Crypto Caching for Web Services hosted in WSO2 Carbon Platform
- Dimuthu Leelarathne
- Architect - WSO2
Applies To
WSO2 ESB 4.0.0, WSO2 App Server 4.10 (All products based on WSO2 Carbon Platform 3.2.0 and upwards)
Introduction
The WSO2 Carbon platform ships a custom implementation of the Rampart Crypto interface, namely "org.wso2.carbon.security.util.ServerCrypto". Without caching, every web service call that uses encryption and/or signature creates a new ServerCrypto instance and reads the keystore from the underlying WSO2 Registry. Once crypto caching is enabled, the crypto objects are created only once and kept in an in-memory cache. Crypto caching is enabled on a per-service basis through a parameter in the rampart-config section of the service's security policy. This step-by-step guide shows how to enable crypto caching to make security processing faster.
Steps
1. Host a web service in WSO2 App Server and enable security. This example uses security scenario 14.
2. Go to the service dashboard and click Policies, then click Binding.
3. Add the "cryptoKey" and "cacheRefreshInterval" parameters to the signatureCrypto and encryptionCrypto sections. For more information on these two parameters, please refer to the Rampart Configuration Guide.
<rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
    <rampart:user>wso2carbon</rampart:user>
    <rampart:encryptionUser>useReqSigCert</rampart:encryptionUser>
    <rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
    <rampart:timestampTTL>300</rampart:timestampTTL>
    <rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
    <rampart:tokenStoreClass>org.wso2.carbon.security.util.SecurityTokenStore</rampart:tokenStoreClass>
    <rampart:nonceLifeTime>300</rampart:nonceLifeTime>
    <rampart:encryptionCrypto>
        <rampart:crypto provider="org.wso2.carbon.security.util.ServerCrypto">
            <rampart:property name="org.wso2.carbon.security.crypto.alias">wso2carbon</rampart:property>
            <rampart:property name="org.wso2.carbon.security.crypto.privatestore">wso2carbon.jks</rampart:property>
            <rampart:property name="org.wso2.stratos.tenant.id">0</rampart:property>
            <rampart:property name="org.wso2.carbon.security.crypto.truststores">wso2carbon.jks,</rampart:property>
            <rampart:property name="rampart.config.user">wso2carbon</rampart:property>
        </rampart:crypto>
    </rampart:encryptionCrypto>
    <rampart:signatureCrypto>
        <rampart:crypto provider="org.wso2.carbon.security.util.ServerCrypto">
            <rampart:property name="org.wso2.carbon.security.crypto.alias">wso2carbon</rampart:property>
            <rampart:property name="org.wso2.carbon.security.crypto.privatestore">wso2carbon.jks</rampart:property>
            <rampart:property name="org.wso2.stratos.tenant.id">0</rampart:property>
            <rampart:property name="org.wso2.carbon.security.crypto.truststores">wso2carbon.jks,</rampart:property>
            <rampart:property name="rampart.config.user">wso2carbon</rampart:property>
        </rampart:crypto>
    </rampart:signatureCrypto>
</rampart:RampartConfig>
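The same two crypto sections with caching switched on, as an added example that is not taken from the original article. It assumes Rampart's form of these settings, namely cryptoKey and cacheRefreshInterval written as attributes of the rampart:crypto element, with cryptoKey naming the property whose value identifies the cached instance and cacheRefreshInterval assumed to be in milliseconds; the interval value is constructed for illustration.

```xml
<!-- Added example (not from the article): caching enabled on both crypto sections.
     Assumption: cryptoKey / cacheRefreshInterval are attributes of rampart:crypto. -->
<rampart:encryptionCrypto>
    <!-- cryptoKey points at the property that distinguishes one keystore from another,
         so two services backed by different keystores never share a cached instance. -->
    <rampart:crypto provider="org.wso2.carbon.security.util.ServerCrypto"
                    cryptoKey="org.wso2.carbon.security.crypto.privatestore"
                    cacheRefreshInterval="300000">
        <rampart:property name="org.wso2.carbon.security.crypto.alias">wso2carbon</rampart:property>
        <rampart:property name="org.wso2.carbon.security.crypto.privatestore">wso2carbon.jks</rampart:property>
        <rampart:property name="org.wso2.stratos.tenant.id">0</rampart:property>
        <rampart:property name="org.wso2.carbon.security.crypto.truststores">wso2carbon.jks,</rampart:property>
        <rampart:property name="rampart.config.user">wso2carbon</rampart:property>
    </rampart:crypto>
</rampart:encryptionCrypto>
<rampart:signatureCrypto>
    <!-- Same key and interval (constructed value: 300000 ms = 5 minutes) for the signature side. -->
    <rampart:crypto provider="org.wso2.carbon.security.util.ServerCrypto"
                    cryptoKey="org.wso2.carbon.security.crypto.privatestore"
                    cacheRefreshInterval="300000">
        <rampart:property name="org.wso2.carbon.security.crypto.alias">wso2carbon</rampart:property>
        <rampart:property name="org.wso2.carbon.security.crypto.privatestore">wso2carbon.jks</rampart:property>
        <rampart:property name="org.wso2.stratos.tenant.id">0</rampart:property>
        <rampart:property name="org.wso2.carbon.security.crypto.truststores">wso2carbon.jks,</rampart:property>
        <rampart:property name="rampart.config.user">wso2carbon</rampart:property>
    </rampart:crypto>
</rampart:signatureCrypto>
```

Because the cached crypto object is only rebuilt when the refresh interval elapses, a keystore change in the Registry is not seen by the service before then, so choose the interval against how quickly a rotated or replaced key must take effect.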
Author
Dimuthu Leelarathne, Technical Lead and Product Manager WSO2 Stratos