Friday, November 19, 2010

SSL Debugging - Part - II - Intercepting traffic between WSO2 Carbon FE and BE

All WSO2 products are based on WSO2 Carbon, which sits as the core for all of them.

We do have a clear Front-End [FE], Back-End [BE] separation - where the FE web application talks to the BE, via web service calls.

This benefits end users, who get the flexibility to develop their own clients for the corresponding back-end functionality in a language-independent manner.

All UI components you see in the default distribution talk to the BE services via SOAP over HTTPS.

When digging into an issue, the fact that this traffic runs over HTTPS makes it hard to intercept the communication channel and figure out exactly which messages are being passed from FE to BE.

This is how you can do it - to intercept messages flowing over SSL.

Prerequisites:
1. ssldump
2. The private key of WSO2 Carbon, in PEM format - you can download it from here.

Run the following command from where you have the private key, and start any WSO2 Carbon based product - say on HTTPS port 9443

:\> sudo ssldump -Ad -k wso2carbon.pem -p wso2carbon -i lo0 host localhost and port 9443

Make sure to set the correct interface for your system (here, -i lo0), and start ssldump before you start the server.

Now you can track all the messages between FE and BE in clear text.
1 8 0.0621 (0.0007) C>SV3.1(203) application_data
---------------------------------------------------------------
POST /services/AuthenticationAdmin HTTP/1.1
Content-Type: application/soap+xml; charset=UTF-8; action="urn:login"
User-Agent: Axis2
Host: localhost:9443
Transfer-Encoding: chunked

---------------------------------------------------------------
1 9 0.0626 (0.0005) C>SV3.1(399) application_data
---------------------------------------------------------------
173
    <?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
 <soapenv:Body>
  <ns1:login xmlns:ns1="http://authentication.services.core.carbon.wso2.org">
   <ns1:username>admin</ns1:username>
   <ns1:password>admin</ns1:password>
   <ns1:remoteAddress>0:0:0:0:0:0:0:1%0</ns1:remoteAddress>
  </ns1:login>
 </soapenv:Body>
</soapenv:Envelope>
0

---------------------------------------------------------------
1 10 0.2071 (0.1445) S>CV3.1(544) application_data
---------------------------------------------------------------
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=37FC902E5E7C6C0D081E28B4DF067A76; Path=/; Secure
Content-Type: application/soap+xml;charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 19 Nov 2010 02:44:26 GMT

11f
    <?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
 <soapenv:Body>
  <ns:loginResponse
   xmlns:ns="http://authentication.services.core.carbon.wso2.org">
   <ns:return>true</ns:return>
  </ns:loginResponse>
 </soapenv:Body>
</soapenv:Envelope>
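
The trace above carries the admin password and the session cookie in clear text, so it is worth masking them before attaching the output to a bug report. The following is an added example, not part of the original post: the function names and the list of masked fields are assumptions, and the parser only recognises record headers of the shape shown in the trace above.

```python
import re

# ssldump record header, e.g. "1 8 0.0621 (0.0007) C>SV3.1(203) application_data"
HEADER = re.compile(r"^(\d+) (\d+)\s+[\d.]+ \([\d.]+\)\s+([CS]>[CS])\s*V[\d.]+\(\d+\)\s+(\w+)\s*$")
SEPARATOR = re.compile(r"^-{10,}\s*$")
ACTION = re.compile(r'action="([^"]+)"')
# Values masked before the trace is shared (assumed list; extend for your services)
SECRETS = [
    (re.compile(r"(<(?:\w+:)?password>)[^<]*(</)"), r"\1[REDACTED]\2"),
    (re.compile(r"(JSESSIONID=)[0-9A-Fa-f]+"), r"\1[REDACTED]"),
]

def parse_records(dump_text):
    """Split `ssldump -Ad` output into records: connection, number, direction, payload."""
    records = []
    for line in dump_text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"conn": int(m[1]), "rec": int(m[2]), "dir": m[3],
                            "type": m[4], "payload": []})
        elif records and not SEPARATOR.match(line):
            records[-1]["payload"].append(line)
    return records

def redact_trace(dump_text):
    """Return (record number, direction, SOAP action or None, redacted payload) tuples."""
    out = []
    for r in parse_records(dump_text):
        body = "\n".join(r["payload"]).strip()
        action = ACTION.search(body)
        for pattern, repl in SECRETS:
            body = pattern.sub(repl, body)
        out.append((r["rec"], r["dir"], action.group(1) if action else None, body))
    return out

# Constructed sample, abridged from the trace shown in the post
SAMPLE = """\
1 8 0.0621 (0.0007) C>SV3.1(203) application_data
---------------------------------------------------------------
Content-Type: application/soap+xml; charset=UTF-8; action="urn:login"
---------------------------------------------------------------
1 9 0.0626 (0.0005) C>SV3.1(399) application_data
---------------------------------------------------------------
<ns1:password>admin</ns1:password>
---------------------------------------------------------------
1 10 0.2071 (0.1445) S>CV3.1(544) application_data
---------------------------------------------------------------
Set-Cookie: JSESSIONID=37FC902E5E7C6C0D081E28B4DF067A76; Path=/; Secure
"""
if __name__ == "__main__": print(*redact_trace(SAMPLE), sep="\n")
```
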

2 comments:

Hasini said...

Thanks a lot Prabath aiya for sharing these debugging tips, which were very helpful...

I would like to add a note on what I encountered while debugging with ssldump:

It printed the output of traffic between FE and BE until login to the carbon server (IS in this case) completes.
But when I tried to perform some actions after login to IS, ssldump terminated with 'ERROR: Length mismatch' in which case I could not capture the soap message that I wanted to monitor.

Following is how I could overcome it:
1. capturing the packets into a file using tcpdump (which is installed when ssldump is installed), with the following command:
sudo tcpdump -i lo host localhost and port 9443 -w file.capp -s 0

2. reading the above file using ssldump with the command:
sudo ssldump -Ad -k wso2carbon.pem -p wso2carbon -r file.capp

In that way I could analyze all the soap messages passed between FE and BE without ssldump being terminated with above error.

Just thought of adding it here hoping it would be helpful if someone encounters the same problem that I did.
Please correct if I have missed anything..
Thanks..
Hasini.

Prabath said...

Thanks a lot Hasini for sharing...