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS handshake, CERT verify (15):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-DES-CBC3-SHA
* Server certificate:
*     subject: C=CH; ST=ZH; O=OK2C; CN=testhost3
*     start date: 2013-02
*     expire date: 2014-02
*     common name: testhost3 (matched)
*     issuer: C=CH; S
*     SSL certificate verify ok.
---
Required artifacts can be downloaded from HERE

Thanks to the developer for sharing this information with me.

WSO2 ESB 4.7 HTTP Endpoint

WSO2 ESB 4.7 HTTP Endpoint

SOAP client to REST back-end service using HTTP End point

Step 1: Build "SimpleStockQuoteService" service and start "axis2Server"

$ESB_HOME\samples\axis2Server\src\SimpleStockQuoteService>ant
$ESB_HOME\samples\axis2Server>axis2server.sh (or .bat)

Step 2: Create a HTTP endpoint ((say, HTTPEndPoint)

<endpoint xmlns="http://ws.apache.org/ns/synapse" name="HTTPEndPoint">
   <http uri-template="https://localhost:9100/{uri.var.path}/{uri.var.name}" method="post">
      <suspendOnFailure>
         <progressionFactor>1.0</progressionFactor>
      </suspendOnFailure>
      <markForSuspension>
         <retriesBeforeSuspension>0</retriesBeforeSuspension>
         <retryDelay>0</retryDelay>
      </markForSuspension>
   </http>
</endpoint>

Step 3: Create a pass through proxy with the endpoint defined above(Say TestProxy)

<proxy xmlns="http://ws.apache.org/ns/synapse" name="TestProxy" transports="https,http" statistics="disable" trace="disable" startOnLoad="true">
   <target>
      <inSequence>
         <property name="uri.var.path" value="services"/>
         <property name="uri.var.name" value="SimpleStockQuoteService"/>
         <send>
            <endpoint key="HTTPEndPoint"/>
         </send>
      </inSequence>
      <outSequence>
         <send/>
      </outSequence>
   </target>
   <description></description>
</proxy>

Step 4: Place a client request from the AXIS2CLIENT folder ($ESB_HOME/samples/axis2Client)
e.g. ant stockquote -Dsymbol=IBM -Dmode=quote -Daddurl=http://localhost:8280/services/TestProxy

Note: TCPMon can be placed between Client & WSO2 ESB and WSO2 ESB & Back End Service to monitor the request and responses.

This is for HTTP Method 'POST' only. If you want to configure for rest of the methods such as GET|DELETE|PUT, etc change the HTTP method as appropriate.

<http uri-template="https://localhost:9100/{uri.var.path}/{uri.var.name}" method="get">

Also this can be invoked and verified for https as well. However due to encription TCPMon cannot be use for monitoring. Tools such as Wireshark with Fidler might be helpful for HTTPS traffic analysing.

HTTP GET

<endpoint xmlns="http://ws.apache.org/ns/synapse" name="HttpEpGET">
   <http uri-template="http://localhost:9765/jaxrs_basic/services/customers/customerservice/customers/{uri.var.id}" method="get">
      <suspendOnFailure>
         <progressionFactor>1.0</progressionFactor>
      </suspendOnFailure>
      <markForSuspension>
         <retriesBeforeSuspension>0</retriesBeforeSuspension>
         <retryDelay>0</retryDelay>
      </markForSuspension>
   </http>
</endpoint>

<proxy xmlns="http://ws.apache.org/ns/synapse" name="JAXRS" transports="https,http" statistics="disable" trace="disable" startOnLoad="true">
   <target>
      <inSequence>
         <property name="messageType" value="application/xml" scope="axis2"/>
         <property name="ContentType" value="application/xml" scope="axis2"/>
         <property name="uri.var.id" expression="$body/Customer/id"/>
         <log level="full"/>
         <log level="custom">
            <property name="ID" expression="get-property('uri.var.id')"/>
            <property name="$body" expression="$body/Customer/id"/>
         </log>
         <send>
            <endpoint key="HttpEpGET"/>
         </send>
      </inSequence>
      <outSequence>
         <send/>
      </outSequence>
   </target>
   <description></description>
</proxy>

HTTP DELETE

The above endpoint method can be set to 'delete' to test the DELETE method.

HTTP PUT

<endpoint xmlns="http://ws.apache.org/ns/synapse" name="HttpEpPUT">
   <http uri-template="http://localhost:9765/jaxrs_basic/services/customers/customerservice/{uri.var.service}" method="put">
      <suspendOnFailure>
         <progressionFactor>1.0</progressionFactor>
      </suspendOnFailure>
      <markForSuspension>
         <retriesBeforeSuspension>0</retriesBeforeSuspension>
         <retryDelay>0</retryDelay>
      </markForSuspension>
   </http>
</endpoint>

<proxy xmlns="http://ws.apache.org/ns/synapse" name="JAXRSPUT" transports="https,http" statistics="disable" trace="disable" startOnLoad="true">
   <target>
      <inSequence>
         <property name="messageType" value="application/xml" scope="axis2"/>
         <property name="ContentType" value="application/xml" scope="axis2"/>
         <property name="uri.var.service" value="customers"/>
         <log level="full"/>
         <send>
            <endpoint key="HttpEpPUT"/>
         </send>
      </inSequence>
      <outSequence>
         <send/>
      </outSequence>
   </target>
   <description></description>
</proxy>

HTTP POST

The above endpoint method can be set to 'post' to test the POST method.

References:
1. http://docs.wso2.org/wiki/display/ESB470/Using+REST+with+a+Proxy+Service
2. http://docs.wso2.org/wiki/display/AS501/JAX-RS+Basics