I want to add a not-secure https service (https://192.168...) to WSO2 ESB. Import the certificate from [1] to [ESB_HOME]/resources/security/client_truststore.jks via
:\>keytool -import -file public_cert.crt -alias myservice -keystore client_truststore.jks
and uncomment the parameter in axis2 and change it to the following:
<parameter name="HostnameVerifier">AllowAll</parameter>
My cert file name is bank...cert, but my problem is not solved and I can't add this service to WSO2.
Related
WSO2 APIM is not invoking backend when hostname is changed.
My APIM server is in AWS running in a docker container. Backend is in Azure App service. When I configure API gateway with localhost in AWS EC2 instance, the published API in gateway is able to invoke backend and fetch data without any issue.
When I make the following changes and try out the same API from AWS, it gives a 400 response error without anything in the logs:
change the host name in deployment.toml and the required gateway urls
create new keystore for SSL communication using CA signed certificate and import it in client-truststore
change the secondary keystore to the new one
Build and run the docker with modified keystores and deployment.toml
Created an image using the dockerfile mentioned in https://github.com/wso2/docker-apim.git under dockerfiles/ubuntu/apim and then performed required changes in deployment.toml and Dockerfile
The API is working fine using curl and from Postman. It gives a 400 error only when invoked from the Publisher/Devportal UI.
I have created an https-based API in one WSO2 ESB 5.0.0 server, and now I want to call this https API from another WSO2 ESB 5.0.0 server. But I am getting an SSL certificate error when calling the https API from the other WSO2 ESB server.
I have tried importing the localhost and wso2carbon certificates into the client trust store and also the wso2carbon key stores, but no luck.
Has anyone tried this?
In WSO2 API Manager, I want to use a local WSO2 ESB instance to publish APIs. I mean, I configure an ESB instance as the Gateway in /repository/conf/api-manager.xml, like this:
<APIGateway>
    <Environments>
        <Environment type="hybrid" api-console="true">
            <Name>Production and Sandbox</Name>
            <Description> Description of environment</Description>
            <!--ServerURL>https://${carbon.local.ip}:${mgt.transport.https.port}${carbon.context}/services/</ServerURL-->
            <ServerURL>https://localhost:8243/services/</ServerURL>
            <!--Username>${admin.username}</Username-->
            <Username>admin</Username>
            <!--Password>${admin.password}</Password-->
            <Password>admin</Password>
            <!--GatewayEndpoint>http://${carbon.local.ip}:${http.nio.port},https://${carbon.local.ip}:${https.nio.port}</GatewayEndpoint-->
            <GatewayEndpoint>http://localhost:8280,https://localhost:8243</GatewayEndpoint>
        </Environment>
    </Environments>
    <EnableGatewayKeyCache>true</EnableGatewayKeyCache>
    <EnableGatewayResourceCache>true</EnableGatewayResourceCache>
    <ClientDomainHeader>referer</ClientDomainHeader>
</APIGateway>
I followed this article https://docs.wso2.com/display/AM190/Publish+through+Multiple+API+Gateways and I just changed the configuration according to my ESB instance.
The problem is in the API Publisher: when I want to publish a new API I get the following error:
Failed to change the life cycle status : Invoking lifecycle action "Publish" failed
NOTE: I changed the port of the ServerURL from 9443 to 8243 because I couldn't see the service list of the ESB in my browser, and with 8243 I can see it.
Have you done a feature installation on the ESB?
By default WSO2 ESB does not contain certain features that are required for it to serve as the gateway in this scenario. It is not possible to use ESB here, without a feature installation.
Therefore we recommend you to use an instance of WSO2 API Manager itself as the gateway.
The HTTPS servlet transport port of the Gateway needs to be given as the gateway's <serverURL>.
In WSO2 ESB I want to add an https proxy service, but when I define the proxy service and specify a source URL using https://..., the URL test gives this error:
Invalid WSDL URI (Unable to establish a connection)
and in the next step, when I define the endpoint and use an https:// ... endpoint, this error appears:
Unable to validate SSL Certificate of https://....
I tried to certificate a crt file in my https proxy service, in wso2\repository\resources\security\client-truststore.jks, with keytool:
%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA
and enabled the https transport sender and receiver in axis2.xml, but my problem is not solved.
I guess you are trying to connect to an HTTPS endpoint using a proxy service. Here you want to import the endpoint server's certificate chain into the "client-truststore.jks" file and restart the server. However, the HTTPS transport sender and receiver are enabled by default. You may not need to enable them.
But a few things to remember:
In the transport sender, if you do NOT want to verify the host name of the endpoint server against its certificate, please configure the "HostnameVerifier" property to "AllowAll". If not, and your endpoint server's IP and certificate CN do not match, it would create some errors.
If the endpoint server's certificate is a self-signed one, you can just import the server's certificate. If it is a CA-signed one, you need to import the whole CA certificate chain.
(However most common CA certificates can be found in the "client-truststore.jks" file)
If you want to change the trust store or key store files, you can do it using the transport sender configuration. By default the trust store file is "client-truststore.jks". Also, if you made any changes to the axis2.xml file or the key stores, please restart the server.
Also, if you want to expose your proxy service using SSL, you need to enable "https" in the proxy service. Your client then needs to use the ESB server's certificate to call the proxy service.
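The host name point in the answer above, as an added example (not part of the original answer and not WSO2 code): a pre-flight check that tells you whether a strict verifier would accept an endpoint certificate for the URL you configured, so you can fix the certificate or the URL instead of setting "AllowAll". It applies the general TLS name-matching rule to certificates in the dict layout of Python's ssl.SSLSocket.getpeercert(); the function names, host name and address are assumptions constructed for the illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample certificates, in the layout of ssl.SSLSocket.getpeercert().
CN_ONLY = {"subject": ((("commonName", "bank.example.test"),),)}
WITH_IP_SAN = {
    "subject": ((("commonName", "bank.example.test"),),),
    "subjectAltName": (("DNS", "bank.example.test"), ("IP Address", "192.0.2.10")),
}


def dns_match(pattern, host):
    """Match one DNS name; '*' is accepted only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse wildcards directly under a top-level label such as "*.test".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def hostname_check(endpoint_url, cert):
    """Return (accepted, reason) for strict host name verification."""
    host = urlsplit(endpoint_url).hostname
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal in the URL can only match an "IP Address" SAN entry;
        # the subject CN is never consulted for it.
        ok = any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)
        return ok, "IP SAN matches" if ok else f"no IP SAN for {host}"
    names = [v for k, v in sans if k == "DNS"]
    if not names:
        # Legacy fallback to the subject CN when there is no DNS SAN at all.
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    ok = any(dns_match(n, host) for n in names)
    return ok, "name matches" if ok else f"{host} not in {names}"


if __name__ == "__main__":
    for url, cert in [("https://192.0.2.10:8243/services/Bank", CN_ONLY),
                      ("https://bank.example.test:8243/services/Bank", CN_ONLY),
                      ("https://192.0.2.10:8243/services/Bank", WITH_IP_SAN)]:
        print(url, hostname_check(url, cert))
```

The first case is the one from the questions on this page: the endpoint is addressed by IP while the certificate only names a host, so verification fails until the URL uses that name or the certificate is reissued with an IP SAN.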
I was planning the following setup:
A proxy service in WSO2 ESB that interacts with a backend service via JMS.
Proxy service clients connects to the WSO2 ESB using https with mutual authentication.
Within the proxy service mediators, information from the client's certificate is needed.
Is there some way the client certificate could be made available to mediators?
You do not need to provide client certificates at mediator level. Mediators are put together in a pipes & filter chain, and it is the endpoint at the end that connects to the back-end, and it is at the endpoint level that you have to secure it. The blog post on How to invoke secured backend service using WSO2 ESB shows how to achieve this.
First you have to enable mutual authentication in WSO2 ESB. If you do not know how to do that, please refer to Enable Mutual SSL for Proxy services in WSO2ESB. Then refer to the following blog post to know how to get the client's certificate in a class mediator