Implementing a Data Diode with WSO2 ESB

A data diode is an integration pattern that enforces unidirectional data flow between networks. It is useful for enterprises that need to connect networks with different security levels: data is allowed to flow only from the low side (the low-security network) to the high side (the high-security network), never back. In most deployments this is enforced at the network level, but when it also has to be controlled at the data layer this EIP pattern can be used. Let's look at the image below.

[Figure: Diode]

As the diagram shows, a WSO2 ESB sits on each side of the boundary. The ESB in the unsecured network connects to the applications in that network and to the ESB in the secure network; that link is encrypted (and integrity and non-repudiation can be added if required) using WS-Security.

The ESB in the secure network has all of its outbound transport senders removed except the JMS (and local) transports, so it can receive messages from the unsecured network but can only send messages to a pre-designated message queue. Because the JMS sender is the one outbound path left, the broker it connects to must itself sit in the secure network, and the endpoint address must be fixed in the ESB configuration rather than derived from incoming messages.

Consumers of this data listen on the queue and pull messages as they arrive.

Setting up the ESB for this pattern requires the following steps.

  1. Remove or disable all outgoing transports except the JMS and local transports, by removing every other transportSender entry from the following configuration file:
<>\repository\conf\axis2\axis2.xml

After this, the transportSender section of the configuration file should contain only the two senders below.

<transportSender name="local" class="org.wso2.carbon.core.transports.local.CarbonLocalTransportSender"/>
<transportSender name="jms" class="org.apache.axis2.transport.jms.JMSSender"/>
  2. Configure a message queue; a JMS or AMQP based queue can be used. Instructions on configuring the ESB to publish to a queue can be found at the following link:

https://docs.wso2.com/display/ESB481/ESB+as+a+JMS+Producer

  3. Create a proxy service as given below.

  4. Finally, secure the proxy service. The following page describes how to secure a proxy service in WSO2 ESB:

https://docs.wso2.com/display/ESB481/Securing+Proxy+Services
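The script below is an added example and not code from the original post. It does two things a practitioner would want after steps 1 and 3: it checks that an axis2.xml declares no transportSender other than local and jms (the step-1 lock-down), and it writes a one-way DiodeProxy artifact that hands each request to a JMS endpoint and returns nothing to the caller, standing in for the proxy definition the post refers to but does not show. ESB_HOME, the queue name DiodeQueue, the ActiveMQ JNDI settings and the broker address broker.high.example are my assumptions, and the two axis2.xml fragments are constructed samples so the script runs without an ESB install.

```shell
#!/bin/sh
# Added example, not from the original post. ESB_HOME, the queue name DiodeQueue,
# the ActiveMQ JNDI settings and the broker address are assumptions for illustration.

# Print the name of every transportSender declared in an axis2.xml, one per line.
# Note: a sender that is merely commented out still matches, so the check below
# fails closed; delete unwanted senders rather than commenting them out.
transport_senders() {
  grep -o '<transportSender name="[^"]*"' "$1" | sed 's/.*name="\([^"]*\)"/\1/'
}

# Return 0 when only the allowed senders (local, jms) are declared, 1 otherwise.
check_transport_senders() {
  bad=$(transport_senders "$1" | grep -v -x -e local -e jms || true)
  if [ -n "$bad" ]; then
    printf 'disallowed transportSender(s) in %s: %s\n' "$1" "$(echo "$bad" | tr '\n' ' ')" >&2
    return 1
  fi
  return 0
}

# Write a one-way proxy: the request is handed to the JMS endpoint and the caller
# gets an HTTP 202 with no payload (OUT_ONLY + FORCE_SC_ACCEPTED), so nothing flows back.
write_diode_proxy() {
  cat > "$1" <<EOF
<proxy xmlns="http://ws.apache.org/ns/synapse" name="DiodeProxy" transports="https" startOnLoad="true">
  <target>
    <inSequence>
      <property name="OUT_ONLY" value="true"/>
      <property name="FORCE_SC_ACCEPTED" value="true" scope="axis2"/>
      <send>
        <endpoint>
          <address uri="$2"/>
        </endpoint>
      </send>
    </inSequence>
  </target>
</proxy>
EOF
}

# JMS endpoint URL (assumed ActiveMQ broker on the high side). '&amp;' is the
# XML-escaped parameter separator inside the address attribute.
DIODE_JMS_URL='jms:/DiodeQueue?transport.jms.ConnectionFactoryJNDIName=QueueConnectionFactory&amp;java.naming.factory.initial=org.apache.activemq.jndi.ActiveMQInitialContextFactory&amp;java.naming.provider.url=tcp://broker.high.example:61616&amp;transport.jms.DestinationType=queue'

# Constructed sample inputs so this runs without an ESB install.
WORK=$(mktemp -d)
cat > "$WORK/axis2-locked.xml" <<'EOF'
<axisconfig>
  <transportSender name="local" class="org.wso2.carbon.core.transports.local.CarbonLocalTransportSender"/>
  <transportSender name="jms" class="org.apache.axis2.transport.jms.JMSSender"/>
</axisconfig>
EOF
cat > "$WORK/axis2-default.xml" <<'EOF'
<axisconfig>
  <transportSender name="local" class="org.wso2.carbon.core.transports.local.CarbonLocalTransportSender"/>
  <transportSender name="jms" class="org.apache.axis2.transport.jms.JMSSender"/>
  <transportSender name="http" class="org.apache.synapse.transport.passthru.PassThroughHttpSender"/>
  <transportSender name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLSender"/>
</axisconfig>
EOF

for f in axis2-locked.xml axis2-default.xml; do
  if check_transport_senders "$WORK/$f"; then echo "$f: outbound locked down"; else echo "$f: NOT a diode"; fi
done
write_diode_proxy "$WORK/DiodeProxy.xml" "$DIODE_JMS_URL"
# On a real install the artifact goes to:
# $ESB_HOME/repository/deployment/server/synapse-configs/default/proxy-services/DiodeProxy.xml
```

Run the check against the real ESB_HOME/repository/conf/axis2/axis2.xml on the secure-side ESB after editing it; the locked-down sample passes and the stock one is rejected for its http and https senders. The broker URL is the one outbound network path that survives the lock-down, so it must point into the secure network and should not be overridable by anything in an incoming message.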

You can now invoke the DiodeProxy from the unsecured network and observe that no response comes back. Even if a new proxy service were created in the secured ESB and tried to call out, the call would fail, because every transport sender except JMS and local has been removed from that ESB.

Creating your own profile in the API Manager

API Manager ships with the ability to start the product in a specific profile (for example a Gateway profile or a Key Manager profile). When it is started in a profile, only the features specific to that profile plus the features common to all profiles are started. For example, starting the API Manager with the Key Manager profile starts only the features the key manager server needs and the set of features common to all profiles.

The feature bundling capability is provided by the underlying OSGi architecture of the WSO2 API Manager. The API Manager currently ships with a number of server profiles, documented at the following URL [1]. This post looks at how to create your own profile within the API Manager.

The bundles that make up a given API Manager profile are listed in the following location (one directory per profile name):

\repository\components\\configuration\org.eclipse.equinox.simpleconfigurator\bundles.info

The bundles.info file lists the OSGi bundles that are started with the given profile.

Let's create a new profile called 'api-km-pub', which lets the API Manager work as both a Key Manager and a Publisher. For this profile I will merge the bundles.info files of the existing 'api-key-manager' and 'api-publisher' profiles. The merged bundles.info file should be placed in the directory structure below:

\repository\components\api-km-pub\configuration\org.eclipse.equinox.simpleconfigurator\bundles.info

You can now start the API Manager server with the newly created profile by executing the following command

/bin/wso2server.sh -Dprofile=api-km-pub
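The script below is an added example and not code from the original post. It carries out the procedure above end to end: it merges the bundles.info files of two existing profiles into a new profile directory, keeping the header comment lines and the union of bundle entries without duplicates, and reports how many bundles the new profile will start. APIM_HOME and the profile names api-key-manager and api-publisher are assumptions, and the bundle entries are constructed miniature files so the script runs without an API Manager install.

```shell
#!/bin/sh
# Added example, not from the original post. APIM_HOME and the profile names
# api-key-manager / api-publisher are assumptions; the bundle entries are constructed.

BUNDLES_REL="configuration/org.eclipse.equinox.simpleconfigurator/bundles.info"

# Merge two bundles.info files: header comment lines from the first file, then the
# union of bundle entries without duplicates. Entries are compared as whole lines, so
# the same bundle at two different versions is kept twice; inspect such pairs by hand.
merge_bundles_info() {
  {
    grep '^#' "$1" || true
    cat "$1" "$2" | grep -v '^#' | grep -v '^[[:space:]]*$' | sort -u
  } > "$3"
}

# Create <home>/repository/components/<new>/.../bundles.info from two existing profiles.
create_profile() {
  home="$1"; new="$2"; p1="$3"; p2="$4"
  mkdir -p "$home/repository/components/$new/configuration/org.eclipse.equinox.simpleconfigurator"
  merge_bundles_info "$home/repository/components/$p1/$BUNDLES_REL" \
                     "$home/repository/components/$p2/$BUNDLES_REL" \
                     "$home/repository/components/$new/$BUNDLES_REL"
}

# Number of bundle entries (non-comment lines) in a bundles.info.
count_bundles() { grep -c '^[^#]' "$1"; }

# Constructed miniature profiles so this runs without an API Manager install.
WORK=$(mktemp -d)
for p in api-key-manager api-publisher; do
  mkdir -p "$WORK/repository/components/$p/configuration/org.eclipse.equinox.simpleconfigurator"
done
cat > "$WORK/repository/components/api-key-manager/$BUNDLES_REL" <<'EOF'
#encoding=UTF-8
#version=1
org.wso2.carbon.core,4.2.0,../plugins/org.wso2.carbon.core_4.2.0.jar,4,true
org.wso2.carbon.identity.oauth,4.2.3,../plugins/org.wso2.carbon.identity.oauth_4.2.3.jar,4,true
org.wso2.carbon.apimgt.keymgt,1.2.2,../plugins/org.wso2.carbon.apimgt.keymgt_1.2.2.jar,4,true
EOF
cat > "$WORK/repository/components/api-publisher/$BUNDLES_REL" <<'EOF'
#encoding=UTF-8
#version=1
org.wso2.carbon.core,4.2.0,../plugins/org.wso2.carbon.core_4.2.0.jar,4,true
org.wso2.carbon.apimgt.impl,1.2.2,../plugins/org.wso2.carbon.apimgt.impl_1.2.2.jar,4,true
EOF

create_profile "$WORK" api-km-pub api-key-manager api-publisher
MERGED="$WORK/repository/components/api-km-pub/$BUNDLES_REL"
echo "api-km-pub: $(count_bundles "$MERGED") bundles"
# On a real install, point WORK at APIM_HOME and then start with:
#   $APIM_HOME/bin/wso2server.sh -Dprofile=api-km-pub
```

With the constructed inputs the shared org.wso2.carbon.core entry appears once in the merged file and the profile starts four bundles. Merging only lists bundles; it does not check that the two feature sets are compatible, so start the server with the new profile and read the startup log for unresolved or conflicting bundles before relying on it.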

[1] https://docs.wso2.com/display/AM180/Product+Profiles