WSO2 ESB Secured Proxy Endpoint - security

I use the ESB with many different proxies.
One of them sends the messages to other proxy endpoints. All the proxies are in the ESB.
At the moment those endpoint proxies are not secured. I would like to use scenario 1 as security for them.
But how can I send the message to those endpoints? That is: how can I add a security header with username and password in my proxy configuration so that I can authenticate, maybe with user "admin" and password "admin"?

As I understand it, you need to secure the proxy and forward it to an unsecured back-end service.
For this, you can try the following steps from the WSO2 ESB Management Console. I tried this on WSO2 ESB 4.7.0.
1) Add a pass-through proxy service.
2) View the proxy from the Service Dashboard.
3) Click on "Security" for the service.
4) Select "Yes" for "Enable Security?"
5) Select "UsernameToken" and click Next. This is the Scenario 1 you mentioned; it uses the WS-Security standard with a Username Token.
6) Select the "admin" group here and click on "Finish".
Now security will be enabled for your service.
The proxy service now requires authentication, and you can use the "admin" user (or any user you have added).
If you are using a Java client, it might be easier to use Axis2 with the Rampart module engaged. There are many examples of this.
See the following links.
http://blog.facilelogin.com/2008/11/security-policy-with-rampart.html (This has a simple client)
http://blog.thilinamb.com/2009/08/securing-web-service-with-username.html
I tested this using SoapUI. You can pass the username and password via the request properties.
Your request will be similar to the following.
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> "POST /services/SimpleStockQuoteService.SimpleStockQuoteServiceHttpsSoap12Endpoint HTTP/1.1[\r][\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> "Accept-Encoding: gzip,deflate[\r][\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> "Content-Type: application/soap+xml;charset=UTF-8;action="urn:getQuote"[\r][\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> "Content-Length: 1195[\r][\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> "Host: isurup-ThinkPad-T530:8243[\r][\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> "Connection: Keep-Alive[\r][\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> "User-Agent: Apache-HttpClient/4.1.1 (java 1.5)[\r][\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> "[\r][\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> "<soap:Envelope xmlns:ser="http://services.samples" xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:xsd="http://services.samples/xsd">[\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> " <soap:Header><wsse:Security soap:mustUnderstand="true" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsu:Timestamp wsu:Id="TS-63"><wsu:Created>2013-08-20T19:45:32Z</wsu:Created><wsu:Expires>2013-08-20T21:08:52Z</wsu:Expires></wsu:Timestamp><wsse:UsernameToken wsu:Id="UsernameToken-62"><wsse:Username>admin</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">admin</wsse:Password><wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">WG8iV7vik8QqZkzlaIabWg==</wsse:Nonce><wsu:Created>2013-08-20T19:45:32.861Z</wsu:Created></wsse:UsernameToken></wsse:Security></soap:Header>[\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> " <soap:Body>[\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> " <ser:getQuote>[\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> " <ser:request>[\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> " <xsd:symbol>WSO2</xsd:symbol>[\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> " </ser:request>[\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> " </ser:getQuote>[\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> " </soap:Body>[\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> "</soap:Envelope>"
Update
If the back-end service is also secured, you can refer to the following blog post.
http://soasecurity.org/2012/11/05/how-to-invoke-secured-backend-service-using-wso2-esb/

In the calling proxy service you can configure a property as follows:
<property name="Authorization"
          expression="fn:concat('Basic ', base64Encode('admin:admin'))"
          scope="transport"
          type="STRING"/>
With this, the Basic Auth header will be set in the request to the called proxy service.
Hope this helps.
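As an added example (not code from the answer or from WSO2), the following Python builds the wsse:Security header that appears in the SoapUI capture above and computes the same value the Synapse property produces for the Basic Auth header. The user store, nonce and timestamp values are constructed. It goes a little beyond the capture: besides the PasswordText form, it supports the PasswordDigest form from the UsernameToken Profile 1.0 (Base64 of SHA-1 over nonce + created + password), and the verifier performs the freshness and nonce-replay checks a receiving service should do before trusting the token.

```python
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace and type URIs exactly as they appear in the SoapUI capture above
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PW_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
PW_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ET.register_namespace("wsse", WSSE)
ET.register_namespace("wsu", WSU)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0 digest: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_security_header(username, password, use_digest=True, nonce=None, created=None):
    """Return a <wsse:Security> header (as a string) carrying one UsernameToken.

    use_digest=False reproduces the PasswordText form of the capture, which carries
    the clear-text password and therefore relies entirely on TLS for secrecy.
    """
    nonce = nonce if nonce is not None else secrets.token_bytes(16)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    sec = ET.Element(f"{{{WSSE}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken", {f"{{{WSU}}}Id": "UsernameToken-1"})
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password")
    pw.set("Type", PW_DIGEST if use_digest else PW_TEXT)
    pw.text = password_digest(nonce, created, password) if use_digest else password
    ET.SubElement(tok, f"{{{WSSE}}}Nonce", {"EncodingType": B64}).text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return ET.tostring(sec, encoding="unicode")


def basic_auth_header(username, password):
    """Same value as the Synapse property above: 'Basic ' + base64('user:pass')."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def _parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


class UsernameTokenVerifier:
    """Receiver-side check: known user, fresh Created, unused nonce, matching password."""

    def __init__(self, passwords, max_skew=timedelta(minutes=5)):
        self.passwords = passwords          # constructed in-memory user store
        self.max_skew = max_skew
        self.seen_nonces = set()            # nonces already accepted (replay cache)

    def verify(self, header_xml, now_iso=None):
        now = _parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
        tok = ET.fromstring(header_xml).find(f"{{{WSSE}}}UsernameToken")
        if tok is None:
            return False, "no UsernameToken"
        username = tok.findtext(f"{{{WSSE}}}Username")
        pw_el = tok.find(f"{{{WSSE}}}Password")
        nonce_text = tok.findtext(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        if username is None or pw_el is None or nonce_text is None or created is None:
            return False, "incomplete token"
        expected = self.passwords.get(username)
        if expected is None:
            return False, "unknown user"
        if abs(now - _parse_ts(created)) > self.max_skew:
            return False, "stale token"
        nonce = base64.b64decode(nonce_text)
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        given = (pw_el.text or "").encode("utf-8")
        ptype = pw_el.get("Type", PW_TEXT)
        if ptype == PW_DIGEST:
            ok = hmac.compare_digest(given, password_digest(nonce, created, expected).encode("utf-8"))
        elif ptype == PW_TEXT:
            ok = hmac.compare_digest(given, expected.encode("utf-8"))
        else:
            return False, "unsupported password type"
        if not ok:
            return False, "bad password"
        self.seen_nonces.add(nonce)         # accept each nonce once
        return True, "ok"
```

The verifier checks the timestamp before the nonce so that an old token is rejected without polluting the replay cache; in a real service the cache would need to be shared between nodes and expired along with max_skew.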

You can simply use curl to invoke the secured proxy service like below.
curl -k --basic -u admin:admin https://localhost:8243/services/PoxSecurityProxy.POXSecurityProxyHttpsSoap11Endpoint/echoString?in=Chanaka

In your scenario, you need to invoke a secured back end (another proxy service) from a proxy service. To do this you will need to write security policies. Refer to the blog post at [1].
[1] http://soasecurity.org/2012/11/05/how-to-invoke-secured-backend-service-using-wso2-esb/

Related

elasticdump with TLS - unable to verify the first certificate

Using Elasticsearch 7.9.3 with TLS security. I can connect to it via Python, curl and openssl using the CA certificates I generated.
# These work, but this is a fake domain name
openssl s_client -connect node0:9200 -CAfile /etc/elasticsearch/certs/ca.pem
curl --cacert /etc/elasticsearch/certs/ca.crt -u "elastic:$ELASTIC_PASS" 'https://node0.elastic.test.com:9200/_cat/health'
# Node / elasticdump is not happy
$ elasticdump --input=./account_mapping.json --output="https://elastic:$ELASTIC_PASS#node0.elastic.test.com:9200/account" --type=mapping
Thu, 19 Nov 2020 21:28:50 GMT | starting dump
Thu, 19 Nov 2020 21:28:50 GMT | got 1 objects from source file (offset: 0)
Thu, 19 Nov 2020 21:28:50 GMT | Error Emitted => unable to verify the first certificate
Thu, 19 Nov 2020 21:28:50 GMT | Error Emitted => unable to verify the first certificate
Thu, 19 Nov 2020 21:28:50 GMT | Total Writes: 0
Thu, 19 Nov 2020 21:28:50 GMT | dump ended with error (get phase) => Error: unable to verify the first certificate
$ npm config set cafile /etc/elasticsearch/certs/ca.pem
# same result
Thu, 19 Nov 2020 21:28:50 GMT | dump ended with error (get phase) => Error: unable to verify the first certificate
$ elasticdump --input=../account_mapping.json --output="https://elastic:$ELASTIC_PASS#node1.elastic.test.com:9200/account" --type=mapping --output-ca=/etc/elasticsearch/certs/ca.pem
# same result
Other posts suggested running with NODE_TLS_REJECT_UNAUTHORIZED=0, but that did not fix the problem in this case.
It works if you provide tlsAuth AND output-ca flags.
$ elasticdump --input=./account_mapping.json --output="https://elastic:$ELASTIC_PASS#node0.elastic.test.com:9200/account" --type=mapping --tlsAuth --output-ca=/etc/elasticsearch/certs/ca.pem

Failed to authenticate w/ Google Authenticator when configuring OpenVPN on OpenWRT

I'm quite new to OpenWRT and I'm facing some problems here.
I set up the OpenVPN server on Ubuntu using the OpenVPN Access Server web GUI, and correspondingly I got the client profile client.ovpn. I also enabled "Google Authenticator Multi-Factor Authentication". When I configured a client using client.ovpn, it worked perfectly on my phone and my other PC, but it just failed when I tried to start a client on OpenWRT on my router.
According to https://openvpn.net/vpn-server-resources/connecting-to-access-server-with-linux/, I used openvpn --config client.ovpn --auth-user-pass --auth-retry interact to start a connection, and I was prompted for a username and a password, which makes sense, but then I was never prompted for the authenticator code. Actually, when I looked at the response, it did ask me for a code, but I never had a place to enter it. Instead, it asked me to enter the username again, thus dropping into a loop. See below (the fourth line from the bottom):
root#OpenWrt:/etc/openvpn# openvpn --config client_gui.ovpn --auth-retry interact
Mon Mar 9 19:01:18 2020 Unrecognized option or missing or extra parameter(s) in client_gui.ovpn:124: static-challenge (2.4.7)
Mon Mar 9 19:01:18 2020 OpenVPN 2.4.7 mipsel-openwrt-linux-gnu [SSL (mbed TLS)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon Mar 9 19:01:18 2020 library versions: mbed TLS 2.16.3, LZO 2.10
Enter Auth Username:london
Enter Auth Password:
Mon Mar 9 19:01:24 2020 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Mon Mar 9 19:01:24 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Mar 9 19:01:24 2020 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Mar 9 19:01:24 2020 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Mar 9 19:01:24 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.8.222:1194
Mon Mar 9 19:01:24 2020 Socket Buffers: R=[163840->163840] S=[163840->163840]
Mon Mar 9 19:01:24 2020 UDP link local: (not bound)
Mon Mar 9 19:01:24 2020 UDP link remote: [AF_INET]192.168.8.222:1194
Mon Mar 9 19:01:24 2020 TLS: Initial packet from [AF_INET]192.168.8.222:1194, sid=fb509f08 f4ae8b1f
Mon Mar 9 19:01:24 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Mar 9 19:01:24 2020 VERIFY OK: depth=1, CN=OpenVPN CA
Mon Mar 9 19:01:24 2020 VERIFY OK: nsCertType=SERVER
Mon Mar 9 19:01:24 2020 VERIFY OK: depth=0, CN=OpenVPN Server
Mon Mar 9 19:01:24 2020 Control Channel: TLSv1.2, cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384, 2048 bit key
Mon Mar 9 19:01:24 2020 [OpenVPN Server] Peer Connection Initiated with [AF_INET]192.168.8.222:1194
Mon Mar 9 19:01:25 2020 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Mon Mar 9 19:01:25 2020 AUTH: Received control message: AUTH_FAILED,CRV1:R,E:PG_09HT0rZcjdFd6GnA:bG9uZG9u:Enter Authenticator Code
Mon Mar 9 19:01:25 2020 SIGUSR1[soft,auth-failure] received, process restarting
Mon Mar 9 19:01:25 2020 Restart pause, 5 second(s)
Enter Auth Username:
How can I solve this problem? Is there anything to be modified in client.ovpn? Thank you!
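The log line "AUTH: Received control message: AUTH_FAILED,CRV1:..." shows what is happening: the Access Server delivers the second-factor prompt as a CRV1 dynamic challenge wrapped in an AUTH_FAILED message, and the plain openvpn binary on the router treats it as an authentication failure and restarts (the SIGUSR1 line right after it), which produces the loop. The following Python is an added example, not code from the question or from OpenVPN; it decodes that message and builds the reply that OpenVPN's management interface notes specify for the CRV1 protocol (the client reconnects with the same username and the password field set to CRV1::<state_id>::<response>). The sample message is the one from the log; the authenticator code in the test is a constructed placeholder.

```python
import base64


def parse_crv1_challenge(control_message):
    """Decode a CRV1 dynamic challenge carried inside an AUTH_FAILED control message.

    Wire format (OpenVPN management-notes, challenge/response section):
        CRV1:<flags>:<state_id>:<base64(username)>:<challenge_text>
    flags: R = a response is required, E = echo the user's input while typing.
    Returns None for an ordinary AUTH_FAILED, i.e. genuinely rejected credentials.
    """
    payload = control_message.strip()
    if payload.startswith("AUTH_FAILED,"):
        payload = payload[len("AUTH_FAILED,"):]
    if not payload.startswith("CRV1:"):
        return None
    parts = payload.split(":", 4)          # the challenge text may itself contain ':'
    if len(parts) != 5:
        return None
    _, flags, state_id, user_b64, text = parts
    return {
        "flags": {f for f in flags.split(",") if f},
        "state_id": state_id,
        "username": base64.b64decode(user_b64).decode("utf-8"),
        "challenge": text,
    }


def needs_user_response(challenge):
    """True when the server expects the user to type something (flag R)."""
    return "R" in challenge["flags"]


def crv1_response(state_id, response_text):
    """Password value to send on the next connection attempt, together with the same username."""
    return f"CRV1::{state_id}::{response_text}"


def answer_challenge(control_message, response_text):
    """Return (username, password) for the follow-up attempt, or None if there is no challenge."""
    challenge = parse_crv1_challenge(control_message)
    if challenge is None:
        return None
    return challenge["username"], crv1_response(challenge["state_id"], response_text)
```

The state_id is only valid for the follow-up attempt the server is waiting for, so a client that restarts from scratch (as the log shows) loses it and starts the whole exchange again.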
In 18.04, create a file userpass in the same directory as client.ovpn.
userpass should contain 2 lines:
username on the first line
password on the second line
Save the file, open a new terminal, and execute the script.
openvpn --config client.ovpn --auth-user-pass userpass --auth-retry interact
In 16.04
Execute the following code
sudo -s
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg|apt-key add -
echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" > /etc/apt/sources.list.d/openvpn-aptrepo.list
apt-get update
apt-get dist-upgrade
Create a file userpass in the same directory as client.ovpn.
userpass should contain 2 lines:
username on the first line
password on the second line
Save the file, open a new terminal, and execute the script.
openvpn --config client.ovpn --auth-user-pass userpass --auth-retry interact

Email header: last 'received: from' header IP is 127.0.0.1

Have a question about the structure of email headers.
I've been analyzing spam sent through my Postfix MTA, and have noticed that a small amount (< 5%) have the localhost address 127.0.0.1 in the final 'Received: from' header.
The 2nd-to-last header shows the IP of the spam mail server.
I'm assuming that the spammer is relaying through an MTA on his local box to a remote server, and that's why the last Received header (which represents the first in the sending chain) is showing the localhost IP.
I have an example below of an actual header with my server's info changed for privacy (the spammer's is real).
I just wanted confirmation that my assumption is correct on this.
Return-Path: <ProsventUltraBlend#operantish.com>
Delivered-To: acme2#mx.acme.net
Received: from localhost (localhost [127.0.0.1])
by mx.acme.net (Postfix) with ESMTP id XXXXXXXXX
for <me#acme.net>; Thu, 30 Mar 2017 16:08:16 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mydomain = acme.com
Received: from mx.acme.net ([127.0.0.1])
by localhost (mx.acme.net [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id XXXXXXXX for <me#acme.net>;
Thu, 30 Mar 2017 16:08:15 -0400 (EDT)
Received: from layrbc.operantish.com (layrbc.operantish.com [66.118.137.94])
by mx.acme.net (Postfix) with ESMTP id 0A576D1FAE8
for <me#acme.net>; Thu, 30 Mar 2017 16:08:14 -0400 (EDT)
Received: from 025a1bf3.layrbc.operantish.com ([127.0.0.1]:19719 helo=layrbc.operantish.com)
by layrbc.operantish.com with ESMTP id 02DYCACOHN5A1BOPBVDGQKF3;
for <me#acme.net>; Thu, 30 Mar 2017 13:08:13 -0700
Date: Thu, 30 Mar 2017 13:08:13 -0700
I know hardly any more than Jon Snow, but I do know that 127.0.0.1 can appear in mail headers, i.e. when a spam filter takes the mail, checks it and sends it on its way.
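As an added example (not from either post), here is a small Python walk over the Received chain from the question. It parses the headers with the standard library, lists the hops oldest-first, tags each 'from' address as loopback, private or public, and picks the earliest globally routable hop, which is the first host a defender can attribute. The sample header block is taken from the question with '@' restored in the addresses and continuation lines indented so the parser folds them.

```python
import email
import ipaddress
import re

# Constructed from the header block in the question ('@' restored, continuation lines indented).
SAMPLE_HEADERS = """\
Return-Path: <ProsventUltraBlend@operantish.com>
Delivered-To: acme2@mx.acme.net
Received: from localhost (localhost [127.0.0.1])
    by mx.acme.net (Postfix) with ESMTP id XXXXXXXXX
    for <me@acme.net>; Thu, 30 Mar 2017 16:08:16 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mydomain = acme.com
Received: from mx.acme.net ([127.0.0.1])
    by localhost (mx.acme.net [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id XXXXXXXX for <me@acme.net>;
    Thu, 30 Mar 2017 16:08:15 -0400 (EDT)
Received: from layrbc.operantish.com (layrbc.operantish.com [66.118.137.94])
    by mx.acme.net (Postfix) with ESMTP id 0A576D1FAE8
    for <me@acme.net>; Thu, 30 Mar 2017 16:08:14 -0400 (EDT)
Received: from 025a1bf3.layrbc.operantish.com ([127.0.0.1]:19719 helo=layrbc.operantish.com)
    by layrbc.operantish.com with ESMTP id 02DYCACOHN5A1BOPBVDGQKF3;
    for <me@acme.net>; Thu, 30 Mar 2017 13:08:13 -0700
Date: Thu, 30 Mar 2017 13:08:13 -0700

"""

# "from <host> ... [<ipv4>] ... by <host>": the first bracketed address after 'from' is the peer
_HOP_RE = re.compile(
    r"from\s+(?P<host>\S+).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(?P<by>\S+)", re.S
)


def classify(ip):
    """Scope of the connecting address: loopback, private or public."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "loopback"
    if addr.is_private:
        return "private"
    return "public"


def relay_chain(raw_headers):
    """Return the Received hops oldest-first (headers are prepended, so reverse them)."""
    msg = email.message_from_string(raw_headers)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # unfold continuation lines
        m = _HOP_RE.search(flat)
        if not m:
            hops.append({"raw": flat, "ip": None, "scope": "unparsed"})
            continue
        hops.append({"from": m.group("host"), "ip": m.group("ip"),
                     "by": m.group("by"), "scope": classify(m.group("ip"))})
    return hops


def first_external_hop(raw_headers):
    """Earliest hop with a globally routable 'from' address.

    Loopback hops, whether a local MUA/relay on the sender's box or a content
    filter such as amavisd re-injecting on the receiving side, carry no
    attribution value and are skipped.
    """
    for hop in relay_chain(raw_headers):
        if hop["scope"] == "public":
            return hop
    return None
```

Only the hops added by your own servers can be trusted; everything below the hop your MX recorded was written by the sender and can be forged, so the public IP your own MX saw (66.118.137.94 here) is the one to act on.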

Live streaming on azure with FMLE

I am trying to stream to the new Azure live channel.
I have followed the guide on http://azure.microsoft.com/blog/2014/09/18/azure-media-services-rtmp-support-and-live-encoders/
this is my FMLE setup: http://i.stack.imgur.com/U8rlk.png
but for some reason I am getting disconnected by the Azure service. I am using Flash Media Live Encoder 3.2 and this is what the log looks like:
Thu Oct 09 2014 16:33:30 : Video Encoding Started
Thu Oct 09 2014 16:33:39 : Primary - Network Status: NetConnection.Connect.Closed status
Thu Oct 09 2014 16:33:45 : Primary - Disconnected
Thu Oct 09 2014 16:33:48 : Primary - Re-establishing connection, attempt 1
Thu Oct 09 2014 16:33:48 : Primary - Reconnected
Thu Oct 09 2014 16:33:48 : Primary - Network Command: onBWDone
Thu Oct 09 2014 16:33:48 : Primary - Stream[mystream9] Status: Success
Thu Oct 09 2014 16:33:48 : Primary - Stream[mystream9] Status: NetStream.Publish.Start
Thu Oct 09 2014 16:33:56 : Primary - Network Status: NetConnection.Connect.Closed status
Thu Oct 09 2014 16:33:58 : Video Encoding Stopped
Thu Oct 09 2014 16:33:58 : Session Stopped
Thu Oct 09 2014 16:34:01 : Primary - Disconnected
Thu Oct 09 2014 16:34:01 : Audio source does not support the selected sample rate and/or channels. Re-sampling the audio to desired setting.
Thu Oct 09 2014 16:34:02 : Primary - Re-establishing connection, attempt 1
Thu Oct 09 2014 16:34:02 : Primary - Reconnected
Thu Oct 09 2014 16:34:05 : Primary - Network Status: NetConnection.Connect.Closed status
Thu Oct 09 2014 16:34:05 : Primary - Disconnected
Edit:
Oh well, I decided not to go for Azure live streaming. The reasons are many. They let you only output to MPEG-DASH, which frankly is not ready for the world as of now. There are few players that support that out of the box. Because of the Smooth Streaming crap from Microsoft, we the encoders are forced into limiting our encoding options. A lot of encoding software today doesn't have all the options that are required to stream, such as frame alignment, grouping of pictures etc. It's kinda sad that I can stream with h264 but not x264, which is open source and better.

Pass private key password to openvpn command directly in Ubuntu 10.10 [closed]

I tried the method with different parameters.
I have a password.
Below, the password is mypassword.
1)
root$ echo mypassword || openvpn client.conf.ovpn
the result displayed was:
mypassword
2)
root$ openvpn client.warriors.conf.ovpn || echo mypassword
the result displayed was:
Thu Jun 28 00:00:00 2012 us=757575 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Enter Private Key Password:
(still need to enter the password manually)
I don't want to have to enter the password manually. How can I achieve this?
3)
DUDE
After running the script it exits with the following:
Fri Jun 29 11:56:59 2012 us=707916 cf_max = 0
Fri Jun 29 11:56:59 2012 us=707925 cf_per = 0
Fri Jun 29 11:56:59 2012 us=707934 max_clients = 1024
Fri Jun 29 11:56:59 2012 us=707944 max_routes_per_client = 256
Fri Jun 29 11:56:59 2012 us=707953 auth_user_pass_verify_script = '[UNDEF]'
Fri Jun 29 11:56:59 2012 us=707963 auth_user_pass_verify_script_via_file = DISABLED
Fri Jun 29 11:56:59 2012 us=707973 ssl_flags = 0
Fri Jun 29 11:56:59 2012 us=707982 port_share_host = '[UNDEF]'
Fri Jun 29 11:56:59 2012 us=707992 port_share_port = 0
Fri Jun 29 11:56:59 2012 us=708001 client = ENABLED
Fri Jun 29 11:56:59 2012 us=708010 pull = ENABLED
Fri Jun 29 11:56:59 2012 us=708020 auth_user_pass_file = '[UNDEF]'
Fri Jun 29 11:56:59 2012 us=708032 OpenVPN 2.1.0 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 12 2010
Fri Jun 29 11:56:59 2012 us=708131 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Enter Private Key Password:
Fri Jun 29 11:56:59 2012 us=726649 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Jun 29 11:56:59 2012 us=726805 WARNING: file 'client-team-20110222.key' is group or others accessible
Fri Jun 29 11:56:59 2012 us=727136 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Fri Jun 29 11:56:59 2012 us=875611 Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
Fri Jun 29 11:56:59 2012 us=876742 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Fri Jun 29 11:56:59 2012 us=876777 Local Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Fri Jun 29 11:56:59 2012 us=876788 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Fri Jun 29 11:56:59 2012 us=876810 Local Options hash (VER=V4): 'd902a8f8'
Fri Jun 29 11:56:59 2012 us=876825 Expected Remote Options hash (VER=V4): '7e078940'
Fri Jun 29 11:56:59 2012 us=877124 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Fri Jun 29 11:56:59 2012 us=877145 Attempting to establish TCP connection with [AF_INET]89.105.130.193:444 [nonblock]
Fri Jun 29 11:57:00 2012 us=877280 TCP connection established with [AF_INET]89.105.130.193:444
Fri Jun 29 11:57:00 2012 us=877337 Socket Buffers: R=[87380->131072] S=[16384->131072]
Fri Jun 29 11:57:00 2012 us=877353 TCPv4_CLIENT link local: [undef]
Fri Jun 29 11:57:00 2012 us=877364 TCPv4_CLIENT link remote: [AF_INET]89.105.130.193:444
Fri Jun 29 11:57:00 2012 us=877568 TLS: Initial packet from [AF_INET]89.105.130.193:444, sid=c5d843bc e9f3e6ab
Fri Jun 29 11:57:04 2012 us=105788 VERIFY OK: depth=1, /C=IE/ST=NA/L=DUB/O=ABC.OpenVPN/OU=server-terminus/CN=terminus/emailAddress=ops#abc.com
Fri Jun 29 11:57:04 2012 us=106189 VERIFY OK: nsCertType=SERVER
Fri Jun 29 11:57:04 2012 us=106202 VERIFY OK: depth=0, /C=IE/ST=NA/O=abc.OpenVPN/OU=server-terminus/CN=terminus/emailAddress=ops#abc.com
root#bond$
Is it normal for it to exit this way?
In my openvpn.conf:
...
askpass /etc/openvpn/jdoe.pass <<< new line here
ca /etc/openvpn/jdoe_ca.crt
cert /etc/openvpn/jdoe.crt
key /etc/openvpn/jdoe.key
...
The file /etc/openvpn/jdoe.pass just contains the password.
You can chmod this file to 600.
This method saved my life... ;-)
Ubuntu 12.04.4 LTS
OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Mar 13 2014
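The askpass file in this answer holds the private-key passphrase in clear, so its permissions matter; the log in the question already shows OpenVPN warning that a key file is "group or others accessible". As an added example (not from the answer or from OpenVPN), the following Python creates such a file so that it is never readable by anyone else, even for an instant, and applies the same mode check OpenVPN does. The file names and the password value are constructed; self_check runs everything in a throw-away directory.

```python
import os
import stat
import tempfile


def write_secret_file(path, secret):
    """Create `path` with mode 0600 and write the secret into it.

    O_EXCL refuses to reuse an existing file or follow a pre-existing symlink,
    and the mode is fixed before any byte is written, so there is no window in
    which the passphrase is group- or world-readable.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.fchmod(fd, 0o600)                # defeat a permissive umask
        os.write(fd, (secret + "\n").encode("utf-8"))
    finally:
        os.close(fd)
    return path


def check_secret_file(path):
    """Mirror OpenVPN's 'group or others accessible' warning: return (ok, reason)."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False, "missing"
    if stat.S_ISLNK(st.st_mode):
        return False, "symlink"
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        return False, "group or others accessible (mode %o)" % mode
    return True, "ok"


def self_check():
    """Exercise both helpers in a temporary directory and return what was observed."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = write_secret_file(os.path.join(d, "jdoe.pass"), "hypothetical-password")
        results["good"] = check_secret_file(good)
        loose = os.path.join(d, "loose.key")    # the situation OpenVPN warns about
        with open(loose, "w") as f:
            f.write("not really a key\n")
        os.chmod(loose, 0o644)
        results["loose"] = check_secret_file(loose)
        results["missing"] = check_secret_file(os.path.join(d, "nope"))
        try:
            write_secret_file(good, "again")    # must not silently overwrite
            results["overwrite"] = "allowed"
        except FileExistsError:
            results["overwrite"] = "refused"
    return results


if __name__ == "__main__":
    print(self_check())
```

A passphrase file only moves the secret from the keyboard to the disk, so the file, the key it unlocks and the config that names it should all live in a directory that the OpenVPN user alone can read.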
How about storing it in a file and using --askpass /your/file? The --askpass option was added in OpenVPN version 2.0-beta20; Maverick has version 2.1.0-3ubuntu1.
Try a shell script such as:
#!/usr/bin/expect -f
# Start the client with the profile from the question (.ovpn, not .open)
spawn openvpn client.warriors.conf.ovpn
match_max 100000
# Wait for the "Enter Private Key Password:" prompt, then type the password
expect "*?assword:*"
send -- "mypassword"
send -- "\r"
# Stay attached until openvpn exits
expect eof
You'll need to chmod +x this; you can also set it as an environment variable so you don't have to type out the directory.
Looks like they got this script to work: https://unix.stackexchange.com/questions/9055/establish-openvpn-tunnel-in-bash-script
I think you just swapped the | and || operators.
| plugs the standard output of the previous command into the standard input of the next command.
|| launches the second command only if the first command fails (exit code != 0).
This command should work.
root$ echo mypassword | openvpn client.conf.ovpn
