Monday, December 1, 2014

Server to server communication in WSO2 Carbon based products

Normally, for server-to-server communication we use basic authentication (username and password) as the security mechanism. Alternatively, a mutual SSL-like mechanism can be used if needed. In that case we use a keystore and its keystore password when connecting to the other server, so we do not need to store a user password in text files or log in to the server with a username and password. However, this requires code changes: when we create the service client we need to add the mutual SSL headers to the request. In this article [4] you will find more information about enabling mutual SSL for server-to-server communication. Other possible alternatives are documented in this document [5].
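As an added example (not code from the original post or from WSO2), the following Java client shows the JSSE side of what the paragraph describes: the calling server presents its own certificate from a keystore and validates the peer against a truststore, so no username or password travels with the request. The keystore and truststore paths, the environment variable names and the `carbon.home` property are assumed placeholders; the Carbon-specific mutual SSL header mentioned above is not covered here.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Builds a client that authenticates to a peer server with a certificate instead of a password. */
public class MutualSslClient {

    static SSLContext buildContext(String keyStorePath, char[] keyStorePassword,
                                   String trustStorePath, char[] trustStorePassword) throws Exception {
        // The keystore holds this server's private key and certificate: its identity toward the peer.
        KeyStore keyStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keyStorePath)) {
            keyStore.load(in, keyStorePassword);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyStorePassword);

        // The truststore holds only the CA (or peer) certificates this client is willing to accept.
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed locations and variables; passwords come from the environment, not from source code.
        String home = System.getProperty("carbon.home", ".");
        SSLContext ctx = buildContext(
                home + "/repository/resources/security/client-keystore.jks",
                System.getenv("CLIENT_KEYSTORE_PASSWORD").toCharArray(),
                home + "/repository/resources/security/client-truststore.jks",
                System.getenv("CLIENT_TRUSTSTORE_PASSWORD").toCharArray());

        // Apply the context to this connection only; do not override the JVM-wide default.
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default hostname verifier stays in place: the peer certificate must match the URL host.
        System.out.println("HTTP " + conn.getResponseCode());
        conn.disconnect();
    }
}
```

Run it as `java MutualSslClient https://peer-host:9443/services/SomeAdminService` with the two password variables set; a handshake failure here means the peer did not accept the presented certificate or is not in the truststore.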

As these are internal servers (no end user is involved, and credentials are passed over the internal network), we do not need to change the password all the time. As we understand it, internal server-to-server communication is not exposed to external users. External service calls (service calls coming from external users into the system) can be secured with short-lived tokens (OAuth); for this we can use API Manager with the OAuth protocol. All internal server-to-server calls happen inside the firewall.

Thrift is another common protocol we can use for server-to-server communication. You will find the Thrift service client implementation details in the following classes [1, 2]. This blog post [3] also has more information about Thrift service and client implementation.

[1] trunk/components/apimgt/org.wso2.carbon.apimgt.keymgt/src/main/java/org/wso2/carbon/apimgt/keymgt/service/thrift
[2] trunk/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/thrift
[3] http://srinathsview.blogspot.com/2011/09/writing-your-first-thrift-service.html
[4] http://java.dzone.com/articles/how-use-mutual-ssl-wso2
[5] http://soasecurity.org/2014/03/25/different-authentication-mechanism-for-wso2-carbon-management-console-and-admin-service-apis/
