Question
We have a backend API which requires a client certificate to be presented when accessing the API. We have added the client certificate to repository/resources/security/client-truststore.jks along with all Root CA and intermediate certs, and restarted the server.
I believe WSO2 is now able to send the call to the backend API, which returns with status code 403. It is returning 403 because the backend API did not receive the client certificate with the request...
{
"timestamp": "2017-03-14T21:33:36.523Z",
"status": 403,
"error": "Forbidden",
"message": "Access Denied",
"path": "/registrations"
}
When we execute the backend directly from the server with the certificate, it works fine:
curl -k --cert /tmp/client.pem:changeit -X POST https://10.7.64.36:8443/registrations -H "Content-Type: application/json" -d "{\"primaryAccountNumber\": \"12122121212\"}"
We get a valid response back:
{"registration_id":null,"transaction_id":null,"authentication_code":null,"qr_code_image":null,"registered":null,"status":null,"score":null,"reason_codes":[]}
So, as curl sends --cert in the request, how do I do that in WSO2 API Manager? Please advise how to associate the client certificate with the backend URL so that it will be sent by WSO2 API Manager and the backend will be able to process the request.
Thank you.
Answer 1:
For mutual SSL you can refer to the following blog post.
http://ishara-cooray.blogspot.com/2016/07/how-to-secure-your-backend-services-and.html
Here is the important part from the blog post.
Configure API Manager to enable dynamic ssl profiles
To configure APIM for Dynamic SSL Profiles for the HTTPS transport sender, you need to create a new XML file /repository/deployment/server/multi_ssl_profiles.xml (this path is configurable) and copy the below configuration into it. This will configure client-truststore.jks as the trust store for all connections to 10.100.5.130:9443.
<parameter name="customSSLProfiles">
    <profile>
        <servers>10.100.5.130:9443</servers>
        <TrustStore>
            <Location>repository/resources/security/client-truststore.jks</Location>
            <Type>JKS</Type>
            <Password>wso2carbon</Password>
        </TrustStore>
    </profile>
</parameter>
To enable dynamic loading of this configuration, add the below configuration to the Transport Sender configuration (PassThroughHttpSSLSender) of API Manager ({AM_HOME}/repository/conf/axis2.xml). Set the above file's path as the "filePath" parameter.
<parameter name="dynamicSSLProfilesConfig">
    <filePath>repository/deployment/server/multi_ssl_profiles.xml</filePath>
    <fileReadInterval>3600000</fileReadInterval>
</parameter>
<parameter name="HostnameVerifier">AllowAll</parameter>
Now both the back end service and ESB are configured to use default key stores, and API Manager is configured to load dynamic SSL profiles. Restart API Manager. It will show the below message in the console confirming that the dynamic configurations were loaded.
ClientConnFactoryBuilder customSSLProfiles configuration is loaded from path:
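As an added sanity check (not part of the question or the answer above, nor of WSO2): a small Python lint for a multi_ssl_profiles.xml. The quoted profile defines only a TrustStore, which is what lets the gateway verify the backend's certificate; for the gateway to present a client certificate, the profile for that backend also needs a KeyStore holding the certificate and its private key. The script assumes the KeyStore element takes the same Location/Type/Password children as TrustStore, and reports per backend which stores are missing and which fields are empty or padded with whitespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the profile quoted in the answer: TrustStore
# only, so the gateway can verify the backend but has no client key to present.
SAMPLE_PROFILES = """<parameter name="customSSLProfiles">
  <profile>
    <servers>10.100.5.130:9443</servers>
    <TrustStore>
      <Location>repository/resources/security/client-truststore.jks</Location>
      <Type>JKS</Type>
      <Password>wso2carbon</Password>
    </TrustStore>
  </profile>
</parameter>"""

STORE_FIELDS = ("Location", "Type", "Password")  # assumed layout for both stores

def _check_store(profile, tag):
    # Problems found in the <KeyStore> or <TrustStore> child named `tag`.
    store = profile.find(tag)
    if store is None:
        return [f"{tag} missing"]
    problems = []
    for field in STORE_FIELDS:
        text = store.findtext(field)  # None if absent, "" if empty
        if text is None or not text.strip():
            problems.append(f"{tag}/{field} missing or empty")
        elif text != text.strip():  # e.g. "<Location>x.jks </Location>"
            problems.append(f"{tag}/{field} has leading/trailing whitespace")
    return problems

def lint_ssl_profiles(xml_text):
    """Map each backend host:port in the file to the problems in its profile."""
    root = ET.fromstring(xml_text)
    if root.tag != "parameter" or root.get("name") != "customSSLProfiles":
        raise ValueError('root must be <parameter name="customSSLProfiles">')
    report = {}
    for profile in root.findall("profile"):
        servers = profile.findtext("servers") or ""
        targets = [s.strip() for s in servers.split(",") if s.strip()]
        if not targets:
            report.setdefault("<no servers>", []).append("servers missing or empty")
            continue
        store_problems = _check_store(profile, "TrustStore") + _check_store(profile, "KeyStore")
        for target in targets:
            issues = list(store_problems)
            host, sep, port = target.rpartition(":")
            if not sep or not host or not port.isdigit():
                issues.append(f"server {target!r} is not host:port")
            report[target] = issues
    return report
```

Run `lint_ssl_profiles(open("multi_ssl_profiles.xml").read())` against the real file; an empty list for a backend means both stores are declared and filled in.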
Source: https://stackoverflow.com/questions/42822397/wso2-api-manager-how-to-associate-a-client-certificate-to-backend-target-end