If you have a backend with a self-signed certificate (or a certificate that is not signed by a Certification Authority (CA)), you would generally need to import the certificate to the client-truststore and restart the server, which is cumbersome. However, if you enable dynamic SSL certificate installation on WSO2 API Manager, you can simply upload the backend certificate via the API Publisher while creating or editing your API, without having to manually upload the certificate for the endpoint. Follow the steps below to add a new certificate to any endpoint. Note that this feature supports only HTTP/REST and HTTP/SOAP endpoints.
Prerequisites
- Ensure that you have downloaded the latest WUM update. For more details, see Updating WSO2 Products in the WSO2 Administration Guide.
- If you are an existing user, follow the instructions given below.
Run the scripts inside the <API-M_HOME>/dbscripts/apimgt directory, according to your preferred database. For instructions on configuring databases, see Set up the database. Verify that the table AM_CERTIFICATE_METADATA has been created in your database.

The configuration for the PassThroughHTTPSSLSender parameter is available by default in the <API-M_HOME>/repository/conf/axis2/axis2.xml file, as shown below.

```xml
<transportSender name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLSender">
    ...
    <!-- ============================================== -->
    <!-- Configuration for Dynamic SSL Profile loading. -->
    <!-- Configured for 10 mins. -->
    <!-- ============================================== -->
    <parameter name="dynamicSSLProfilesConfig">
        <filePath>repository/resources/security/sslprofiles.xml</filePath>
        <fileReadInterval>600000</fileReadInterval>
    </parameter>
</transportSender>
```

Note: The default time to apply the certificate is 10 minutes. You can configure this by changing the <fileReadInterval> parameter. Note that the time is given in milliseconds.

If you use a different TrustStore/KeyStore configuration in the axis2.xml or carbon.xml files, modify the KeyStore and TrustStore location in the <API-M_HOME>/repository/resources/security/sslprofiles.xml file accordingly. The sslprofiles.xml file is configured with the existing client-truststore.jks
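
To confirm the setting on a node, the following Python check (an added example, not part of the WSO2 documentation) reads the text of axis2.xml, locates the dynamicSSLProfilesConfig parameter under the https transportSender, and reports the reload interval in minutes. The function name check_dynamic_ssl and the sample XML are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample mirroring the transportSender fragment from axis2.xml.
SAMPLE_AXIS2 = """<axisconfig>
  <transportSender name="https"
      class="org.apache.synapse.transport.passthru.PassThroughHttpSSLSender">
    <parameter name="dynamicSSLProfilesConfig">
      <filePath>repository/resources/security/sslprofiles.xml</filePath>
      <fileReadInterval>600000</fileReadInterval>
    </parameter>
  </transportSender>
</axisconfig>"""


def check_dynamic_ssl(axis2_xml: str) -> dict:
    """Return the https sender's dynamic SSL profile settings and any problems."""
    result = {"file_path": None, "interval_minutes": None, "problems": []}
    root = ET.fromstring(axis2_xml)
    sender = next((s for s in root.iter("transportSender")
                   if s.get("name") == "https"), None)
    if sender is None:
        result["problems"].append("no https transportSender")
        return result
    param = next((p for p in sender.findall("parameter")
                  if p.get("name") == "dynamicSSLProfilesConfig"), None)
    if param is None:
        result["problems"].append("dynamicSSLProfilesConfig missing")
        return result
    # filePath is relative to <API-M_HOME>; only its presence is checked here.
    result["file_path"] = (param.findtext("filePath") or "").strip() or None
    if result["file_path"] is None:
        result["problems"].append("filePath empty")
    # fileReadInterval is in milliseconds (600000 ms = 10 minutes).
    raw = (param.findtext("fileReadInterval") or "").strip()
    if raw.isdecimal() and int(raw) > 0:
        result["interval_minutes"] = int(raw) / 60000
    else:
        result["problems"].append("fileReadInterval must be a positive number of milliseconds")
    return result


if __name__ == "__main__":
    # Pass the path to axis2.xml, or run without arguments to use the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_AXIS2
    print(check_dynamic_ssl(text))
```
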
Info: After configuring, the certificate will be added to the Gateway nodes which are defined under the Environments in
...