2011/06/30

Crypto Caching for Web Services hosted in WSO2 Carbon Platform

  • Dimuthu Leelarathne
  • Architect - WSO2

Applies To

WSO2 ESB 4.0.0, WSO2 App Server 4.10 (All products based on WSO2 Carbon Platform 3.2.0 and upwards)

Introduction

The WSO2 Carbon platform ships a custom implementation of the Crypto interface, namely "org.wso2.carbon.security.util.ServerCrypto". Without caching, every web service call that uses encryption and/or signature creates a new ServerCrypto instance and accesses the underlying WSO2 Registry. Once crypto caching is enabled, the Crypto objects are created only once and kept in an in-memory cache. Crypto caching has to be enabled on a per-service basis through a parameter in the rampart-config section of the service's security policy. This step-by-step guide shows how to enable crypto caching to make your security processing faster.

Steps

1. Host a web service in WSO2 App Server and enable security. Let's use security scenario 14 for this example.


2. Now go to the service dashboard and click on "Policies". Then click on the binding.


3. Add the "cryptoKey" and "cacheRefreshInterval" parameters to the signatureCrypto and encryptionCrypto sections. For more information on these two parameters, refer to the Rampart Configuration Guide.

<rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
    <rampart:user>wso2carbon</rampart:user>
    <rampart:encryptionUser>useReqSigCert</rampart:encryptionUser>
    <rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
    <rampart:timestampTTL>300</rampart:timestampTTL>
    <rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
    <rampart:tokenStoreClass>org.wso2.carbon.security.util.SecurityTokenStore</rampart:tokenStoreClass>
    <rampart:nonceLifeTime>300</rampart:nonceLifeTime>
    <rampart:encryptionCrypto>
        <rampart:crypto provider="org.wso2.carbon.security.util.ServerCrypto">
            <rampart:property name="org.wso2.carbon.security.crypto.alias">wso2carbon</rampart:property>
            <rampart:property name="org.wso2.carbon.security.crypto.privatestore">wso2carbon.jks</rampart:property>
            <rampart:property name="org.wso2.stratos.tenant.id">0</rampart:property>
            <rampart:property name="org.wso2.carbon.security.crypto.truststores">wso2carbon.jks,</rampart:property>
            <rampart:property name="rampart.config.user">wso2carbon</rampart:property>
        </rampart:crypto>
    </rampart:encryptionCrypto>
    <rampart:signatureCrypto>
        <rampart:crypto provider="org.wso2.carbon.security.util.ServerCrypto">
            <rampart:property name="org.wso2.carbon.security.crypto.alias">wso2carbon</rampart:property>
            <rampart:property name="org.wso2.carbon.security.crypto.privatestore">wso2carbon.jks</rampart:property>
            <rampart:property name="org.wso2.stratos.tenant.id">0</rampart:property>
            <rampart:property name="org.wso2.carbon.security.crypto.truststores">wso2carbon.jks,</rampart:property>
            <rampart:property name="rampart.config.user">wso2carbon</rampart:property>
        </rampart:crypto>
    </rampart:signatureCrypto>
</rampart:RampartConfig>
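The encryptionCrypto section from step 3 with the two caching parameters in place, added here as an example and not the article's own listing. It assumes the Rampart syntax in which cryptoKey and cacheRefreshInterval are attributes of the rampart:crypto element; the key property name and the 300000 millisecond interval are assumed values to adapt to your deployment.

```xml
<rampart:encryptionCrypto>
    <!-- Assumed: cryptoKey names the property whose value is used as the cache key
         (here the private keystore, so one cached Crypto object per keystore), and
         cacheRefreshInterval is the refresh period in milliseconds (300000 = 5 min). -->
    <rampart:crypto provider="org.wso2.carbon.security.util.ServerCrypto"
                    cryptoKey="org.wso2.carbon.security.crypto.privatestore"
                    cacheRefreshInterval="300000">
        <rampart:property name="org.wso2.carbon.security.crypto.alias">wso2carbon</rampart:property>
        <rampart:property name="org.wso2.carbon.security.crypto.privatestore">wso2carbon.jks</rampart:property>
        <rampart:property name="org.wso2.stratos.tenant.id">0</rampart:property>
        <rampart:property name="org.wso2.carbon.security.crypto.truststores">wso2carbon.jks,</rampart:property>
        <rampart:property name="rampart.config.user">wso2carbon</rampart:property>
    </rampart:crypto>
</rampart:encryptionCrypto>
<!-- Put the same two attributes on the rampart:crypto element under rampart:signatureCrypto. -->
```

Because the cached object is reused until the refresh interval elapses, a change to the keystore (for example a rotated key or an updated trusted certificate) is only picked up after that interval, so choose it with your key rotation in mind.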

Once crypto caching is enabled, the registry is no longer queried for every request, so the App Server keeps behaving normally even when the back-end database is not running. From WSO2 Carbon platform 3.3.0 onwards it is proposed to enable crypto caching by default, in which case you will not have to configure it explicitly.

Author

Dimuthu Leelarathne, Technical Lead and Product Manager WSO2 Stratos


About Author

  • Dimuthu Leelarathne
  • Architect
  • WSO2