synapse-dev mailing list archives

From Ruwan Linton <ruwan.lin...@gmail.com>
Subject Re: Supporting Multiple SSL Configurations at Sender
Date Tue, 21 Jul 2009 02:08:12 GMT
On Tue, Jul 21, 2009 at 6:48 AM, Andreas Veithen <andreas.veithen@gmail.com> wrote:

> Ruwan,
>
> Where does the requirement of using different stores come from?


Well, if not through different stores, how can we let the KeyManager know
what cert to use for this particular endpoint? This is the requirement that
we are trying to address.

http://wso2.org/forum/thread/3928

Do you know any other means of letting the KeyManager know which identity
cert it has to use for this particular endpoint? Basically, how do you
provide the mapping of the endpoint to the identity cert?

Thanks,
Ruwan


>
>
> Andreas
>
> On Tue, Jul 21, 2009 at 03:15, Ruwan Linton<ruwan.linton@gmail.com> wrote:
> >
> >
> > On Tue, Jul 21, 2009 at 6:23 AM, Andreas Veithen <andreas.veithen@gmail.com>
> > wrote:
> >>
> >> On Tue, Jul 21, 2009 at 02:05, Ruwan Linton <ruwan.linton@gmail.com> wrote:
> >> >
> >> >
> >> > On Mon, Jul 20, 2009 at 10:19 PM, indika kumara <indika.kuma@gmail.com>
> >> > wrote:
> >> >>
> >> >> I agree with asankha,
> >> >>
> >> >> The requirement is to enable Synapse itself to represent multiple
> >> >> identities and also to call external services whose identities are
> >> >> different.
> >> >> For the first requirement it may need to expose identities at the proxy
> >> >> service level. For the second requirement, it may need the ability to
> >> >> specify and use multiple client certificates at the endpoint level when
> >> >> calling different external services.
> >> >>
> >> >> Giving multiple SSLContexts is the scalable solution. Especially for
> >> >> requirement one, using a reactor will not be scalable. Even for the
> >> >> second requirement.
> >> >>
> >> >> But it seems that in the current IOReactor implementation it is only
> >> >> possible to be given one SSLContext (with IOEventDispatch).
> >> >>
> >> >> Seems like we need a new IOEventDispatch implementation that takes a
> >> >> Map of SSLContexts (or a composite IOEventDispatch) and then, within the
> >> >> method
> >> >>
> >> >> public void connected(final IOSession session)
> >> >>
> >> >> picks the correct SSLContext based on the information in the IOSession.
> >> >> I am not sure about the possibility of this, but Asankha or Oleg surely
> >> >> knows this.
> >> >
> >> > Asankha, Indika is correct in the above comment I guess... IOReactor has
> >> > a one-to-one relationship with the SSLContext; I think that is why Hiranya
> >> > wanted multiple IOReactors to support this.
> >> >
> >> > Is there a mechanism where you can provide multiple SSLContexts to the
> >> > IOEventDispatcher? I suggest we get the patch from Hiranya and improve it
> >> > to support this scenario, since he has some working code already. WDYT?
> >> >
> >> > Thanks,
> >> > Ruwan
> >> >
> >>
> >> I don't think that you even need multiple SSLContexts. Choosing the
> >> client certificate is the responsibility of X509(Extended)KeyManager.
> >> Probably the requirement is already supported out-of-the-box by the
> >> default key manager implementation. If not, the option is to implement
> >> a custom version.
> >
> > If you need to provide the different certs through different stores
> > (different JKS files), I don't think the key manager can handle that,
> > because there is no way that the key manager can find different key stores
> > without the user (nhttp transport) feeding it the key store.
> >
> > Am I missing anything?
> >
> > Thanks,
> > Ruwan
> >
> >>
> >> >>
> >> >> Thanks
> >> >> Indika
> >> >>
> >> >>
> >> >> >
> >> >> > I guess the real use case is the ability to use multiple identity
> >> >> > certificates when communicating out. A usual use case is that one
> >> >> > organization would need to use an identity certificate A when talking
> >> >> > to an endpoint of Company A, and another identity certificate B when
> >> >> > talking to an endpoint of Company B etc., when using 2-way SSL. This
> >> >> > does not necessarily require the support for multiple keystores, unless
> >> >> > I have missed something.
> >> >> >
> >> >> > I have not yet looked into details.. but I do not directly see the need
> >> >> > for multiple IO reactors to support this.. but just multiple
> >> >> > SSLContexts.
> >> >> >
> >> >> > cheers
> >> >> > asankha
> >> >> >
> >> >> > --
> >> >> > Asankha C. Perera
> >> >> > AdroitLogic, http://adroitlogic.org
> >> >> >
> >> >> > http://esbmagic.blogspot.com
> >> >> >
> >> >> >
> >> >> >
> >> >> >
> >> >>
> >> >
> >> >
> >> >
> >> > --
> >> > Ruwan Linton
> >> > Technical Lead & Product Manager; WSO2 ESB; http://wso2.org/esb
> >> > WSO2 Inc.; http://wso2.org
> >> > email: ruwan@wso2.com; cell: +94 77 341 3097
> >> > blog: http://ruwansblog.blogspot.com
> >> >
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: dev-unsubscribe@synapse.apache.org
> >> For additional commands, e-mail: dev-help@synapse.apache.org
> >>
> >
> >
> >
>
>
>



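An added example, not code from the Synapse project or from anyone in this thread, showing the shape of the custom key manager Andreas refers to and answering Ruwan's two questions at once: how an endpoint is mapped to an identity cert, and how different JKS files can be used when the key manager cannot find keystores on its own. The transport (the assumed caller) loads each endpoint's keystore into its own X509KeyManager via register(); a single X509ExtendedKeyManager in a single SSLContext then routes chooseEngineClientAlias by the peer host of the outbound handshake. The class name EndpointKeyManager, the register()/buildContext() methods, the "host|alias" tagging, and the assumption that the transport creates the SSLEngine with createSSLEngine(host, port) so that getPeerHost() is populated are all mine.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;

/**
 * Hypothetical composite key manager (example code, not Synapse's own).
 * One SSLContext, several identity keystores: the transport registers a JKS
 * file per endpoint host, and the peer host of each outbound handshake picks
 * which per-endpoint X509KeyManager answers the client-alias request.
 */
public final class EndpointKeyManager extends X509ExtendedKeyManager {

    private static final char SEP = '|';
    // peer host (lower-cased) -> key manager built from that endpoint's own keystore
    private final Map<String, X509KeyManager> byHost = new HashMap<>();
    // identity presented when the peer host is unknown or not registered
    private final X509KeyManager fallback;

    public EndpointKeyManager(X509KeyManager fallback) { this.fallback = fallback; }

    /** Assumed to be called by the nhttp transport once per endpoint host. */
    public void register(String host, String jksPath, char[] storePass, char[] keyPass) throws Exception {
        byHost.put(host.toLowerCase(Locale.ROOT), loadKeyManager(jksPath, storePass, keyPass));
    }

    /** Load one JKS file into the JRE's default X509KeyManager. */
    public static X509KeyManager loadKeyManager(String jksPath, char[] storePass, char[] keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(jksPath)) { ks.load(in, storePass); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPass);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) return (X509KeyManager) km;
        }
        throw new IllegalStateException("no X509KeyManager for " + jksPath);
    }

    /** The single SSLContext the sender hands to its one IOReactor. */
    public static SSLContext buildContext(EndpointKeyManager ekm, TrustManager[] trust) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { ekm }, trust, null);
        return ctx;
    }

    // NIO path. getPeerHost() is only set when the engine was created with
    // createSSLEngine(host, port) (assumption); if it is null we fall back.
    @Override
    public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine engine) {
        String host = engine == null ? null : engine.getPeerHost();
        X509KeyManager km = select(host);
        String alias = km instanceof X509ExtendedKeyManager
                ? ((X509ExtendedKeyManager) km).chooseEngineClientAlias(keyTypes, issuers, engine)
                : km.chooseClientAlias(keyTypes, issuers, null);
        return tag(host, alias);
    }

    // Blocking-socket path, kept so the same manager also works with SSLSocket.
    @Override
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        String host = socket == null || socket.getInetAddress() == null ? null : socket.getInetAddress().getHostName();
        return tag(host, select(host).chooseClientAlias(keyTypes, issuers, socket));
    }

    // JSSE treats the alias as an opaque token and hands it straight back to
    // these two methods, so "host|alias" lets us route to the right keystore.
    @Override public PrivateKey getPrivateKey(String alias) { return route(alias).getPrivateKey(plain(alias)); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return route(alias).getCertificateChain(plain(alias)); }

    // The sender never acts as a TLS server; the remaining interface methods just delegate.
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return fallback.getClientAliases(keyType, issuers); }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return fallback.getServerAliases(keyType, issuers); }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return fallback.chooseServerAlias(keyType, issuers, socket); }

    private X509KeyManager select(String host) {
        X509KeyManager km = host == null ? null : byHost.get(host.toLowerCase(Locale.ROOT));
        return km != null ? km : fallback;
    }

    private static String tag(String host, String alias) {
        if (alias == null) return null;  // no usable identity: JSSE sends an empty certificate
        return (host == null ? "" : host.toLowerCase(Locale.ROOT)) + SEP + alias;
    }

    private X509KeyManager route(String tagged) {
        int i = tagged.indexOf(SEP);
        return i < 0 ? fallback : select(tagged.substring(0, i));
    }

    private static String plain(String tagged) {
        int i = tagged.indexOf(SEP);
        return i < 0 ? tagged : tagged.substring(i + 1);
    }
}
```

Two caveats for anyone wiring this into the nhttp transport. First, the whole scheme rests on the SSLEngine knowing its peer host; if the HttpCore version in use creates the engine with a bare createSSLEngine(), getPeerHost() is null and every connection silently gets the fallback identity, so check SSLIOSession in your httpcore-nio version and confirm on the wire (for example with a packet capture of the handshake) which client certificate each endpoint actually receives. Second, the trust side is unchanged here: this only selects which identity Synapse presents, and the TrustManager[] passed to buildContext() still decides which server certificates are accepted.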