WSO2 IS and WSO2 EI Communication via self signed Certificate - wso2-identity-server

I am using WSO2 IS and WSO2 EI in our project. Is it possible to bridge communication between these two products using a self-signed certificate or the default keystores shipped with the products? Currently, EI is throwing certificate_unknown when it hits WSO2 IS. Thanks.

Get the self-signed public certificate of each product and put it into the trust store (usually <HOME>/repository/resources/security) of the other (IS public certificate into the EI trust store and EI public certificate into the IS trust store).
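The certificate exchange the answer describes, scripted with keytool. This is an added example, not code from the original answer or from WSO2; it assumes the stock layout of both products (primary keystore wso2carbon.jks with alias and password wso2carbon, trust store client-truststore.jks with password wso2carbon, both under <HOME>/repository/resources/security), and the aliases wso2is-cert and wso2ei-cert for the imported entries are the example's own choice:

```shell
#!/bin/sh
# Added example (not from the original answer or from WSO2): cross-trust two
# WSO2 products by exporting each one's self-signed certificate and importing
# it into the other's trust store.
# Assumptions: default keystore <HOME>/repository/resources/security/wso2carbon.jks
# (alias and password "wso2carbon") and default trust store client-truststore.jks
# (password "wso2carbon"). Adjust if you have already replaced the defaults.
set -eu

# export_cert <keystore> <alias> <storepass> <out.pem>: write the public certificate as PEM
export_cert() {
  keytool -exportcert -rfc -keystore "$1" -alias "$2" -storepass "$3" -file "$4" >/dev/null
}

# import_cert <truststore> <alias> <storepass> <cert.pem>: add a trusted certificate entry
import_cert() {
  keytool -importcert -noprompt -keystore "$1" -alias "$2" -storepass "$3" -file "$4" >/dev/null
}

# has_alias <store> <alias> <storepass>: succeed only if the alias exists in the store
has_alias() {
  keytool -list -keystore "$1" -alias "$2" -storepass "$3" >/dev/null 2>&1
}

# cross_trust <IS_HOME> <EI_HOME>: IS cert -> EI trust store, EI cert -> IS trust store
cross_trust() {
  is_sec="$1/repository/resources/security"
  ei_sec="$2/repository/resources/security"
  tmp=$(mktemp -d)
  export_cert "$is_sec/wso2carbon.jks" wso2carbon wso2carbon "$tmp/is.pem"
  export_cert "$ei_sec/wso2carbon.jks" wso2carbon wso2carbon "$tmp/ei.pem"
  # distinct aliases (hypothetical names) so the entries are easy to find and revoke later
  import_cert "$ei_sec/client-truststore.jks" wso2is-cert wso2carbon "$tmp/is.pem"
  import_cert "$is_sec/client-truststore.jks" wso2ei-cert wso2carbon "$tmp/ei.pem"
  rm -rf "$tmp"
}

# Usage: sh cross_trust.sh /opt/wso2is /opt/wso2ei   (then restart both products)
if [ $# -eq 2 ]; then
  cross_trust "$1" "$2"
fi
```

Both products load their trust store at JVM startup, so restart them after the import. Importing the certificate only removes the trust failure behind certificate_unknown: the default wso2carbon certificate is issued for CN=localhost, so if EI reaches IS under any other hostname the next failure is hostname verification, which is fixed by generating a certificate for the real hostname rather than by switching the check off. And since the default keystore, private key included, ships with every WSO2 download, keep it for development only.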

Related

WSO2 APIM - SSL certificate

Using WSO2 APIM 2.6.0, it seems the primary keystore certificate is used for multiple purposes:
service (nio-https) SSL - that can be easily changed
signing a JWT token to the API Gateway backend service
thrift SSL endpoint for the Traffic Manager (port 9711)
The issue I have is that in a distributed setup a separate gateway should reach the TM endpoint and the hostname needs to be trusted. So, in theory, I can create a self-signed certificate with a new hostname; however, a new keypair/certificate will break the existing backend validating the JWT token.
In theory I may just create a different self-signed certificate with the same public key, but it may be more complex to manage in the long run (I don't want to promote this practice).
Question: Is there a way to configure either the JWT signing certificate or the thrift SSL certificate separately? Or disable hostname validation for the throttling service (port 9711)?
(I'm not sure we want to allow disabling the hostname validation globally)
Since you have a distributed setup, this can be achieved easily.
You need to change the certificate in the gateways so that they use that keystore for the TM connection.
Keep the KM keystore as it is so that JWT is signed using the same old keystore.

How to validate WSO2 JWT from API Manager within remote backend server?

I would like to know an overview of what's the proper way to validate JWT at remote backend server?
I believe I'd need a public key...does API-M expose an endpoint to obtain a public key or do I extract it from wso2carbon.jks?
Thank you!
WSO2 API Manager signs the JWT with the private key of its keystore, and you have to export the corresponding public key from that keystore. We don't provide an endpoint for extracting the public key.
Also, it's highly recommended to use your own keystore rather than the one shipped with the WSO2 product, because that keystore is common to all the products and released publicly.
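What the remote backend actually does with the exported key, as an added example that is not WSO2 code and not part of the original answer: pull the public key out of the certificate keytool exports, then verify the token's signature over its header and payload with OpenSSL. It assumes the default keystore (wso2carbon.jks, alias and password wso2carbon) and that API-M signs with SHA256withRSA, i.e. RS256, its default signature algorithm; the function names extract_pubkey and verify_jwt are the example's own:

```shell
#!/bin/sh
# Added example (not WSO2 code): verify an API Manager JWT on a remote backend
# using only the exported public key.
# Assumptions: the token is RS256 (SHA256withRSA, the API-M default) and the
# signing key is the "wso2carbon" entry of wso2carbon.jks, store password "wso2carbon".
set -eu

# extract_pubkey <keystore> <alias> <storepass> <out.pem>
# keytool can only export the certificate; openssl extracts the public key from it.
extract_pubkey() {
  cert=$(mktemp)
  keytool -exportcert -rfc -keystore "$1" -alias "$2" -storepass "$3" -file "$cert" >/dev/null
  openssl x509 -in "$cert" -pubkey -noout > "$4"
  rm -f "$cert"
}

# b64url_decode: base64url text on stdin -> raw bytes on stdout (restores '+', '/' and padding)
b64url_decode() {
  s=$(sed 's/-/+/g; s/_/\//g')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
  printf '%s' "$s" | openssl base64 -d -A
}

# verify_jwt <token> <pubkey.pem>: exit 0 only if alg is RS256 and the signature verifies
verify_jwt() {
  tok="$1"; pub="$2"
  hdr=${tok%%.*}
  rest=${tok#*.}
  pl=${rest%%.*}
  sig=${rest#*.}

  # Pin the algorithm instead of trusting the header: this rejects "alg":"none"
  # and stops the public key from being misused as an HMAC secret (RS256/HS256 confusion).
  if ! printf '%s' "$hdr" | b64url_decode | grep -q '"alg" *: *"RS256"'; then
    return 1
  fi

  work=$(mktemp -d)
  printf '%s' "$sig" | b64url_decode > "$work/sig.bin"
  # The signed input is the two base64url segments joined by '.', not the decoded JSON.
  printf '%s.%s' "$hdr" "$pl" > "$work/signed.txt"
  if openssl dgst -sha256 -verify "$pub" -signature "$work/sig.bin" "$work/signed.txt" >/dev/null 2>&1; then
    rc=0
  else
    rc=1
  fi
  rm -rf "$work"
  return $rc
}

# Usage: sh verify_jwt.sh <token> <pubkey.pem>
# (first: extract_pubkey wso2carbon.jks wso2carbon wso2carbon apim-pub.pem)
if [ $# -eq 2 ]; then
  verify_jwt "$1" "$2" && echo "signature OK" || { echo "signature INVALID"; exit 1; }
fi
```

The algorithm pin is the part most often skipped: a verifier that reads alg from the header and dispatches on it can be driven to accept an unsigned token or to verify it with the wrong primitive, so the backend decides the algorithm and rejects everything else. A valid signature is necessary but not sufficient; the backend should also check the token's expiry claim and, if one key signs tokens for several APIs, the claims that identify which API the token was issued for.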

How to call https based api in one wso2 esb server from another wso2 esb server

I have created an https-based API in one of the WSO2 ESB 5.0.0 servers, so now I want to call this https API from another WSO2 ESB 5.0.0 server. But I am getting an SSL certificate error when calling the https API from the other WSO2 ESB server.
I have tried importing the localhost and wso2carbon certificates into the client trust store and also the wso2carbon keystore, but no luck.
Has anyone tried this?

WSO2 Identity Server - Federated SAML using WSO2 as Proxy Server?

Could you please clarify if there is a chance to interconnect a WSO2 Identity Server with an existing corporate IdP using the SAML as federated connection mechanism. What exactly needs to be configured to unify the realm and proxy the authentication with the external IDP?
Thanks in advance for your support.
If you use WSO2 IS as a proxy or a federation bus, then you need to register your IdP and service provider in WSO2 IS, and in your IdP you should register WSO2 IS as a service provider.
If you use WSO2 IS as your service provider, you need to register your existing IdP in WSO2 IS as an IdP, and WSO2 IS as a service provider on your IdP side.
You can follow this document for more information.
Thanks!

WSO2 ESB: Usage of https client certificate in mediation

I was planning the following setup:
A proxy service in WSO2 ESB that interacts with a backend service via JMS.
Proxy service clients connects to the WSO2 ESB using https with mutual authentication.
Within the proxy service mediators, information from the client's certificate are needed.
Is there some way the client certificate could be made available to mediators?
You do not need client certificates at the mediator level. Mediators are put together in a pipes-and-filters chain, and it is the endpoint at the end that connects to the back-end, so it is at the endpoint level that you have to secure it. The blog post on How to invoke a secured backend service using WSO2 ESB shows how to achieve this.
First you have to enable mutual authentication in WSO2 ESB. If you do not know how to do that, please refer to Enable Mutual SSL for Proxy services in WSO2 ESB. Then refer to the following blog post to learn how to get the client's certificate in a class mediator.