We are using WSO2 integrator 6.4. To be able to connect to 3rd party HTTPS servers, we need to add server's certificate to client-truststore.jks. A lot of servers now use certificates from https://letsencrypt.org with 3 months TTL.
That means we must renew certificates every three months for every 3rd part server in our enviroment otherwise we get "Error in Sender" error.
Is there a way to disable certificate checking in WSO2 EI at all?
Or maybe it is possible to make some automatic scenario to renew certificates in client-truststore.jks?
Or can we check certificates in client-truststore.jks inside wso2 ei itself and send warnings before expiration?
A little basic in TLS trust.
When do you have explicit trust, trusting individual certificates (often done for self-signed certificates). Indeed this approach creates significant management overhead, mainly when onboarding, offboarding new service hosts or with short-lived certificates.
For TLS (SSL) an implicit trust is used. Your application trusts a list of (long lasting) the issuers - Certificate authorities (CA). Event the list of the CA certificates change over time, so some manual management may be necessary anyway.
Is there a way to disable certificate checking in WSO2 EI at all?
Yes, there is (in axis2.xml), but that lowers the security and the traffic would be vulnerable to a man-in-the-middle attack.
We solved this issue by adding only root CA certificates of letsencrypt to client-truststore.jks.
Yes, this is the correct approach. If you have closed environment (not able to access internet), you may need to add all the certificate chain (root and iternmediate signing certificates)
We solved this issue by adding only root CA certificates of letsencrypt to client-truststore.jks. That was enough for wso2ei to trust all servers with certificates of Letsencrypt.
The built-in certificate is causing issues for the API manager to connect to Micro Gateway services when installed on separate server.
How should custom SSL domain certificate needs to be installed. Does this require creation of new Keystore to store the new domain certificates?
We have a Webservice Application running on Tomcat.
This is SSL secured. We need to share our public key to every client trying to access our web services. Is it possible to disable the trust certificate verification ?
By default, all TLS clients should verify the servers to which they are connecting. Any other default behavior would be dangerous.
The client is the party performing the verification in a one-way TLS handshake (that is, when there is no client-authentication being performed where the client also presents a certificate to the server).
There are only two ways to avoid distributing your server's certificate to all possible clients:
Get your server's certificate signed by a trusted Certificate Authority (CA)
Modify all possible clients to ignore any problems with your certificate (such as not trusting it)
These days, with free domain certificates available from e.g. Let's Encrypt, it's silly not to use a certificate signed by a legitimate CA.
I have deployed node js app to ec2 instance of single instance type through elasticbeanstalk. After this I deployed my app through amazon api gateway. My EC2 instance is public. I want to restrict it in such a way that it only accepts request from amazon api gateway.
To do this I am following this https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html
I generated a client side certificate through api gateway but I don't know how to use or install this certificate on EC2 instance so that EC2 instance accepts requests only from aws api gateway. I am using Node js server in my application.
Please help.
The API Gateway client certificate feature does not use ACM certificates.
For client certificates, API Gateway generates its own, self-signed certificates and makes the PEM-encoded public key of the client certificate available to you for configuring you web server. API Gateway keeps the certificate's private key and uses it when making requests to your web server. By design, there is no way to export the private key from API Gateway so you can be certain that the caller is API Gateway as no one else can get the private key.
To get the PEM-encoded public key of the client certificate, call get-client-certificate as documented here
Note that you must also configure you web server with a server certificate signed by a certificate authority which API Gateway trusts. Don't confuse this with the certificate used for a custom domain name. Those are used for TLS termination of incoming requests to your API. The server certificate I'm talking about for this use case is just used on your backend web server so API Gateway can call it via TLS.
It is recommended that you obtain, deploy, configure, and test with your server certificate before you enable the client certificate in API Gateway. Once, you have your server certificate working with API Gateway, then enable the client side certificate and modify your web server to require it.
This article describes how to configure both server side and client side certificates with Node.js.
I have set up a basic API using AWS API Gateway and I would like to link my endpoints to a service I have running on an EC2 instance (using the "HTTP Proxy" integration type). I have read that in order to lock down my EC2 server from only accepting traffic from the API Gateway, I basically have one of two options:
Stick the EC2 instance behind VPC and use Lambda functions (instead of HTTP proxy) that have VPC permissions to act as a "pass through" for the API requests
Create a Client Certificate within API Gateway, make my backend requests using that cert, and verify the cert on the EC2 instance.
I would like to employ a variation of #2 and instead of verifying the cert on the EC2 service instance itself, I would like to instead do that verification on another instance running Haproxy. I have set up a second EC2 instance with Haproxy and have that pointed at my other instance as the backend. I have locked down my service instance so it will only take requests from the Haproxy instance. That is all working. What I have been struggling to figure out is how to verify the AWS Gateway Client Certificate (that I have generated) on the Haproxy machine. I have done tons of googling and there is surprisingly zero information on how to do this exact thing. A couple questions:
Everything I have read seems to suggest that I need to generate SSL server certs on my Haproxy machine and use those in the config. Do I have to do this, or can I verify the AWS client cert without generating any additional certs?
The reading I have done suggests I would need to generate a CA and then use that CA to generate both the server and client certs. If I do in fact need to generate server certs (on the Haproxy machine), how can I generate them if I don't have access to the CA that amazon used to create the gateway client cert? I only have access to the client cert itself, from what I can tell.
Any help here?
SOLUTION UPDATE
First, I had to upgrade my version of HAproxy to v1.5.14 so I could get the SSL capabilities
I originally attempted to generate an official cert with letsencrypt. While I was able to get the API gateway working with this cert, I was not able to generate a letsencrypt cert on the HAproxy machine that the API gateway would accept. The issue surfaced as an "Internal server error" response from the API gateway and as "General SSLEngine problem" in the detailed CloudWatch logs.
I then purchased a wildcard certificate from Gandi, and tried this on the HAproxy machine, but initially ran into the exact same problem. However, I was able to determine that the structure of my SSL cert was not what the API gateway wanted. I googled and found the Gandi chain here:
https://www.gandi.net/static/CAs/GandiStandardSSLCA2.pem
Then I structured my SSL file as follows:
-----BEGIN PRIVATE KEY-----
# private key I generated locally...
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
# cert from gandi...
-----END CERTIFICATE-----
# two certs from file in the above link
I saved out this new PEM file (as haproxy.pem) and used it in my HAproxy frontend bind statement, like so:
bind :443 ssl crt haproxy.pem verify required ca-file api-gw-cert.pem
The api-gw-cert.pem in the above bind statement is a file that contains a client cert that I generated in the API gateway console. Now, the HAproxy machine properly blocks any traffic coming from anywhere but the gateway.
The reading I have done suggests I would need to generate a CA and then use that CA to generate both the server and client certs.
That's one way to do it, but it is not applicable in this case.
Your HAProxy needs to be configured with a working SSL certificate signed by a trusted CA -- not the one that signed the client certificate, and not one you create. It needs to be a certificate signed by a public, trusted CA whose root certificates are in the trust store of the back-end systems at API Gateway... which should be essentially the same as what your web browser trusts, but may be a subset.
Just as your web browser will not speak SSL to a server sporting a self-signed certificate without throwing a warning that you have to bypass, the back-end of API Gateway won't negotiate with an untrusted certificate (and there's no bypass).
Suffice it to say, you need to get API Gateway talking to your HAProxy over TLS before trying to get it to use a client cert, because otherwise you are introducing too many unknowns. Note also that you can't use an Amazon Certificate Manager cert for this, because those certs only work with CloudFront and ELB, neither of which will support client certs directly.
Once the HAProxy is working with API Gateway, you need then to configure it to authenticate the client.
You need ssl and verify required in your bind statement, but you can't verify an SSL client cert without something to verify it against.
I only have access to the client cert itself, from what I can tell.
And that's all you need.
bind ... ssl ... verify required ca-file /etc/haproxy/api-gw-cert.pem.
SSL certs are essentially a trust hierarchy. The trust at the top of the tree is explicit. Normally, the CA is explicitly trusted and anything it has signed is implicitly trusted. The CA "vouches for" the certificates it signs... and for certificates it signs with the CA attribute set, which can also sign certificates under them, extending that implicit trust.
In this case, though, you simply put the client certificate in as the CA file, and then the client certificate "vouches for"... itself. A client presenting the identical certificate is trusted, and anybody else is disconnected. Having just the certificate is not enough for a client to talk to your proxy, of course -- the client also needs the matching private key, which API Gateway has.
So, consider this two separate requirements. Get API Gateway talking to your proxy over TLS first... and after that, authenticating against the client certificate is actually the easier part.
I think you are mixing up server certs and client certs. In this instance API Gateway is the client, and HAProxy is the server. You want HAProxy to verify the client cert sent by API Gateway. API Gateway will generate the certificate for you, you just need to configure HAProxy to verify that certificate is present in every request it processes.
I'm guessing you might be looking at this tutorial where they are telling you to generate the client cert, and then configure HAProxy to verify that cert. The "generate the cert" part of that tutorial can be skipped since API Gateway is generating the cert for you.
You just need to click the "Generate" button in API Gateway, then copy/paste the contents of the certificate it presents you and save that as a .pem file on the HAProxy server. Now I'm not a big HAProxy user, but I think taking the example from that tutorial your HAProxy config would look something like:
bind 192.168.10.1:443 ssl crt ./server.pem verify required