Posted to dev@synapse.apache.org by segal96 <ca...@gmail.com> on 2009/06/10 20:37:59 UTC

Synapse 2-way SSL w/ Client Certificates

Using the StockQuote client/server samples, I have set up Synapse for 2-way SSL
(client cert) between the client and Synapse, and also between Synapse and
the backend web service.  I've set up the truststores so that only trusted
web clients can connect with Synapse, and only Synapse can connect with the
backend web services.

I am relatively new to SOA/web services, and I wanted to know from the
experts if this seems like a viable approach.  I do understand the tradeoffs
between transport & message level security.  Also, I have an existing PKI
available, so no worries with certificate management.  Is there anything
else I need to consider with this design? E.g. performance?


Re: Synapse 2-way SSL w/ Client Certificates

Posted by Ruwan Linton <ru...@gmail.com>.
Hi,

From my point of view this is OK, as long as you can restrict the access with
the certificates. Regarding the performance, as long as your client side (the one
that talks to Synapse) and the server side (the one Synapse is supposed
to talk to) support HTTP/1.1 with KeepAlive, it is not going to be a big
issue, because the established connection between the client and Synapse or
between Synapse and the server will be reused, so that the handshake overhead and
the rest of the SSL overhead will be there only for the connection
establishment request, because the Synapse nhttp transport is fully asynchronous
and supports KeepAlive for SSL.

Alternatively, from the application's POV, it is better to have
application-level security like WS-Security over the exposed web services,
based on the policy, as you already understand.

Hope this helps...

Thanks,
Ruwan

-- 
Ruwan Linton
Senior Software Engineer & Product Manager; WSO2 ESB; http://wso2.org/esb
WSO2 Inc.; http://wso2.org
email: ruwan@wso2.com; cell: +94 77 341 3097
blog: http://ruwansblog.blogspot.com
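
The two-hop setup discussed in this thread, as an added configuration sketch for Synapse's `axis2.xml` (it is not taken from either post or from the poster's actual files). Keystore locations and passwords are placeholders, and 8243 is assumed as the HTTPS listener port.

```xml
<!-- Hop 1: web clients -> Synapse (nhttp HTTPS listener). Added example. -->
<transportReceiver name="https"
                   class="org.apache.synapse.transport.nhttp.HttpCoreNIOSSLListener">
    <parameter name="port">8243</parameter>
    <!-- Synapse's own server certificate and private key -->
    <parameter name="keystore">
        <KeyStore>
            <Location>PLACEHOLDER/synapse-identity.jks</Location>
            <Type>JKS</Type>
            <Password>PLACEHOLDER</Password>
            <KeyPassword>PLACEHOLDER</KeyPassword>
        </KeyStore>
    </parameter>
    <!-- Decides which clients are accepted. A CA certificate stored here admits
         every certificate that CA has issued, so with a shared PKI, trust a
         dedicated issuing CA or import the individual client certificates
         rather than the PKI root. -->
    <parameter name="truststore">
        <TrustStore>
            <Location>PLACEHOLDER/synapse-client-trust.jks</Location>
            <Type>JKS</Type>
            <Password>PLACEHOLDER</Password>
        </TrustStore>
    </parameter>
    <!-- Weak: omitting this (defaults to none) or using "optional" lets a
         client complete the handshake without presenting a certificate. -->
    <parameter name="SSLVerifyClient">require</parameter>
</transportReceiver>

<!-- Hop 2: Synapse -> backend web service (nhttp HTTPS sender). -->
<transportSender name="https"
                 class="org.apache.synapse.transport.nhttp.HttpCoreNIOSSLSender">
    <!-- Certificate Synapse presents to the backend as its client identity -->
    <parameter name="keystore">
        <KeyStore>
            <Location>PLACEHOLDER/synapse-identity.jks</Location>
            <Type>JKS</Type>
            <Password>PLACEHOLDER</Password>
            <KeyPassword>PLACEHOLDER</KeyPassword>
        </KeyStore>
    </parameter>
    <!-- Only the backend's certificate (or its issuing CA) belongs here -->
    <parameter name="truststore">
        <TrustStore>
            <Location>PLACEHOLDER/synapse-backend-trust.jks</Location>
            <Type>JKS</Type>
            <Password>PLACEHOLDER</Password>
        </TrustStore>
    </parameter>
</transportSender>
```

Restricting the backend to Synapse alone is enforced on the backend's own listener, which must require a client certificate and trust only the certificate Synapse presents.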