Thursday, December 5, 2013

HDFS Configuration

Guide to setup WSO2 SS for HDFS

Here we assume user is using the embedded LDAP shipped with the product being used for the setup. If the external LDAP needs to be configured in production environment then there should be additional configuration required in Kerberos side. Also this guide written for Linux environment in mind (Ubuntu to be precise)

Kerberos Configuration

1. To install Kerberos in Ubuntu environment

sudo apt-get install krb5-kdc krb5-admin-server

2. To configure the realms, edit the krb5.conf file (/etc/krb5.conf)


Take a back-up of original file. Please add only the below details.
[libdefaults]
        default_realm = WSO2.ORG
        default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
        default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
        permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
        allow_weak_crypto = true
        renew_lifetime = 10m
        ticket_lifetime = 10m


[realms]
        WSO2.ORG = {
                kdc = 127.0.0.1:8000
                admin_server = 1.1.1.1:9999
        }

[domain_realm]
        .wso2.org = WSO2.ORG
        wso2.org = WSO2.ORG

[login]
        krb4_convert = true
        krb4_get_tickets = false

Note: renew_lifetime, ticket_lifetime parameters should be set according to the requirement as these are the life time defined for the Tickets (TGT) generated from the client side. If you are using external LDAP then realms parameter should match with the external LDAP server settings.


The letter used on those parameters denotes as below. More information is available from the internet.

d - days
h - hours
m- minutes
s - seconds


3. Create keytab with service principles



To create a keytab with the below service principals we will be using the ktutil utility

  • admin/node0 - password: admin
  • host/node0 - password : node0

To cache a principle key from the ktutil prompt

ktutil: addent -password -p <your principle> -k 1 -e <encryption algo>


Write keytab for the service principle

ktutil : write_kt <keytab file name>
e.g.
user@hostname:~$ ktutil
ktutil:  addent -password -p admin/node0@WSO2.ORG -k 1 -e des-cbc-md5
Password for admin/node0@WSO2.ORG:<admin>

ktutil:  addent -password -p host/node0@WSO2.ORG -k 1 -e des-cbc-md5
Password for host/node0@WSO2.ORG:<node0>

ktutil:  wkt hdfs2.keytab

ktutil: quit

From the same disk location keytab file created with the name hdfs2.keytab.

Take a backup or rename the carbon.keytab file originally packed with the product.
$WSO2SS_HOME/repository/conf/etc/hadoop/keytabs

Please copy or move hdfs2.keytab file to the above location and rename as carbon.keytab


4. Setup WSO2 SS with directory service (Embedded LDAP) and KDC



Please note the below configurations already been added and enabled for the product. The user probably may not require to configure in the case of embedded LDAP.

A. To configure carbon.xml
$WSO2SS_HOME/repository/conf/carbon.xml
<EmbeddedLDAP>
 <!-- Port which embedded LDAP server runs -->
 <LDAPServerPort>10389</LDAPServerPort>
 <!-- Port which KDC (Kerberos Key Distribution Center) server runs -->
 <!--KDCServerPort>8000</KDCServerPort-->
 <KDCServerPort>8000</KDCServerPort>
</EmbeddedLDAP

B. Enable LDAP based user store and enable KDC for user and service principles

$WSO2SS_HOME/repository/conf/user-mgt.xml
<!-- Following user manager is used by Identity Server (IS) as its default user manager.
IS will do token replacement when building the product. Therefore do not change the syntax. 
If "kdcEnabled" parameter is true, IS will allow service principle management. 
Thus "ServicePasswordJavaRegEx", "ServiceNameJavaRegEx" properties control the service name 
format and service password formats. -->

<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
 <Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
 <Property name="defaultRealmName">WSO2.ORG</Property>
 <Property name="kdcEnabled">true</Property>
 <Property name="Disabled">false</Property>                                
 <Property name="ConnectionURL">ldap://localhost:${Ports.EmbeddedLDAP.LDAPServerPort}</Property>
 <Property name="ConnectionName">uid=admin,ou=system</Property>
 <Property name="ConnectionPassword">admin</Property>
 <Property name="passwordHashMethod">SHA</Property>
 <Property name="UserNameListFilter">(objectClass=person)</Property>
 <Property name="UserEntryObjectClass">identityPerson</Property>
 <Property name="UserSearchBase">ou=Users,dc=wso2,dc=org</Property>
 <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(uid=?))</Property>
 <Property name="UserNameAttribute">uid</Property>
 <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
 <Property name="ServicePasswordJavaRegEx">^[\\S]{5,30}$</Property>
 <Property name="ServiceNameJavaRegEx">^[\\S]{2,30}/[\\S]{2,30}$</Property>
 <Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
 <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
 <Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
 <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
 <Property name="ReadGroups">true</Property>
 <Property name="WriteGroups">true</Property>
 <Property name="EmptyRolesAllowed">true</Property>
 <Property name="GroupSearchBase">ou=Groups,dc=wso2,dc=org</Property>
 <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
 <Property name="GroupEntryObjectClass">groupOfNames</Property>
 <Property name="GroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=?))</Property>
 <Property name="GroupNameAttribute">cn</Property>
 <Property name="SharedGroupNameAttribute">cn</Property>
 <Property name="SharedGroupSearchBase">ou=SharedGroups,dc=wso2,dc=org</Property>
 <Property name="SharedGroupEntryObjectClass">groupOfNames</Property>
 <Property name="SharedGroupNameListFilter">(objectClass=groupOfNames)</Property>
 <Property name="SharedGroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=?))</Property>
 <Property name="SharedTenantNameListFilter">(objectClass=organizationalUnit)</Property>
 <Property name="SharedTenantNameAttribute">ou</Property>
 <Property name="SharedTenantObjectClass">organizationalUnit</Property>
 <Property name="MembershipAttribute">member</Property>
 <Property name="UserRolesCacheEnabled">true</Property>
 <Property name="UserDNPattern">uid={0},ou=Users,dc=wso2,dc=org</Property>
 <Property name="RoleDNPattern">cn={0},ou=Groups,dc=wso2,dc=org</Property>
 <Property name="SCIMEnabled">true</Property>
 <Property name="MaxRoleNameListLength">100</Property>
 <Property name="MaxUserNameListLength">100</Property>
</UserStoreManager>

C. Enable embedded LDAP in WSO2 Carbon

$WSO2SS_HOME/repository/conf/cembedded-ldap.xml
<EmbeddedLDAP>
    <Property name="enable">true</Property>
    <Property name="port">${Ports.EmbeddedLDAP.LDAPServerPort}</Property>
    <Property name="instanceId">default</Property>
    <Property name="connectionPassword">admin</Property>
    <Property name="workingDirectory">.</Property>
    <Property name="AdminEntryObjectClass">wso2Person</Property>
    <Property name="allowAnonymousAccess">false</Property>
    <Property name="accessControlEnabled">true</Property>
    <Property name="denormalizeOpAttrsEnabled">false</Property>
    <Property name="maxPDUSize">2000000</Property>
    <Property name="saslHostName">localhost</Property>
    <Property name="saslPrincipalName">ldap/localhost@EXAMPLE.COM</Property>
</EmbeddedLDAP>

5. Add service principle


Service principles are required for host (host/node0) and admin (admin/node0) services. These principles are used to authenticate system components such as name-node(s), job-tracker, data-nodes and task-trackers mutually.

In the wso2carbon.sh file, change the “Ddisable.hdfs.startup” property to false

$WSO2SS_HOME/bin/wso2server.sh
------
------

#To monitor a Carbon server in remote JMX mode on linux host machines, set the below system property.
#   -Djava.rmi.server.hostname="your.IP.goes.here"

while [ "$status" = "$START_EXIT_STATUS" ]
do
    $JAVACMD \
    -Xbootclasspath/a:"$CARBON_XBOOTCLASSPATH" \
    -Xms256m -Xmx1024m -XX:MaxPermSize=256m \
    -XX:+HeapDumpOnOutOfMemoryError \
    -XX:HeapDumpPath="$CARBON_HOME/repository/logs/heap-dump.hprof" \
    $JAVA_OPTS \
    -Dcom.sun.management.jmxremote \
    -classpath "$CARBON_CLASSPATH" \
    -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" \
    -Djava.io.tmpdir="$CARBON_HOME/tmp" \
    -Dcatalina.base="$CARBON_HOME/lib/tomcat" \
    -Dwso2.server.standalone=true \
    -Dcarbon.registry.root=/ \
    -Djava.command="$JAVACMD" \
    -Dcarbon.home="$CARBON_HOME" \
    -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager \
    -Dcarbon.config.dir.path="$CARBON_HOME/repository/conf" \
    -Djava.util.logging.config.file="$CARBON_HOME/repository/conf/etc/logging-bridge.properties" \
    -Dcomponents.repo="$CARBON_HOME/repository/components/plugins" \
    -Dconf.location="$CARBON_HOME/repository/conf"\
    -Dcom.atomikos.icatch.file="$CARBON_HOME/lib/transactions.properties" \
    -Dcom.atomikos.icatch.hide_init_file_path=true \
    -Dorg.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER=true \
    -Dcom.sun.jndi.ldap.connect.pool.authentication=simple  \
    -Dcom.sun.jndi.ldap.connect.pool.timeout=3000  \
    -Dorg.terracotta.quartz.skipUpdateCheck=true \
    -Djava.security.egd=file:/dev/./urandom \
    -Ddisable.hdfs.startup="false" \
    -Dfile.encoding=UTF8 \
    org.wso2.carbon.bootstrap.Bootstrap $*
    status=$?
done

Start the WSO2 Storage Server
WSO2SS_HOME/bin$sh wso2server.sh
Note: Ignore any errors at this point in time.

Access the Management Console configuration menu and create a new service principal for host/node0 with password node0.









6. Adding users and configure krb5PrincipalName of the embedded LDAP users

 

Install Apache Directory Studio or any other tools to connect to Embedded LDAP









































Change the krb5PrincipalName of the admin user to admin/node0@WSO2.ORG in LDAP and update the password with the same value.

























Adding Tenant Admin and Tenant users

Until the cache implementation please follow the below workaround to configure manually for tenant admin/users.

If tenant admin & users created also please create entries in the super tenant level as well.

i.e. Assume you created a tenant domain test.com, and admin as admin1. then logged in from tenant admin and created user tenant1. You will also need to log in as super tenant and create two users, admin1 and tenant1.

Then in the LDAP please go and change the krb5PrincipalName of the newly added entries as follows.

<username>_<Tenant domain>@WSO2.ORG

 7. Start datanode of hadoop file system

Currently namenode will up with the server start-up however datanode will not be starting. This has to be done manually.

Restart the WSO2 SS.
WSO2SS_HOME/bin$sh wso2server.sh

In a separate terminal

WSO2SS_HOME$HADOOP_SECURE_DN_USER=<OS Level User> sudo -E bin/hadoop datanode

8. Generate KDC client Ticket (TGT) to authenticate using kinit utility


Currently this has to be done manually. However in future this will be handle within the product itself meaning if your log-in to the management console will automatically generate a ticket for his/her exclusive use internally. For now irrespective of the user permission level when a user login to the management console and browse HDFS File System using a TGT generated for super-tenant user will be able to manage the entire space.

In a separate terminal

To generate a TGT for super-admin

$ kinit admin/node0
Password for admin/node0@WSO2.ORG: <admin>

To generate a TGT for a tenant-user

$ kinit tenant1_test.com
Password for t1user1_test.com@WSO2.ORG:

To
  • list the ticket: $klist
  • Renew a ticket: $kinit -R
  • Delete/Destroy a ticket: $kdestroy

9. Access the HDFS File System


Login to the Management Console and navigate to Home > Manage > hadoop File System > HDFS Explorer


Here you can do the file system(fs) operations such as create dir, rename, upload file, etc. According to the user permission it will listing down the tree structure. If a super-admin user logged in the user should be able to see his own structure and all the tenant domains to do all the fs operations. If it is a tenant-admin then he can only be able to manage his/her domain space. However if it is a tenant user then he can manage what he/her owns.






 











 







10. To test the admin services


HDFS Admin Services
    • HDFSAdmin
    • HdfsFileUploadDownloader
      Edit the HideAdminServiceWSDLs parameter and set it to false and restart the server.

      WSO2SS_HOME/repository/conf/carbon.xml
      <!-- If this parameter is set, the ?wsdl on an admin service will not give the admin service wsdl. -->
              <HideAdminServiceWSDLs>false</HideAdminServiceWSDLs>

       You can access the admin service wsdls

      Now you can use soapUI or any other tool to validate admin service functionality as well.

      Note: With the current implementation for the kerberos TGT generation this cannot be used. However with the caching implementation this can be use as well.

      11. hadoop file system operations using a terminal


      A. To format namenode

      WSO2SS_HOME$bin/hadoop namenode -format

      B. To format datanode

      WSO2SS_HOME$bin/hadoop datanode -format

      Warning: This might result in datanode may not start properly due to namespaceID. Whenever namenode is formatted it will generate a new ID which references in datanodes.

      When encounter an issue while starting the datanode like java.io.IOException: Incompatible namespaceIDs the refer this blog.


      C. hadoop shell commands (Ref 2)

      e.g.
      WSO2SS_HOME$bin/hadoop fs  -ls /user

      References:
        1. Basic concepts of Kerberos 
        2. hadoop


          Basic Concepts of Kerberos


                                            Basic Concepts of Kerberos

          Long Term Key 

          The KDC stores a cryptographic key known only to the security principal and the KDC. This key is used in exchanges between the security principal and the KDC and is known as a long-term key.A user's long-term key is derived from a password. On the client side, the Kerberos client on the client side workstation accepts the client's password and then converts it to a cryptographic key by passing the text of the password through a one-way hashing function.
          The KDC gets its copy of client's long-term key from the respective record in its account database. When it receives a request from the Kerberos client on client's workstation, the KDC searches its database for client, pulls up the releveant account record, and takes the long-term key from a field in the record associated with he account record..

          Using the TGT
          1. client makes a request to the KDC.
          2. KDC responds by returning a session ticket for itself (TGT, a TGT contains a copy of the session key that the service uses to communicate with the client.), and a copy of the session key that the client can use in communicating with the KDC. The TGT is encrypted in the KDC's long-term key. The client's copy of the session key is encrypted in the user's long-term key.
          3. When the client receives the KDC's reply to its initial request, it uses its cached copy of the user's long-term key to decrypt its copy of the session key. It can then discard the long-term key derived from the user's password, for it is no longer needed. In all subsequent exchanges with the KDC, the client uses the session key. Like any other session key, this key is temporary, valid only until the TGT expires or the user logs off. For that reason, it is called a logon session key .
          4.  Before it attempts to connect to a service, the client first checks its credentials cache for a session ticket to that service.
          5. If it does not have one, it checks the cache again for a TGT. 
          6. If it finds a TGT, the client fetches the corresponding logon session key from the cache, uses this key to prepare an authenticator, and sends both the authenticator and the TGT to the KDC, along with a request for a session ticket for the service. In other words, gaining admission to the KDC is no different from gaining admission to any other service in the domain — it requires a session key, an authenticator, and a ticket (in this case, a TGT).
          7. From the KDC's point of view, TGTs allow it to shave a few nanoseconds off the turnaround time for ticket requests. The KDC looks up the user's long-term key only once, when it grants an initial TGT. For all other exchanges with this client, the KDC can decrypt the TGT with its own long-term key, extract the logon session key, and use that to validate the client's authenticator.


          Reference for Key generation and key usage of a system: http://technet.microsoft.com/en-us/library/cc961976.aspx

          Please note the information is not written by myself. This was shared by WSO2 Developer. I'm just sharing here for those who interested about knowing the basics.

          Monday, July 22, 2013

          WSO2 ESB - Multi HTTPS

          WSO2 ESB - Multi HTTPS

          (1) Assign more IP addresses to a physical device.

          We will be using three addresses to associate distinct SSL context with.

          192.168.1.2
          192.168.1.3
          192.168.1.4

          Add those addressed to an existing network interface (wlan0 in my case).

          ---
          root@ubuntu:~# ip addr add 192.168.1.2/24 dev wlan0 label wlan0:0
          root@ubuntu:~# ip addr add 192.168.1.3/24 dev wlan0 label wlan0:1
          root@ubuntu:~# ip addr add 192.168.1.4/24 dev wlan0 label wlan0:2
          root@ubuntu:~# ip addr show
          2: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
              link/ether c4:85:08:1a:91:8b brd ff:ff:ff:ff:ff:ff
              inet 192.168.1.121/24 brd 192.168.1.255 scope global wlan0
              inet 192.168.1.2/24 scope global secondary wlan0:0
              inet 192.168.1.3/24 scope global secondary wlan0:0
              inet 192.168.1.4/24 scope global secondary wlan0:0
              inet6 fe80::c685:8ff:fe1a:918b/64 scope link
                 valid_lft forever preferred_lft forever
          ---

          (2) Add host entries to /etc/hosts

          ---
          192.168.1.2 testhost1
          192.168.1.3 testhost2
          192.168.1.4 testhost3
          ---

          Make sure all addresses respond to ping.

          (2) Generate a SSL certificate for each IP address.

          Certificate Details:
                  Serial Number: 13642278243717938869 (0xbd531bc863d8feb5)
                  Validity
                      Not Before: Feb 12 14:05:20 2013 GMT
                      Not After : Feb 12 14:05:20 2014 GMT
                  Subject:
                      countryName               = CH
                      stateOrProvinceName       = ZH
                      organizationName          = OK2C
                      commonName                = testhost1
                  X509v3 extensions:
                      X509v3 Basic Constraints:
                          CA:FALSE
                      X509v3 Subject Key Identifier:
                          90:CD:AE:2D:8A:EA:0E:9A:5E:B1:9F:02:DB:38:CE:00:D1:64:E8:89
                      X509v3 Authority Key Identifier:
                          keyid:80:74:26:CE:27:3D:66:A3:83:1F:68:BA:2E:59:02:7D:B8:4E:95:42

                      X509v3 Subject Alternative Name:
                          email:root@testhost1

          Certificate Details:
                  Serial Number: 13642278243717938870 (0xbd531bc863d8feb6)
                  Validity
                      Not Before: Feb 12 14:08:07 2013 GMT
                      Not After : Feb 12 14:08:07 2014 GMT
                  Subject:
                      countryName               = CH
                      stateOrProvinceName       = ZH
                      organizationName          = OK2C
                      commonName                = testhost2
                  X509v3 extensions:
                      X509v3 Basic Constraints:
                          CA:FALSE
                      X509v3 Subject Key Identifier:
                          93:E5:04:83:86:6B:8E:D6:6F:61:A4:C1:F9:9D:EE:80:50:3A:89:43
                      X509v3 Authority Key Identifier:
                          keyid:80:74:26:CE:27:3D:66:A3:83:1F:68:BA:2E:59:02:7D:B8:4E:95:42

                      X509v3 Subject Alternative Name:
                          email:root@testhost2

          Certificate Details:
                  Serial Number: 13642278243717938871 (0xbd531bc863d8feb7)
                  Validity
                      Not Before: Feb 12 14:11:25 2013 GMT
                      Not After : Feb 12 14:11:25 2014 GMT
                  Subject:
                      countryName               = CH
                      stateOrProvinceName       = ZH
                      organizationName          = OK2C
                      commonName                = testhost3
                  X509v3 extensions:
                      X509v3 Basic Constraints:
                          CA:FALSE
                      X509v3 Subject Key Identifier:
                          2B:F3:01:94:AC:9A:0C:81:37:2C:7B:62:EC:0C:10:F8:99:17:20:56
                      X509v3 Authority Key Identifier:
                          keyid:80:74:26:CE:27:3D:66:A3:83:1F:68:BA:2E:59:02:7D:B8:4E:95:42

                      X509v3 Subject Alternative Name:
                          email:root@testhost3

          (5) Store testhost key material in PKCS12 format.

          (6) Generate a test user certificate to be used for client authentication with one of the test hosts.

          Certificate Details:
                  Serial Number: 13642278243717938872 (0xbd531bc863d8feb8)
                  Validity
                      Not Before: Feb 13 19:14:15 2013 GMT
                      Not After : Feb 13 19:14:15 2014 GMT
                  Subject:
                      countryName               = CH
                      stateOrProvinceName       = ZH
                      organizationName          = OK2C
                      commonName                = Test User
                  X509v3 extensions:
                      X509v3 Basic Constraints:
                          CA:FALSE
                      X509v3 Subject Key Identifier:
                          70:43:FD:C5:4B:AE:1A:C5:AC:41:3E:79:8B:71:3A:A3:BD:45:1B:D2
                      X509v3 Authority Key Identifier:
                          keyid:80:74:26:CE:27:3D:66:A3:83:1F:68:BA:2E:59:02:7D:B8:4E:95:42

                      X509v3 Subject Alternative Name:
                          email:testuser@testdomain

          (7) Store test user key material in format recognizable by curl by concatenating private key and key certificate

          ---
          cat testuser.key testuser.crt > testuser.curl
          ---

          (9) Generate JKS trust store containing Test Root CA certificate.

          (10) Configure Synapse to use multi-profile listener with three profiles.

          Configure 192.168.1.2 and 192.168.1.3 to not require client authentication. Configure 192.168.1.4 to trust Test Root CA only and to require client authentication.

          ---
              <transportReceiver name="multi-https" class="org.apache.synapse.transport.nhttp.HttpCoreNIOMultiSSLListener">
                  <parameter name="port">8343</parameter>
                  <parameter name="non-blocking">true</parameter>
                  <parameter name="SSLProfiles">
                      <profile>
                          <bindAddress>192.168.1.2</bindAddress>
                          <KeyStore>
                              <Location>/home/oleg/src/wso2.com/multiple-ssl-profiles/CA/testhost1.p12</Location>
                              <Type>PKCS12</Type>
                              <Password>test</Password>
                              <KeyPassword>test</KeyPassword>
                          </KeyStore>
                      </profile>
                      <profile>
                          <bindAddress>192.168.1.3</bindAddress>
                          <KeyStore>
                              <Location>/home/oleg/src/wso2.com/multiple-ssl-profiles/CA/testhost2.p12</Location>
                              <Type>PKCS12</Type>
                              <Password>test</Password>
                              <KeyPassword>test</KeyPassword>
                          </KeyStore>
                      </profile>
                      <profile>
                          <bindAddress>192.168.1.4</bindAddress>
                          <KeyStore>
                              <Location>/home/oleg/src/wso2.com/multiple-ssl-profiles/CA/testhost3.p12</Location>
                              <Type>PKCS12</Type>
                              <Password>test</Password>
                              <KeyPassword>test</KeyPassword>
                          </KeyStore>
                          <TrustStore>
                              <Location>/home/oleg/src/wso2.com/multiple-ssl-profiles/CA/testtrust.jks</Location>
                              <Type>JKS</Type>
                              <Password>nopassword</Password>
                          </TrustStore>
                          <SSLVerifyClient>require</SSLVerifyClient>
                      </profile>
                  </parameter>
              </transportReceiver>
          ---

          (11) Restart Synapse and make sure all SSL listener endpoints are properly configured and are active.

          You should see the following INFO messages in the execution log

          ---
          ...
          2013-02-14 11:24:08,794 [-] [main]  INFO ListenerContextBuilder MULTI-HTTPS Loading Identity Keystore from : /home/oleg/src/wso2.com/multiple-ssl-profiles/CA/testhost1.p12
          2013-02-14 11:24:08,947 [-] [main]  INFO ListenerContextBuilder MULTI-HTTPS Subject DN: CN=testhost1, O=OK2C, ST=ZH, C=CH
          2013-02-14 11:24:08,948 [-] [main]  INFO ListenerContextBuilder MULTI-HTTPS Issuer DN: CN=Test CA Root, O=OK2C, ST=ZH, C=CH
          2013-02-14 11:24:09,046 [-] [main]  INFO ListenerContextBuilder MULTI-HTTPS Loading Identity Keystore from : /home/oleg/src/wso2.com/multiple-ssl-profiles/CA/testhost2.p12
          2013-02-14 11:24:09,058 [-] [main]  INFO ListenerContextBuilder MULTI-HTTPS Subject DN: CN=testhost2, O=OK2C, ST=ZH, C=CH
          2013-02-14 11:24:09,059 [-] [main]  INFO ListenerContextBuilder MULTI-HTTPS Issuer DN: CN=Test CA Root, O=OK2C, ST=ZH, C=CH
          2013-02-14 11:24:09,063 [-] [main]  INFO ListenerContextBuilder MULTI-HTTPS Loading Identity Keystore from : /home/oleg/src/wso2.com/multiple-ssl-profiles/CA/testhost3.p12
          2013-02-14 11:24:09,083 [-] [main]  INFO ListenerContextBuilder MULTI-HTTPS Subject DN: CN=testhost3, O=OK2C, ST=ZH, C=CH
          2013-02-14 11:24:09,083 [-] [main]  INFO ListenerContextBuilder MULTI-HTTPS Issuer DN: CN=Test CA Root, O=OK2C, ST=ZH, C=CH
          2013-02-14 11:24:09,084 [-] [main]  INFO ListenerContextBuilder MULTI-HTTPS Loading Trust Keystore from : /home/oleg/src/wso2.com/multiple-ssl-profiles/CA/testtrust.jks
          ...
          2013-02-14 11:24:09,259 [-] [main]  INFO HttpCoreNIOListener MULTI-HTTPS Listener started on testhost1:8343
          2013-02-14 11:24:09,260 [-] [main]  INFO HttpCoreNIOListener MULTI-HTTPS Listener started on testhost2:8343
          2013-02-14 11:24:09,260 [-] [main]  INFO HttpCoreNIOListener MULTI-HTTPS Listener started on testhost3:8343
          ---

          (12) Prepare request message and store it in tmp.xml file.

          ---
          <?xml version='1.0' encoding='UTF-8'?>
            <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
              <soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
                <wsa:To>http://localhost:9000/services/SimpleStockQuoteService</wsa:To>
                <wsa:MessageID>urn:uuid:18796751-bd3a-4c96-966a-e463b2dfc179</wsa:MessageID>
                <wsa:Action>urn:getQuote</wsa:Action>
              </soapenv:Header>
              <soapenv:Body>
                <m0:getQuote xmlns:m0="http://services.samples"><m0:request><m0:symbol>IBM</m0:symbol></m0:request></m0:getQuote>
             </soapenv:Body>
           </soapenv:Envelope>
          ---

          (12) Execute a request against non-SSL listener using curl to make all components work correctly. Ensure the response content is correct.

          ---
          curl -X POST -H 'Content-Type: text/xml; charset=UTF-8' -H 'SOAPAction: "urn:getQuote"' -d @tmp.xml -v http://localhost:8280/
          ---

          (13) Execute a request against testhost1 SSL listener using curl without appropriate trust material.

          ---
          curl -X POST -H 'Content-Type: text/xml; charset=UTF-8' -H 'SOAPAction: "urn:getQuote"' -d @tmp.xml -v https://testhost1:8343/
          ---

          Make sure connection is rejected by the client due to failure to verify server identity.

          ---
          * About to connect() to testhost1 port 8343 (#0)
          *   Trying 192.168.1.2...
          * connected
          * Connected to testhost1 (192.168.1.2) port 8343 (#0)
          * successfully set certificate verify locations:
          *   CAfile: none
            CApath: /etc/ssl/certs
          * SSLv3, TLS handshake, Client hello (1):
          * SSLv3, TLS handshake, Server hello (2):
          * SSLv3, TLS handshake, CERT (11):
          * SSLv3, TLS alert, Server hello (2):
          * SSL certificate problem: unable to get local issuer certificate
          * Closing connection #0
          curl: (60) SSL certificate problem: unable to get local issuer certificate
          ---

          (14) Execute a request against testhost1 SSL listener using curl with appropriate trust material.

          ---
          curl -X POST -H 'Content-Type: text/xml; charset=UTF-8' -H 'SOAPAction: "urn:getQuote"' -d @tmp.xml --cacert CA/cacert.pem -v https://testhost1:8343/
          ---

          Make sure the server's identity is correctly established and verified.

          ---
          * About to connect() to testhost1 port 8343 (#0)
          *   Trying 192.168.1.2...
          * connected
          * Connected to testhost1 (192.168.1.2) port 8343 (#0)
          * successfully set certificate verify locations:
          *   CAfile: CA/cacert.pem
            CApath: /etc/ssl/certs
          * SSLv3, TLS handshake, Client hello (1):
          * SSLv3, TLS handshake, Server hello (2):
          * SSLv3, TLS handshake, CERT (11):
          * SSLv3, TLS handshake, Server key exchange (12):
          * SSLv3, TLS handshake, Server finished (14):
          * SSLv3, TLS handshake, Client key exchange (16):
          * SSLv3, TLS change cipher, Client hello (1):
          * SSLv3, TLS handshake, Finished (20):
          * SSLv3, TLS change cipher, Client hello (1):
          * SSLv3, TLS handshake, Finished (20):
          * SSL connection using ECDHE-RSA-DES-CBC3-SHA
          * Server certificate:
          *      subject: C=CH; ST=ZH; O=OK2C; CN=testhost1
          *      start date: 2013-02
          *      expire date: 2014-02
          *      common name: testhost1 (matched)
          *      issuer: C=CH; S
          *      SSL certificate verify ok.
          ---

          (15) Execute a request against testhost2 multi SSL listener using curl with appropriate trust material.

          ---
          curl -X POST -H 'Content-Type: text/xml; charset=UTF-8' -H 'SOAPAction: "urn:getQuote"' -d @tmp.xml --cacert CA/cacert.pem -v https://testhost2:8343
          ---

          Make sure the server's identity is correctly established and verified.

          ---
          * About to connect() to testhost2 port 8343 (#0)
          *   Trying 192.168.1.3...
          * connected
          * Connected to testhost2 (192.168.1.3) port 8343 (#0)
          * successfully set certificate verify locations:
          *   CAfile: CA/cacert.pem
            CApath: /etc/ssl/certs
          * SSLv3, TLS handshake, Client hello (1):
          * SSLv3, TLS handshake, Server hello (2):
          * SSLv3, TLS handshake, CERT (11):
          * SSLv3, TLS handshake, Server key exchange (12):
          * SSLv3, TLS handshake, Server finished (14):
          * SSLv3, TLS handshake, Client key exchange (16):
          * SSLv3, TLS change cipher, Client hello (1):
          * SSLv3, TLS handshake, Finished (20):
          * SSLv3, TLS change cipher, Client hello (1):
          * SSLv3, TLS handshake, Finished (20):
          * SSL connection using ECDHE-RSA-DES-CBC3-SHA
          * Server certificate:
          *      subject: C=CH; ST=ZH; O=OK2C; CN=testhost2
          *      start date: 2013-02
          *      expire date: 2014-02
          *      common name: testhost2 (matched)
          *      issuer: C=CH; S
          *      SSL certificate verify ok.
          ---

          (16) Execute a request against testhost3 multi SSL listener using curl with appropriate trust material.

          ---
          curl -X POST -H 'Content-Type: text/xml; charset=UTF-8' -H 'SOAPAction: "urn:getQuote"' -d @tmp.xml --cacert CA/cacert.pem -v https://testhost3:8343
          ---

          Make sure the connection is rejected by the server due to the client failure to authenticate.

          ---
          * About to connect() to testhost3 port 8343 (#0)
          *   Trying 192.168.1.4...
          * connected
          * Connected to testhost3 (192.168.1.4) port 8343 (#0)
          * successfully set certificate verify locations:
          *   CAfile: CA/cacert.pem
            CApath: /etc/ssl/certs
          * SSLv3, TLS handshake, Client hello (1):
          * SSLv3, TLS handshake, Server hello (2):
          * SSLv3, TLS handshake, CERT (11):
          * SSLv3, TLS handshake, Server key exchange (12):
          * SSLv3, TLS handshake, Request CERT (13):
          * SSLv3, TLS handshake, Server finished (14):
          * SSLv3, TLS handshake, CERT (11):
          * SSLv3, TLS handshake, Client key exchange (16):
          * SSLv3, TLS change cipher, Client hello (1):
          * SSLv3, TLS handshake, Finished (20):
          * Unknown SSL protocol error in connection to testhost3:8343
          * Closing connection #0
          ---

          (17) Execute a request against testhost3 multi SSL listener using curl with appropriate trust material and user private key.

          ---
          curl -X POST -H 'Content-Type: text/xml; charset=UTF-8' -H 'SOAPAction: "urn:getQuote"' -d @tmp.xml --cacert CA/cacert.pem --cert CA/testuser.curl:test -v https://testhost3:8343
          ---

          Make sure the server's identity is correctly established and verified.

          ---
          * About to connect() to testhost3 port 8343 (#0)
          *   Trying 192.168.1.4...
          * connected
          * Connected to testhost3 (192.168.1.4) port 8343 (#0)
          * successfully set certificate verify locations:
          *   CAfile: CA/cacert.pem
            CApath: /etc/ssl/certs
          * SSLv3, TLS handshake, Client hello (1):
          * SSLv3, TLS handshake, Server hello (2):
          * SSLv3, TLS handshake, CERT (11):
          * SSLv3, TLS handshake, Server key exchange (12):
          * SSLv3, TLS handshake, Request CERT (13):
          * SSLv3, TLS handshake, Server finished (14):
          * SSLv3, TLS handshake, CERT (11):
          * SSLv3, TLS handshake, Client key exchange (16):
          * SSLv3, TLS handshake, CERT verify (15):
          * SSLv3, TLS change cipher, Client hello (1):
          * SSLv3, TLS handshake, Finished (20):
          * SSLv3, TLS change cipher, Client hello (1):
          * SSLv3, TLS handshake, Finished (20):
          * SSL connection using ECDHE-RSA-DES-CBC3-SHA
          * Server certificate:
          *      subject: C=CH; ST=ZH; O=OK2C; CN=testhost3
          *      start date: 2013-02
          *      expire date: 2014-02
          *      common name: testhost3 (matched)
          *      issuer: C=CH; S
          *      SSL certificate verify ok.
          ---
          Required artifacts can be downloaded from HERE

          Thanks to the developer for sharing this information with me.

          WSO2 ESB 4.7 HTTP Endpoint

          WSO2 ESB 4.7 HTTP Endpoint

          SOAP client to REST back-end service using HTTP End point

          Step 1: Build "SimpleStockQuoteService" service and start "axis2Server"

          $ESB_HOME\samples\axis2Server\src\SimpleStockQuoteService>ant
          $ESB_HOME\samples\axis2Server>axis2server.sh (or .bat)

          Step 2: Create a HTTP endpoint ((say, HTTPEndPoint)

          <endpoint xmlns="http://ws.apache.org/ns/synapse" name="HTTPEndPoint">
             <http uri-template="https://localhost:9100/{uri.var.path}/{uri.var.name}" method="post">
                <suspendOnFailure>
                   <progressionFactor>1.0</progressionFactor>
                </suspendOnFailure>
                <markForSuspension>
                   <retriesBeforeSuspension>0</retriesBeforeSuspension>
                   <retryDelay>0</retryDelay>
                </markForSuspension>
             </http>
          </endpoint>

          Step 3: Create a pass through proxy with the endpoint defined above(Say TestProxy)

          <proxy xmlns="http://ws.apache.org/ns/synapse" name="TestProxy" transports="https,http" statistics="disable" trace="disable" startOnLoad="true">
             <target>
                <inSequence>
                   <property name="uri.var.path" value="services"/>
                   <property name="uri.var.name" value="SimpleStockQuoteService"/>
                   <send>
                      <endpoint key="HTTPEndPoint"/>
                   </send>
                </inSequence>
                <outSequence>
                   <send/>
                </outSequence>
             </target>
             <description></description>
          </proxy>

          Step 4: Place a client request from the AXIS2CLIENT folder ($ESB_HOME/samples/axis2Client)
          e.g. ant stockquote -Dsymbol=IBM -Dmode=quote -Daddurl=http://localhost:8280/services/TestProxy

          Note: TCPMon can be placed between Client & WSO2 ESB and WSO2 ESB & Back End Service to monitor the request and responses.

          This is for HTTP Method 'POST' only. If you want to configure for rest of the methods such as GET|DELETE|PUT, etc change the HTTP method as appropriate.

          <http uri-template="https://localhost:9100/{uri.var.path}/{uri.var.name}" method="get">

          Also this can be invoked and verified for https as well. However due to encription TCPMon cannot be use for monitoring. Tools such as Wireshark with Fidler might be helpful for HTTPS traffic analysing.

          HTTP GET

          <endpoint xmlns="http://ws.apache.org/ns/synapse" name="HttpEpGET">
             <http uri-template="http://localhost:9765/jaxrs_basic/services/customers/customerservice/customers/{uri.var.id}" method="get">
                <suspendOnFailure>
                   <progressionFactor>1.0</progressionFactor>
                </suspendOnFailure>
                <markForSuspension>
                   <retriesBeforeSuspension>0</retriesBeforeSuspension>
                   <retryDelay>0</retryDelay>
                </markForSuspension>
             </http>
          </endpoint>

          <proxy xmlns="http://ws.apache.org/ns/synapse" name="JAXRS" transports="https,http" statistics="disable" trace="disable" startOnLoad="true">
             <target>
                <inSequence>
                   <property name="messageType" value="application/xml" scope="axis2"/>
                   <property name="ContentType" value="application/xml" scope="axis2"/>
                   <property name="uri.var.id" expression="$body/Customer/id"/>
                   <log level="full"/>
                   <log level="custom">
                      <property name="ID" expression="get-property('uri.var.id')"/>
                      <property name="$body" expression="$body/Customer/id"/>
                   </log>
                   <send>
                      <endpoint key="HttpEpGET"/>
                   </send>
                </inSequence>
                <outSequence>
                   <send/>
                </outSequence>
             </target>
             <description></description>
          </proxy>


          HTTP DELETE

          The above endpoint method can be set to 'delete' to test the DELETE method.

          HTTP PUT

          <endpoint xmlns="http://ws.apache.org/ns/synapse" name="HttpEpPUT">
             <http uri-template="http://localhost:9765/jaxrs_basic/services/customers/customerservice/{uri.var.service}" method="put">
                <suspendOnFailure>
                   <progressionFactor>1.0</progressionFactor>
                </suspendOnFailure>
                <markForSuspension>
                   <retriesBeforeSuspension>0</retriesBeforeSuspension>
                   <retryDelay>0</retryDelay>
                </markForSuspension>
             </http>
          </endpoint>

          <proxy xmlns="http://ws.apache.org/ns/synapse" name="JAXRSPUT" transports="https,http" statistics="disable" trace="disable" startOnLoad="true">
             <target>
                <inSequence>
                   <property name="messageType" value="application/xml" scope="axis2"/>
                   <property name="ContentType" value="application/xml" scope="axis2"/>
                   <property name="uri.var.service" value="customers"/>
                   <log level="full"/>
                   <send>
                      <endpoint key="HttpEpPUT"/>
                   </send>
                </inSequence>
                <outSequence>
                   <send/>
                </outSequence>
             </target>
             <description></description>
          </proxy>

          HTTP POST

           The above endpoint method can be set to 'post' to test the POST method.


          References:
          1. http://docs.wso2.org/wiki/display/ESB470/Using+REST+with+a+Proxy+Service
          2. http://docs.wso2.org/wiki/display/AS501/JAX-RS+Basics