Posted to users@camel.apache.org by RTernier <ry...@hotmail.com> on 2013/05/21 23:08:14 UTC

SSL : Server Certs and Client certificate passthrough

My camel app is running pretty well, however it's using our unsecured
webservice platform for development and PoC. I now need to change it so it
works with our server certificates (x509) and use client certificate
passthrough. We encrypt with the server cert. and use client certificates as
a lock/key pair to get access.

- Clients require the private key installed
- The Server camel is on (currently windows) requires the private key
installed.
- Client sends public key, Camel will accept it, and then re-attach/re-send
(find the key from a store) and pass that key onto the other end point.

I'm not sure how all this will play out though. My current dev environment
is on Windows, however this will be released onto a Linux box running
Apache.  

Some of the routes I have in Camel/Spring are a reverse-proxy, and it
requires the certificate to be re-attached, where others are a bit more
complex - I'm hoping to figure out how to do the reverse-proxy part first.

Are there any documents or papers on how this will work with Camel? Or any
hints?

Cheers.





--
View this message in context: http://camel.465427.n5.nabble.com/SSL-Server-Certs-and-Client-certificate-passthrough-tp5732925.html
Sent from the Camel - Users mailing list archive at Nabble.com.

RE: SSL : Server Certs and Client certificate passthrough

Posted by Arty <ry...@hotmail.com>.
I guess what I'm trying to figure out is how to manually attach a SSL Cert to
an exchange, based on data within the message.

RE: SSL : Server Certs and Client certificate passthrough

Posted by RTernier <ry...@hotmail.com>.
There might be some lingo confusion - I've been a .NET guy for 13 years who
was thrown into a Java/Apache world where I have 0 experience.

When a client accesses our web services, they are accessed over TCP port 443
- where SSL is required.

The servers have their own SSL (x509) certificate for encryption, however
they also force client certificates - not for encryption but for
authentication.

For example:

If I see that a person is sending in a message with the following
certificate "XXXX_HD1", I will want to pull up a certificate from the store
that corresponds to that certificate and pass that along when I forward the
message to another web service.   I also might want to use a different
certificate if I need to forward it to another service.

This is the current architecture for this government agency, and it's not
going to change.


RE: SSL : Server Certs and Client certificate passthrough

Posted by "Siano, Stephan" <st...@sap.com>.
Hi,

You probably don't want to attach the client certificate, but you do want to do a certificate based client authentication. You can achieve this by defining an HTTP conduit (see http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html for details).

Best regards
Stephan

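Stephan's pointer, worked through as an added example that is not from this thread and not CXF or Camel project code: configuring the CXF HTTP conduit programmatically so that the outbound call presents a client certificate. It does in Java what the linked page does with <http:conduit>, <sec:keyManagers> and <sec:trustManagers> in Spring XML. Assumed: CXF 2.x (TLSClientParameters, HTTPConduit), and that keystore paths, passwords and the JAX-WS proxy object are supplied by the caller.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;

import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

/** Programmatic equivalent of an http:conduit carrying sec:keyManagers and sec:trustManagers. */
public final class ClientCertConduit {

    private ClientCertConduit() {}

    /** Load a JKS or PKCS12 keystore from disk (path and password are caller-supplied). */
    static KeyStore loadKeyStore(String path, String type, char[] password) throws Exception {
        KeyStore keyStore = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            keyStore.load(in, password);
        }
        return keyStore;
    }

    /**
     * TLS client settings that present the private key and certificate held in identityStore
     * and accept only servers whose chain ends in a CA certificate held in trustStore
     * (for this thread: the agency's own CA, and nothing else).
     */
    static TLSClientParameters clientCertParameters(KeyStore identityStore, char[] keyPassword,
                                                    KeyStore trustStore) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identityStore, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        TLSClientParameters tls = new TLSClientParameters();
        tls.setSecureSocketProtocol("TLSv1.2");
        tls.setKeyManagers(kmf.getKeyManagers());
        tls.setTrustManagers(tmf.getTrustManagers());
        // Keep hostname verification on. With the CN check disabled, any certificate the
        // agency CA ever issued, including another client's, could impersonate the server.
        tls.setDisableCNCheck(false);
        return tls;
    }

    /** Attach the settings to the HTTP conduit behind a JAX-WS client proxy. */
    static void applyTo(Object jaxwsProxy, TLSClientParameters tls) {
        Client client = ClientProxy.getClient(jaxwsProxy);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        conduit.setTlsClientParameters(tls);
    }
}
```

Usage: build the identity keystore and the trust store with loadKeyStore, call clientCertParameters, then applyTo on the port object generated for the service. With camel-cxf the same settings can be declared once for all conduits in Spring with name="*.http-conduit", which is usually easier to audit than per-proxy Java code. Either way the private key stays in a keystore on the Camel host and is never placed on the exchange.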

RE: SSL : Server Certs and Client certificate passthrough

Posted by RTernier <ry...@hotmail.com>.
Hmm, I got the gist of it, but how would one add a SSL Certificate (client)
to an Exchange?

Let's say I'm going to https://mysite.com/foo  The server I'm sending from
already has the server certificate, which is easy to do, but if I wanted to
attach a x509 certificate as a client cert, how would I do that?

RE: SSL : Server Certs and Client certificate passthrough

Posted by "Siano, Stephan" <st...@sap.com>.
Hi,

Ok, so you actually do not really want to forward an SSL handshake or the certificate, but you want to select the client certificate you use for authentication based on the authenticated user of the request. I actually haven't done that (only selected the certificate used for client authentication based on a route). If you use Camel-CXF for the web service you might come up with some tricky implementation of the SSL KeyManager or the SSLSocketFactory used in the HTTP Conduit of CXF to achieve this, but I actually never tried dynamic authentication. CXF will also try to cache SSL sessions (there is also a parameter for that).

Best regards
Stephan

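The "tricky KeyManager" Stephan describes, as an added example (not from the thread, not CXF or Camel code), written so that the SSL session caching he warns about cannot present the wrong certificate: instead of one key manager that changes its mind per request, there is one SSLContext per backend alias, and the alias is looked up from the subject DN of the caller's certificate. Assumed: plain JDK APIs, a keystore holding one private key per backend identity, and a caller subject DN that was taken from the certificate the inbound handshake already verified; the mapping and alias names are placeholders.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;

/** Key manager that always presents one fixed alias instead of whichever key the JDK picks first. */
final class FixedAliasKeyManager extends X509ExtendedKeyManager {
    private final X509KeyManager delegate;
    private final String alias;

    FixedAliasKeyManager(X509KeyManager delegate, String alias) {
        if (delegate.getPrivateKey(alias) == null) {
            throw new IllegalArgumentException("keystore has no private key under alias " + alias);
        }
        this.delegate = delegate;
        this.alias = alias;
    }

    @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) { return alias; }
    @Override public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) { return alias; }
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return new String[] { alias }; }
    // Server-side selection is unused on an outbound conduit; defer to the JDK implementation.
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return delegate.chooseServerAlias(keyType, issuers, socket); }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
    @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
    @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
}

/**
 * Maps the subject DN of the caller's (already verified) inbound certificate to the alias of
 * the backend identity the proxy should present, and keeps one SSLContext per alias. TLS
 * session resumption and HTTP keep-alive both reuse the identity from the first full
 * handshake, so switching aliases inside one shared context would present the wrong
 * certificate on a reused connection.
 */
public final class BackendIdentitySelector {
    private final Map<String, String> subjectToAlias;   // caller subject DN -> keystore alias
    private final X509KeyManager baseKeyManager;
    private final TrustManager[] trustManagers;
    private final Map<String, SSLContext> contextsByAlias = new ConcurrentHashMap<String, SSLContext>();

    public BackendIdentitySelector(KeyStore identities, char[] keyPassword, KeyStore agencyCa,
                                   Map<String, String> subjectToAlias) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identities, keyPassword);
        this.baseKeyManager = (X509KeyManager) kmf.getKeyManagers()[0];
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(agencyCa);
        this.trustManagers = tmf.getTrustManagers();
        this.subjectToAlias = subjectToAlias;
    }

    /** Fails closed: a caller with no mapping gets no backend identity rather than a default one. */
    public SSLContext contextFor(String callerSubjectDn) throws Exception {
        String alias = subjectToAlias.get(callerSubjectDn);
        if (alias == null) {
            throw new SecurityException("no backend identity mapped for caller " + callerSubjectDn);
        }
        SSLContext context = contextsByAlias.get(alias);
        if (context == null) {
            context = SSLContext.getInstance("TLSv1.2");
            context.init(new KeyManager[] { new FixedAliasKeyManager(baseKeyManager, alias) }, trustManagers, null);
            SSLContext existing = contextsByAlias.putIfAbsent(alias, context);
            if (existing != null) {
                context = existing;
            }
        }
        return context;
    }
}
```

Wiring: hand contextFor(subjectDn).getSocketFactory() to TLSClientParameters.setSSLSocketFactory(...) on a conduit that is dedicated to that alias. In camel-cxf terms that is one cxf endpoint per backend identity and a choice() on the mapped alias in the route, not one conduit whose key manager is mutated per message. Key the map on the RFC 2253 form returned by X500Principal.getName() so that attribute ordering and whitespace in the DN cannot cause a miss or a false match.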

RE: SSL : Server Certs and Client certificate passthrough

Posted by RTernier <ry...@hotmail.com>.
Effectively we're doing our own Man in the Middle attack - but it's allowed
due to firewall restrictions we have within our zone. This model will be
changing in the future, but for now it's required.

RE: SSL : Server Certs and Client certificate passthrough

Posted by RTernier <ry...@hotmail.com>.
Thanks for the responses guys.

Willem - your 2nd point is actually how we do it.

Our reverse proxy is connecting to our own back end in a more secure zone.

Effectively what I need:

*Client sends the message*
Client sends a SOAP message to our Camel-Reverse Proxy. The connection will
terminate. This message is encrypted with a SSL Server Certificate from our
certificate authority, and it also comes with a client certificate which
gives them access to our server.

*Reverse Proxy (Camel Implementation)*
Camel will receive the message from the client, look at the client
certificate that was attached and then re-attach the same one from its own
store, or another one based on a mapping. This is a generic reverse proxy.


This is an allowed and valid secure architecture - and we own our own
certificate authority which governs multiple certificates - our clients use
our certificates when they connect to us. The clients never create their own
certificates - we issue them to them.

For an example:

client will send a SOAP message to
http://myserver.gov.ca/RP01/MCCI_001001001/ where camel is listening.

Camel will take the message, do some work on it, and re-route it to:
http://mybroker.gov.ca/BR01/MCCI_001001001/


The server Camel is on will have access to our certificate authority.

I'm just not sure how to wire it all up. I'm developing this on a windows
box, which is probably an issue as I'm not sure if windows boxes can use the
same key store a linux box can with java.

RE: SSL : Server Certs and Client certificate passthrough

Posted by "Siano, Stephan" <st...@sap.com>.
Hi,

I actually don't think that this can work at all. With SSL/TLS client certificate authentication the authentication is performed during the SSL handshake on socket level. The whole communication is encrypted and only the two communication partners will be able to decrypt it. If there are three parties involved there are actually two ways to do this:

1. The middle party is only acting as a proxy. In this case encryption is between the other two communication partners and the middle party has no way to read or change the data at all (just forward it). That's what is happening if you use an HTTP proxy for HTTPS. You might be able to use some mina stuff on socket level for the reverse proxy thing, however I don't really think that camel is the best solution for a reverse proxy on socket level.
2. The middle party is terminating the TLS connections. In this case two TLS handshakes take place, one between the client and the camel system, and one between the camel system and the server. TLS based authentication of the client will be possible between the client and the camel system, but not between the camel system and the server. You might be able to get the client certificate within the Camel route, but you will not be able to authenticate to the server with it, because that would also require the secret key of the client on the camel system (where it is not supposed to be).

There are other methods to do an authentication of a web service via a proxy like WS-Security, however these methods are not based on HTTPS and would require changes in the web service itself.

Best regards
Stephan Siano




Re: SSL : Server Certs and Client certificate passthrough

Posted by Willem jiang <wi...@gmail.com>.
Yeah, it is very complex, I don't think current camel-cxf can support it out of the box.
Can I know more detail about the web service that you proxy with Camel?
Why do you need to pass the clients request with re-attached key to the back service?
Can you just pass the client id or something and let camel route use the fixed private key to send the request to back service?


--  
Willem Jiang

Red Hat, Inc.
FuseSource is now part of Red Hat
Web: http://www.fusesource.com | http://www.redhat.com
Blog: http://willemjiang.blogspot.com (http://willemjiang.blogspot.com/) (English)
          http://jnn.iteye.com (http://jnn.javaeye.com/) (Chinese)
Twitter: willemjiang  
Weibo: 姜宁willem
