Dynamic SSL Certificate Installation
- Former user (Deleted)
- Former user (Deleted)
- Former user (Deleted)
- Former user (Deleted)
If you have a backend with a self-signed certificate (or a certificate which is not signed by a CA) you need to import it to the client-truststore and restart the server. This feature enables you to upload the backend certificate through API Publisher while creating or editing your API. Follow the steps below to add a new certificate to any endpoint. Note that this feature supports only HTTP/REST and HTTP/SOAP endpoints.
This is available only as a WUM update and is effective from 27th November 2017 (2017-11-27). For more information on updating WSO2 API Manager, see Updating WSO2 Products.
Prerequisites
- Ensure that you have downloaded the latest WUM update. For more details, see Updating WSO2 Products in the WSO2 Administration Guide.
- If you are an existing user, follow the instructions given below.
Run the scripts inside the
<APIM_WUM_UPDATED_PACK>/dbscripts/apimgtdirectory, according to your preferred database (Alternatively, you can find the script to create only theAM_CERTIFICATE_METADATAfrom the database script and run it ). For instructions on configuring databases, see Set up the database. Verify that the tableAM_CERTIFICATE_METADATAhas been created in your database.Open the
<APIM_HOME>/repository/conf/axis2/axis2.xmlfile. Add the following code under thePassThroughHTTPSSLSenderparameter.<transportSender name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLSender"> ... <!-- ============================================== --> <!-- Configuration for Dynamic SSL Profile loading. --> <!-- Configured for 5 mins. --> <!-- ============================================== --> <parameter name="dynamicSSLProfilesConfig"> <filePath>repository/resources/security/sslprofiles.xml</filePath> <fileReadInterval>600000</fileReadInterval> </parameter> </transportSender>The default time to apply the certificate is 10 minutes. You can configure this by changing the
<fileReadInterval>parameter. Note that the time is given in milliseconds.If you use a different Trust Store/ Keystore configuration in the
axis2.xmlorcarbon.xmlfiles ,modify the KeyStore and TrustStore location in<APIM_WUM_UPDATED_PACK>/repository/resources/security/sslprofiles.xmlfile accordingly. Thesslprofiles.xmlfile is configured with the existing client-truststore.jks
This feature currently supports only the the following formats for keystores and certificates.
- Keystore :
.jks - Certificate :
.crt
If you need to use a certificate in any other format, you can convert it using a standard tool before uploading.
After configuring, the certificate will be added to the Gateway nodes which are defined under the Environments in api-manager.xml. In a clustering setup, as gateway configurations are identical, sync the <APIM_HOME>/repository/resources/security/sslprofiles.xml and <APIM_HOME>/repository/resources/security/client-truststore.jks among the gateway nodes. After the configured interval, the synapse transport will be reloaded in all the gateway nodes.
Adding a certificate
- Log in to the API Publisher. Create a new API or edit an existing API.
- Go to the Implement tab. Click Manage Certificates and click Add New Certificate
Enter the following information and click Upload.
Name Description Alias Enter a name for your certificate. Endpoint Select an endpoint from the dropdown list Certificate Enter the location of your certificate file or click Browse to select through the UI - The uploaded certificate aliases will be displayed.
- You can repeat from step 2 to add a certificate to the sandbox endpoint.
You add only one certificate per endpoint. Make sure that your certificates have not expired.
Deleting a certificate
To delete a certificate, click the icon adjacent to the certificate, as shown below.
