This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.


This page is work in progress!

In contrast to the usual one-way SSL authentication, where only the client verifies the identity of the server, in mutual SSL the server also validates the identity of the client, so that both parties trust each other. This gives the system much tighter security and avoids prompting the client for a username/password, as long as the server knows the certificates that belong to the client.

This section explains how APIs in WSO2 API Manager can be secured using mutual SSL in addition to OAuth2.

Enable securing APIs with mutual SSL

Follow the steps below to enable this feature in WSO2 API Manager.

  1. Create the AM_API_CLIENT_CERTIFICATE table in the APIM DB using the appropriate script given below. Note that the script to use depends on the database present in your environment.

  2. Open the <API-M_HOME>/repository/conf/axis2/axis2.xml file. Locate the transportReceiver for https as shown below.

    <transportReceiver name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLListener">

    Change the class name to org.apache.synapse.transport.passthru.PassThroughHttpMultiSSLListener. The sample is given below.

    <transportReceiver name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpMultiSSLListener">


  3. Add the following parameters under the transportReceiver element, as shown in the sample below.

    <parameter name="dynamicSSLProfilesConfig">
        <filePath>repository/resources/security/listenerprofiles.xml</filePath>
        <fileReadInterval>600000</fileReadInterval>
    </parameter>
    <parameter name="SSLVerifyClient">optional</parameter>

    The dynamicSSLProfilesConfig parameter specifies the file that is read to load the dynamic SSL profiles and the interval (in milliseconds) at which that file is re-read.
    Note that with fileReadInterval set to 600000, a newly added client certificate is not accepted by the gateway until the next time the file is read, which can be 10 minutes later, since the file is not re-read within the set interval.

    The transportReceiver segment after the changes mentioned above have been made:

    <transportReceiver name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpMultiSSLListener">
        <parameter name="port" locked="false">8243</parameter>
        <parameter name="non-blocking" locked="false">true</parameter>
        <!--parameter name="bind-address" locked="false">hostname or IP address</parameter-->
        <!--parameter name="WSDLEPRPrefix" locked="false">https://apachehost:port/somepath</parameter-->
        <parameter name="httpGetProcessor" locked="false">org.wso2.carbon.mediation.transport.handlers.PassThroughNHttpGetProcessor</parameter>
        <parameter name="keystore" locked="false">
            <KeyStore>
                <Location>repository/resources/security/wso2carbon.jks</Location>
                <Type>JKS</Type>
                <Password>wso2carbon</Password>
                <KeyPassword>wso2carbon</KeyPassword>
            </KeyStore>
        </parameter>
        <parameter name="truststore" locked="false">
            <TrustStore>
                <Location>repository/resources/security/client-truststore.jks</Location>
                <Type>JKS</Type>
                <Password>wso2carbon</Password>
            </TrustStore>
        </parameter>
        <!-- ============================================== -->
        <!-- Configuration for Listener Dynamic SSL Profile loading. -->
        <!-- Configured for 10 mins. -->
        <!-- ============================================== -->
        <parameter name="dynamicSSLProfilesConfig">
            <filePath>repository/resources/security/listenerprofiles.xml</filePath>
            <fileReadInterval>600000</fileReadInterval>
        </parameter>
        <parameter name="SSLVerifyClient">optional</parameter>
        <!--<parameter name="SSLVerifyClient">require</parameter>
            supports optional|require or defaults to none -->
    </transportReceiver>

  4. Copy the code given below to create the listenerprofiles.xml file in the <API-M_HOME>/repository/resources/security directory.

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <parameter name="SSLProfiles">
        <profile>
            <bindAddress>0.0.0.0</bindAddress>
            <KeyStore>
                <Location>repository/resources/security/wso2carbon.jks</Location>
                <Type>JKS</Type>
                <Password>wso2carbon</Password>
                <KeyPassword>wso2carbon</KeyPassword>
            </KeyStore>
            <TrustStore>
                <Location>repository/resources/security/client-truststore.jks</Location>
                <Type>JKS</Type>
                <Password>wso2carbon</Password>
            </TrustStore>
            <SSLVerifyClient>optional</SSLVerifyClient>
        </profile>
    </parameter>


    The <API-M_HOME>/repository/resources/security directory can be changed, as long as it matches the filePath you configured in the dynamicSSLProfilesConfig parameter.


  5. Open the <API-M_HOME>/repository/conf/api-manager.xml file. Set the EnableMTLSForAPIs parameter to true.

    <APIManager>
        ...
        <EnableMTLSForAPIs>true</EnableMTLSForAPIs>
  6. Restart the server.
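To sanity-check the configuration produced by the steps above, here is an added Python lint (it is not part of the WSO2 documentation or product) that parses a trimmed, constructed copy of the axis2.xml transportReceiver and the listenerprofiles.xml profile and flags settings that would stop client-certificate authentication: the old listener class, a missing dynamicSSLProfilesConfig, a profile that never requests a certificate, or a profile without a truststore. It also reports how long a newly trusted certificate can wait before being honoured, which follows from fileReadInterval.

```python
# Added example, not from the WSO2 documentation: a lint for the mutual-SSL
# settings this page configures. The two XML samples below are constructed,
# trimmed copies of the axis2.xml and listenerprofiles.xml snippets on the page.
import xml.etree.ElementTree as ET

MULTI_SSL_LISTENER = "org.apache.synapse.transport.passthru.PassThroughHttpMultiSSLListener"
VALID_VERIFY = {"optional", "require", "none"}

AXIS2_RECEIVER = """<transportReceiver name="https" class="%s">
  <parameter name="dynamicSSLProfilesConfig">
    <filePath>repository/resources/security/listenerprofiles.xml</filePath>
    <fileReadInterval>600000</fileReadInterval>
  </parameter>
  <parameter name="SSLVerifyClient">optional</parameter>
</transportReceiver>""" % MULTI_SSL_LISTENER

LISTENER_PROFILES = """<parameter name="SSLProfiles">
  <profile>
    <bindAddress>0.0.0.0</bindAddress>
    <TrustStore><Location>repository/resources/security/client-truststore.jks</Location></TrustStore>
    <SSLVerifyClient>optional</SSLVerifyClient>
  </profile>
</parameter>"""

def cert_acceptance_delay_minutes(axis2_xml):
    """Worst-case wait (minutes) before a newly trusted client cert is honoured."""
    for p in ET.fromstring(axis2_xml).findall("parameter"):
        if p.get("name") == "dynamicSSLProfilesConfig":
            return int(p.findtext("fileReadInterval", "0")) / 60000
    return 0

def check_mtls_config(axis2_xml, profiles_xml):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    receiver = ET.fromstring(axis2_xml)
    if receiver.get("class") != MULTI_SSL_LISTENER:
        findings.append("https listener class is not PassThroughHttpMultiSSLListener")
    names = {p.get("name") for p in receiver.findall("parameter")}
    if "dynamicSSLProfilesConfig" not in names:
        findings.append("dynamicSSLProfilesConfig parameter is missing")
    for prof in ET.fromstring(profiles_xml).findall("profile"):
        bind = prof.findtext("bindAddress", "?")
        mode = (prof.findtext("SSLVerifyClient") or "none").strip()
        if mode == "none":  # the listener never asks the client for a certificate
            findings.append("profile %s never requests a client certificate" % bind)
        elif mode not in VALID_VERIFY:
            findings.append("profile %s has invalid SSLVerifyClient %r" % (bind, mode))
        if prof.find("TrustStore/Location") is None:
            findings.append("profile %s has no TrustStore to validate client certs" % bind)
    return findings
```

Run check_mtls_config against the real files by reading the https transportReceiver element out of axis2.xml and the whole listenerprofiles.xml; any non-empty result should be resolved before restarting the server.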


Create an API 
