Is there a way to disable SSL verification on wso2 api manager gateway while calling backend api - wso2

I am getting SSL errors whenever SSL certificates on backend are updated. Is there a way to disable the SSL verification in wso2 api manager gateway?

It is not recommended to disable SSL verification for an HTTPS endpoint. It is mandatory to import the backend certificate to the client-truststore file. It is better to use an HTTP endpoint instead of an HTTPS endpoint in these kinds of scenarios.
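A pre-rotation check for the import step in the answer above, as an added example that is not part of the original thread: it compares SHA-256 fingerprints of the chain the backend will present against a PEM export of the gateway trust store, and reports whether trust rests on the leaf (which breaks at every renewal) or on its issuer. The PEM inputs are constructed placeholders rather than real certificates, and exporting the trust store to PEM (for example with `keytool -list -rfc`) is an assumption.

```python
import hashlib
import re
import ssl
from typing import List, Optional

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)


def fingerprints(pem_bundle: str) -> List[str]:
    """SHA-256 fingerprint of every certificate in a PEM bundle, in order."""
    return [
        hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
        for block in PEM_RE.findall(pem_bundle)
    ]


def trust_anchor_index(chain_pem: str, truststore_pem: str) -> Optional[int]:
    """Position (0 = leaf) of the first presented certificate that is also in
    the trust store export, or None. Fingerprint match only: signatures,
    validity dates and hostnames are still checked by the TLS stack."""
    trusted = set(fingerprints(truststore_pem))
    for i, fp in enumerate(fingerprints(chain_pem)):
        if fp in trusted:
            return i
    return None


def rotation_report(chain_pem: str, truststore_pem: str) -> str:
    idx = trust_anchor_index(chain_pem, truststore_pem)
    if idx is None:
        return "UNTRUSTED: import the new certificate or its issuer first"
    if idx == 0:
        return "PINNED-LEAF: trusted now; the next renewal needs another import"
    return "CA-ANCHORED: renewals under this issuer need no new import"


def _pem(placeholder: bytes) -> str:
    # Constructed stand-in: placeholder bytes in a PEM wrapper, not a real cert.
    return ssl.DER_cert_to_PEM_cert(placeholder)


OLD_LEAF, NEW_LEAF, ISSUER = (_pem(b) for b in (b"old-leaf", b"new-leaf", b"issuer-ca"))
NEW_CHAIN = NEW_LEAF + ISSUER  # what the backend presents after the update

if __name__ == "__main__":
    for name, store in [("old leaf only", OLD_LEAF), ("issuer CA", ISSUER)]:
        print(f"trust store holds {name}: {rotation_report(NEW_CHAIN, store)}")
```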

Related

AWS API Gateway MTLS

I have a problem with the implementation of an API Gateway on AWS with Mutual TLS authentication.
I have a custom domain attached to the API Gateway; the instance is configured with load balancer nginx.
Custom domain ex: app.sandbox.domain.com
Mutual TLS functions on the custom domain,
but when I go through the environment URL
(environment URL ex: http://app-sandbox.us-east-1.elasticbeanstalk.com/)
mutual TLS authentication does not apply.
You should disable the default endpoint on the API GW - only if it's an HTTP API. This will force mTLS for requests to the endpoint.

WSO2 APIM - SSL certificate

Using WSO2 APIM 2.6.0, it seems the primary keystore certificate is used for multiple purposes:
service (nio-https) SSL - that can be easily changed
signing a JWT token to the API Gateway backend service
thrift SSL endpoint for the Traffic Manager (port 9711)
The issue I have is that in a distributed setup a separate gateway should reach the TM endpoint and the hostname needs to be trusted. So - in theory I can create a self-signed certificate with a new hostname, however a new keypair/certificate will break existing backend validating the JWT token.
In theory I may just create a different self-signed certificate with the same public key, but it may be more complex to manage in the long run (I don't want to promote this practice).
Question: Is there a way to configure either the JWT signing certificate or the thrift SSL certificate separately? Or disable hostname validation for the throttling service (port 9711)?
(I'm not sure we want to allow disabling the hostname validation globally)
Since you have a distributed setup, this can be achieved easily.
You need to change the certificate in the gateways so that they use that keystore for the TM connection.
Keep the KM keystore as it is so that JWT is signed using the same old keystore.

Calling a HTTPS secure REST service using a REST Endpoint in BPM

I can make an HTTP REST call inside a BPM Process. How do I do a secure HTTPS call? In Oracle I have to add the certificate to a wallet and then make the call. So how do you do that in WSO2, as it fails if I change the URL from HTTP to HTTPS?
You have to import the certificates to client-truststore as in this documentation.

AWS API Gateway and AWS Lambda - handling client certificate

I am looking to build an API orchestration layer using API Gateway and Lambda.
For my basic use case I want to have a Python script in Lambda that will just relay the request received at the API Gateway from the client (mobile app in this case) and call an external HTTPS service as the backend.
My question is:
Our mobile client uses client certificates to talk to our HTTPS endpoint today.
How do I go about intercepting that client certificate in my new API Gateway + Lambda setup?
Responded here. Copying the answer below for StackOverflow audience-
===
Unfortunately, API Gateway does not support client certificate validation from clients to API Gateway at the moment. We do, however, support client side SSL certificates for authentication by the backends.
Depending on your use-case, you can use various other options in API Gateway to authenticate/authorize your calls from the mobile client, e.g. API Keys, Custom Authorizers etc. The request from API Gateway to Lambda should already be encrypted.
Hope that helps,
Ritisha.

SSL Client Certificate Amazon API Gateway

I am not sure how client-side SSL certificates work. Please clarify the behavior in the following scenario.
In the case of Amazon API coupled with client-side AWS-generated SSL certificates,
I wish to know whether these certificates are added by API Gateway on invocation of APIs or whether the client who is consuming these APIs needs to add them.
API Gateway adds the certificate to the request. Your server would then check the certificate attached to the request to verify that the request came from API Gateway.