AWS API Gateway Mutual TLS certificate selection notification not shown in browser

How can I get a URL exposed through AWS API Gateway to trigger the notification popup for certificate selection in the browser?
I have an API Gateway that (I hope) has been correctly configured to use mutual TLS authentication. For example, unless I provide the client certificate, a curl request fails. But, when I try to open a URL directly in Firefox, I only get a blocked request in the developer tools' console, rather than a popup asking me to select a certificate to use.

I have found that Firefox does not offer the option to import a certificate if there are none already imported. But, after importing it and reloading the URL, it gives the option to select the client certificate I want to use.

Related

Postman: calling API that requires client certificate always throws 403 Forbidden

I have my API running under IIS 10. I have applied the server certificate to the site. In IIS I have also enabled SSL and I am requiring a client certificate.
The certificate has the full chain with password. In my postman request I am attaching the same certificate to my request but it always comes back 403 forbidden. If I remove the requirement for client certificate on IIS then postman request hits the API.
What am I missing? Additional folder permissions?
I already have IUSR, IIS_IUSR & the app pool
Or do I need to add something to web.config?
Thanks for looking

AWS API Gateway gives 'More than one client certificate passed' error

I have set up Mutual TLS authentication for my API Gateway.
I then placed my client certificate in the truststore. The file contains the client certificate, intermediate and root certificates (private CA).
When accessing the API Gateway with a browser (Chrome on Windows), browser asks me to provide client certificate. I select the same certificate as I have placed in the trust store.
API Gateway reports the following in the browser:
{"message":"Invalid client certificate chain. More than one client certificate passed"}
UPDATE: I have also tried placing only intermediate and root certs in the trust store. Same error.
UPDATE 2: The same error is also reported when accessing the API with C# code (WebClient) loading the cert from Windows cert store or from disc (pfx file).
If your trust store doesn't contain all the intermediate CA certs, then the client has to send a multi-cert chain. The TLS handshake will work fine, but somewhere there is an explicit check that disallows multi-cert chains. The status code is 400, not 403(!), and you get the "More than one client certificate passed" error.
However, if you're willing to put all the intermediate CA in the API gateway trust store, then the server should not ask the client to send intermediate certs. The client should only send one cert in this case, and API gateway should work.
So something is going wrong when API gateway matches the initial client cert against the trust store, and it's not finding the intermediate. I would check these things:
Make sure you use a specific version ID with the S3 link to the trust store. Otherwise it's hard to tell which version it's actually using, because the API gateway will not automatically pick up a new version as soon as you add one to S3. Maybe you're not using the trust store you think you are.
Your trust store should only include CA certs -- the root cert and intermediates. You said you put the client cert in there, so maybe that's causing an issue. Try taking it out.
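An added check for the two points above (not from the answer, AWS, or the question's own setup): a POSIX shell script that lists every certificate in a PEM trust-store bundle with its subject and issuer, so a missing intermediate is visible, and flags any entry that is not a CA certificate (no basicConstraints CA:TRUE), which is exactly the client-certificate-in-the-truststore mistake described. It assumes openssl and awk are on PATH; the function names are mine, and make_test_bundle only builds a throwaway CA and client cert as constructed sample input.

```shell
#!/bin/sh
# check_truststore BUNDLE: print subject/issuer of every cert in a PEM bundle and flag
# entries without "basicConstraints CA:TRUE" as LEAF (API Gateway's truststore should
# hold CA certs only). Returns the number of non-CA entries. Requires openssl and awk.
check_truststore() {
    bundle="$1"
    dir=$(mktemp -d) || return 99
    # One file per certificate: cert1.pem, cert2.pem, ...
    awk -v dir="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ }
                       n > 0 { print > (dir "/cert" n ".pem") }' "$bundle"
    leaf=0
    for f in "$dir"/cert*.pem; do
        [ -f "$f" ] || continue
        subject=$(openssl x509 -in "$f" -noout -subject)
        issuer=$(openssl x509 -in "$f" -noout -issuer)
        # The CA flag is on the line after "X509v3 Basic Constraints" in -text output.
        if openssl x509 -in "$f" -noout -text | awk '/Basic Constraints/ { getline; print }' |
                grep -q 'CA:TRUE'; then
            printf 'CA   %s | %s\n' "$subject" "$issuer"
        else
            printf 'LEAF %s  <- not a CA; remove it from the trust store\n' "$subject"
            leaf=$((leaf + 1))
        fi
    done
    rm -rf "$dir"
    return $leaf
}

# make_test_bundle DIR: constructed sample input (throwaway root CA plus a client cert it
# signs, concatenated the way the question describes). Prints the bundle path.
make_test_bundle() {
    d="$1"
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\n' > "$d/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/ca.csr" -signkey "$d/ca.key" \
        -extfile "$d/ca.ext" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example client" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/leaf.ext" -out "$d/client.pem" 2>/dev/null
    cat "$d/ca.pem" "$d/client.pem" > "$d/truststore.pem"
    echo "$d/truststore.pem"
}

demo=$(mktemp -d); bad=0
check_truststore "$(make_test_bundle "$demo")" || bad=$?
echo "non-CA entries in bundle: $bad"
rm -rf "$demo"
```

Run it against the bundle you actually uploaded to S3 (download the exact version ID API Gateway references) rather than the local copy you think is there.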

error while invoking api from api console in store

I am using wso2 api manager 2.6.0. I have created a prototyped api. When I try to invoke the api from the store api console, I get an error
TypeError: Failed to fetch
When I take the curl command from the api console and execute it from command prompt on the same server where wso2 api manager is installed I get the expected response.
As it is a GET method, if I take the url and execute it in a chrome browser, it takes me to the management console page. When I sign in to the management console page, the browser displays Error 405 - Method Not Allowed
When I trigger the endpoint from postman, it returns an html page which is the same management console page.
I have checked that the host and port for the gatewayendpoint and OAuthConfigurations/revokeapiurl are same and the host is whitelisted in the store site.json.
Any idea what is wrong or how I can debug it?
Usually TypeError: Failed to fetch comes because of the self-signed certificate which comes by default with the server. If that is the case, accepting the security certificate from the browser should fix the problem.
From docs[2]:
Troubleshooting
If you cannot invoke the API's HTTPS endpoint (this causes the SSLPeerUnverified exception), it could be because the security certificate issued by the server is not trusted by your browser. To resolve this issue, access the HTTPS endpoint directly from your browser and accept the security certificate.
If the API Manager has a certificate signed by a Certificate Authority (CA), the HTTPS endpoints should work out of the box.
[2] https://docs.wso2.com/display/AM260/Invoke+an+API+using+the+Integrated+API+Console

Secure HTTP Connection to AWS Lambda (using API Gateway)

I need to make a secure HTTP callout from Salesforce (using Apex) to AWS Lambda and I built my first version using AWS API Gateway. I realized I can get a client certificate from API Gateway (.crt) but this looks like it is only for the AWS backend and is not meant to be for the HTTP request sent to API Gateway. What are my alternatives to establish a secure connection from outside AWS (Salesforce) to a Lambda function?
So far I've found this, which is a disappointing dead-end for now.
Like the link you posted says, API Gateway does not currently support MTLS. Other options for you to add security to the calls at the moment are:
IAM permissions, and here.
API Gateway custom authorizers.
Cognito User Pools.
If you need a custom domain associated with the API Gateway:
Go to Route53 and add your domain (new Hosted Zone), if you haven't done it already.
On AWS Certificate Manager, import or request a certificate for the custom domain you intend to use in your API Gateway endpoints.
Open the API Gateway dashboard and go to "Custom Domain Names". Click "Create a custom domain name" and, in the option "ACM Certificate (region)", select the certificate you generated/imported in item 2 above.
That's it, now you should be able to trigger your Lambda functions using API Gateway from a secure connection (HTTPS). Please note that, if you do this, API Gateway will refuse connections over insecure HTTP protocol.

What determines if a site is secure to browsers?

I'm currently building a web site, and I wanted to know how to ensure that my website appeared as secure in a browser.
Kind of like Facebook:
See how they have that little green secure lock icon (in Chrome)? How can I achieve that on my own website to ensure its users feel comfortable?
Your browser will display this icon when you navigate to a secured endpoint for the website by using the https scheme instead of http. The browser will connect to port 443 on the server instead of port 80 and will receive one or more certificates from the server.
These certificates form a chain, where one certificate is verified by including the digital signature of a signing authority whose public key is included in another certificate.
Eventually, this chain of trust ends in a certificate that is signed by a signing authority whose public key is included in your browser distribution, so the browser is hardcoded to trust it. If the browser is able to build this chain of trust all the way to a built-in public key, it will display this icon to indicate to the user that the site belongs to whoever the certificate was issued for.
If you click this icon, the browser will display a dialog in which you can find who the certificate was issued to (Subject) and the certificates that build this chain of trust.
See also: https://security.stackexchange.com/questions/20803/how-does-ssl-tls-work and http://en.wikipedia.org/wiki/Transport_Layer_Security
You need to have SSL installed on your server.
You need to use SSL; request it from your hosting provider. FYI, this is a paid service, but a few hosting providers give you free SSL services, e.g. Alpha SSL.