Multi-HTTPS Transport¶
You can enable dynamic SSL profiles for the Micro Integrator by updating the deployment.toml file with the required SSL
profile configurations. Also, you can dynamically load the SSL profiles at
runtime using a periodic schedule or JMX invocation. That is, instead of reloading the entire deployment.toml at runtime, you can
reload the new configuration files that contain only the custom profile
information for the sender and receiver.
Enabling dynamic SSL profiles¶
The following configuration changes should be done in the Multi-HTTPS transport receiver and sender.
Dynamic SSL profiles for the Multi-HTTPS transport sender:
-
Open the
deployment.tomlfile (stored in theMI_HOME/confdirectory) and add the following parameters.[transport.http] sender.ssl_profile.file_path = "conf/sslprofiles/senderprofiles.xml" sender.ssl_profile.read_interval = 600000 -
Create the
senderprofiles.xmlfile with the following configuration in theMI_HOME/conf/sslprofilesdirectory:Info
You can configure the file path for the
senderprofiles.xmlfile as required.<parameter xmlns:svns="http://org.wso2.securevault/configuration" name="customSSLProfiles"> <profile> <servers>localhost:8244,hostname:8245</servers> <KeyStore> <Location>repository/resources/security/esb.jks</Location> <Type>JKS</Type> <Password>123456</Password> <KeyPassword>123456</KeyPassword> </KeyStore> <TrustStore> <Location>repository/resources/security/esbtruststore.jks</Location> <Type>JKS</Type> <Password>123456</Password> </TrustStore> </profile> </parameter>Note that the
xmlns:svns="http://org.wso2.securevault/configurationnamespace has to be added before the parameter name.The SSL profile will be applied to each request that is sent to the destination server specified within the
<servers>element as IP:Port combination.Note
Use host names in the
<servers>list instead of IP addresses to avoid latencies due to DNS lookup. If you are using IP address, make sure to add an entry to the host file with respective host name mapping.
Dynamic SSL profiles for the Multi-HTTPS transport listener:
To dynamically load the SSL profiles at runtime for the Multi-HTTPS transport listener, you can configure
org.apache.synapse.transport.passthru.PassThroughHttpMultiSSLListener (which is the existing implementation of the
Multi-HTTPS transport receiver) as a custom transport receiver.
-
Open the
deployment.tomlfile (stored in theMI_HOME/confdirectory) and add the following parameter to disable the default HTTPS transport receiver.
2. Add the following parameters to configure[transport.http] listener.secured_enable = falseorg.apache.synapse.transport.passthru.PassThroughHttpMultiSSLListeneras a custom transport receiver.```toml [[custom_transport.listener]] class="org.apache.synapse.transport.passthru.PassThroughHttpMultiSSLListener" protocol = "https" parameter.port = 8243 parameter.non_blocking = true
keystore.location = "repository/resources/security/wso2carbon.jks" keystore.type = "JKS" keystore.password = "wso2carbon" keystore.key_password = "wso2carbon" truststore.location = "repository/resources/security/client-truststore.jks" truststore.type = "JKS" truststore.password = "wso2carbon"
ssl_profile.file_path= "conf/sslprofiles/listenerprofiles.xml" ssl_profile.read_interval = 600000 ```
-
Create the
listenerprofiles.xmlfile in theMI_HOME/conf/sslprofilesdirectory and add the following configurations:Info
You can configure the file path for the
listenerprofiles.xmlfile as required.<parameter xmlns:svns="http://org.wso2.securevault/configuration" name="SSLProfiles"> <profile> <bindAddress>hostname</bindAddress> <KeyStore> <Location>repository/resources/security/esb.jks</Location> <Type>JKS</Type> <Password>123456</Password> <KeyPassword>123456</KeyPassword> </KeyStore> <TrustStore> <Location>repository/resources/security/esbtruststore.jks</Location> <Type>JKS</Type> <Password>123456</Password> </TrustStore> <SSLVerifyClient>require</SSLVerifyClient> </profile> </parameter>Note that the
xmlns:svns="http://org.wso2.securevault/configurationnamespace has to be added before the parameter name.The SSL profile will be applied to each request that is received at the IP specified within the
<bindAddress>element.Note
It is recommended to configure the hostname as the server when configuring custom SSL profiles. If an IP address is required to be configured as the server, the IP address needs to be mapped to a hostname in the Host file, and the hostname can be provided as the server.
Loading SSL profiles at runtime¶
You can either use a periodic schedule or a JMX invocation to apply custom profiles at runtime. The following section describes the two options in detail:
-
Periodic schedule: If you use this option, the Micro Integrator will automatically check updates of the file content and apply the custom profiles based on the value specified in the
fileReadIntervalparameter. For example, if you have set thefileReadIntervalas 1 hour, The Micro Integrator will automatically check updates of the file content and apply the custom profile every 1 hour. -
JMX Invocation: If you use this option, custom profiles will be applied dynamically by invoking the
notifyFileUpdatemethod in the respective sender/listener MBean under theListenerSSLProfileReloaderorSenderSSLProfileReloadergroup in JConsole.
The following table provides information on the parameters that you can set when you enable dynamic SSL profiles:
| Parameter Name | Description | Default Value |
|---|---|---|
filePath |
The relative/absolute file path of the custom SSL profile configuration XML file. | - |
fileReadInterval |
The time interval (in milliseconds) in which configuration updates will be loaded and applied at runtime. This value should be greater than 1 minute. | 3600000 |