Reputation: 175
We have a WCF service under IIS that is protected by Transport security (SSL) with client certificates (not message-level WS-Security, but enforced by IIS itself). I have added the certificate to wso2carbon.jks. Whenever the Send mediator is executed, the request times out. The IIS log shows only error 500.0. If in the IIS configuration I set it to ignore client certificates, everything works fine. Also, hand-coded Java Axis2 and .NET clients work fine with client certificates turned on in IIS.
Most probably I missed something in the call. Is WS-Policy required for such a case? I would appreciate any help.
Upvotes: 0
Views: 1352
Reputation: 175
Finally found a workaround.
Solution: Enable SSLAlwaysNegoClientCert on IIS. Here is a good post: Make IIS require SSL client certificate during initial handshake
Reason: IIS by default will renegotiate SSL if the client accesses a protected resource. The NIO and HTTP PassThrough transports do not allow renegotiation (which kind of makes sense, as it is a security vulnerability). So IIS doesn't get a Client Hello and issues error 500 (to the WSO2 guys: why does the TryIt client hang until the timeout, then?)
Remark: we can't always make changes on the IIS side, so it would be much better if the transports available in WSO2 ESB were more flexible about allowing renegotiation (maybe I missed where to configure it...)
Upvotes: 2
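The workaround above, as an added PowerShell example that is not part of the original answer: on IIS 7 and later the "negotiate client certificate during the initial handshake" setting lives on the HTTP.sys SSL binding, so the script reads the current binding with `netsh http show sslcert` and, if negotiation is disabled, re-creates the binding with `clientcertnegotiation=enable`. It assumes the WCF site is bound to `0.0.0.0:443` and that the shell runs as Administrator.

```powershell
# Added example (not from the original post). Assumption: the WCF site's
# HTTPS binding is 0.0.0.0:443; adjust $ipport for your environment.
$ipport = "0.0.0.0:443"

# 1. Read the existing HTTP.sys SSL binding for that endpoint.
$info = netsh http show sslcert ipport=$ipport
if (-not ($info | Select-String 'Certificate Hash')) {
    throw "No SSL binding found for $ipport"
}

function Get-Field([string[]]$lines, [string]$label) {
    $m = $lines | Select-String "$label\s*:\s*(\S+)"
    if (-not $m) { throw "Field '$label' not found in netsh output" }
    return $m.Matches[0].Groups[1].Value
}
$hash  = Get-Field $info 'Certificate Hash'
$appid = Get-Field $info 'Application ID'
$nego  = Get-Field $info 'Negotiate Client Certificate'

# 2. If the client certificate is already requested in the first handshake,
#    there is nothing to change: WSO2's transports will never see a renegotiation.
if ($nego -eq 'Enabled') {
    Write-Host "Client certificate negotiation already enabled on $ipport"
    return
}

# 3. HTTP.sys has no 'modify' verb, so the binding is removed and re-added
#    with clientcertnegotiation=enable. HTTPS on this port is briefly down.
netsh http delete sslcert ipport=$ipport
netsh http add sslcert ipport=$ipport certhash=$hash appid="$appid" clientcertnegotiation=enable

# 4. Confirm the new state; expect 'Negotiate Client Certificate : Enabled'.
netsh http show sslcert ipport=$ipport | Select-String 'Negotiate Client Certificate'
```

After the change, IIS sends its CertificateRequest in the initial TLS handshake, so the ESB's NIO/PassThrough client presents wso2carbon.jks's certificate without a renegotiation being needed.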
Reputation: 2149
In this scenario, WSO2 ESB is acting as the client. Therefore, you need to import the certificate into client-truststore.jks, which is in the repository/resources/security folder of WSO2 ESB. Then your service invocation should work.
Upvotes: 0