The built-in certificate is causing issues for the API manager to connect to Micro Gateway services when installed on separate server.
How should custom SSL domain certificate needs to be installed. Does this require creation of new Keystore to store the new domain certificates?
Related
I'm creating a simple website. The frontend is stored in S3, and hosted by Cloudfront. I managed to add a trusted SSL certificate to my frontend domain (www.xyz.com) using AWS Certificate Manager.
The backend is running on an EC2 instance. I added a self-signed certificate to it. I'm able to hit the APIs using Postman but the requests from frontend are failing because of the self-signed certificate.
I checked the AWS Certificate Manager again if it could provide me with a cert for my backend server, but it requires a domain. My server is running on an IP and port, and I couldn't find any service that provides a certificate for an IP. I don't want to spend extra money to get a domain for my backend.
So how do I get a trusted SSL certificate for a backend server, running on something like 10.12.12.10:9000?
couldn't find any service that provides a certificate for an IP.
This is because you need domain to obtain valid public certificate. You can't register SSL cert for an IP. But if you already have your own domain www.xyz.com, you can get a certificate for its subdomain, e.g. api.xyz.com.
However, ACM certs can't be used on instances. Thus, you need to get a valid public SSL cert from a third party. A popular choice is https://letsencrypt.org/ with certbot which provides free SSL certificates. By the way, StackOverlow is using letsencrypt for its SSL cert provider, thus its widely used and trusted ssl provider.
Using WSO2 APIM 2.6.0 seems the primary keystore certificate is used for multiple purposes
service (nio-https) SSL - that can be easily changed
signing a JWT token to the API Gateway backend service
thrift SSL endpoint for the Traffic Manager (port 9711)
The issue I have is that in a distributed setup a separate gateway should reach the TM endpoint and the hostname needs to be trusted. So - in theory I can create a self-signed certificate with a new hostname, however a new keypair/certificate will break existing backend validating the JWT token.
In theory I may just create a different self-signed certificate with the same public key, it may be more complex to manage in long run (I don't want to promote this practice).
Question: Is there a way to configure either the JWT signing certificate or the thrift SSL certificate separately? Or disable hostname validation for the throttling service (port 9711)?
(I'm not sure we want to allow disabling the hostname validation globally)
Since you have a distributed setup, this can be achieved easily.
You need to change the certificate in the gateways so that they use that keystore for the TM connection.
Keep the KM keystore as it is so that JWT is signed using the same old keystore.
Right now I have a server which should only be accessible by clients who have a particular valid certificate installed in their browser. This is called two-way SSL and it's a way to authenticate clients. I was wondering if it is possible to implement this in AWS Certificate Manager?
I'm asking this because when I do this manually, I have to generate client certificates on my machine individually using the CA's certificate and key. But when I use AWS Certificate Manager I don't think the key is accessible for me to generate the client certificates. Is that right? Does that mean that I can not use AWS Certificate Manager if I want to implement two-way SSL?
Currently you cannot use AWS ACM issued certificates as client certificates since it only allows to associate with following AWS services.
AWS API Gateway
AWS CloudFront
AWS ELB/ALB
I have deployed node js app to ec2 instance of single instance type through elasticbeanstalk. After this I deployed my app through amazon api gateway. My EC2 instance is public. I want to restrict it in such a way that it only accepts request from amazon api gateway.
To do this I am following this https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html
I generated a client side certificate through api gateway but I don't know how to use or install this certificate on EC2 instance so that EC2 instance accepts requests only from aws api gateway. I am using Node js server in my application.
Please help.
The API Gateway client certificate feature does not use ACM certificates.
For client certificates, API Gateway generates its own, self-signed certificates and makes the PEM-encoded public key of the client certificate available to you for configuring you web server. API Gateway keeps the certificate's private key and uses it when making requests to your web server. By design, there is no way to export the private key from API Gateway so you can be certain that the caller is API Gateway as no one else can get the private key.
To get the PEM-encoded public key of the client certificate, call get-client-certificate as documented here
Note that you must also configure you web server with a server certificate signed by a certificate authority which API Gateway trusts. Don't confuse this with the certificate used for a custom domain name. Those are used for TLS termination of incoming requests to your API. The server certificate I'm talking about for this use case is just used on your backend web server so API Gateway can call it via TLS.
It is recommended that you obtain, deploy, configure, and test with your server certificate before you enable the client certificate in API Gateway. Once, you have your server certificate working with API Gateway, then enable the client side certificate and modify your web server to require it.
This article describes how to configure both server side and client side certificates with Node.js.
Working with WSO2 API Manager v1.6.0. I have a signed universal SSL certificate from GoDaddy I want to use. I am able to import the certificate into a new keystore I created along with the intermediate certificate. When attempting to access the API manager via https I am getting an error that the root certificate can not be verified. I believe my issues may be that the certificate chain did not or is not importing correctly.
Found the solution. Was able to import the signed SSL certificate as a trusted Key-Pair into a new keystore.