Integrate With Mutual Certificate Authentication based Service


There are many ways to secure a Service/API, using different authentication mechanisms. Mutual Certificate Authentication (also known as Client Certificate Authentication) is one of them.

Recently I was trying to integrate with an API that is secured using Mutual Certificate Authentication. In this scenario, the backend service team gave me their certificate as a PKCS#12 file.

When integrating this backend system with the WSO2 platform, we have to use the 'Multi-HTTPS transport'. This transport gives great flexibility to define different SSL profiles, each with its own trust store and key store, for different IPs or hosts. A custom SSL profile can be applied either between the Client and the Synapse Runtime (Client --> ESB) or between the Synapse Runtime and the Backend (ESB --> Backend). If it is Client to ESB, you have to define the custom SSL profiles in the transportReceiver section.

In my use case it was ESB to Backend, so I had to add the custom SSL profiles to the transportSender section of the axis2.xml file. Since I have a PKCS#12 certificate file, I don't need to convert it to JKS or any other format.

Let's assume the Mutual Certificate Authentication based backend API URL is https://backendhost.com/api/users. The custom SSL profile configuration in axis2.xml (or senderprofiles.xml in WSO2 EI 7) looks like this:


<transportSender name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLSender">
	<parameter name="non-blocking" locked="false">true</parameter>
	<parameter name="keystore" locked="false">
		<KeyStore>
			<Location>repository/resources/security/wso2carbon.jks</Location>
			<Type>JKS</Type>
			<Password>wso2carbon</Password>
			<KeyPassword>wso2carbon</KeyPassword>
		</KeyStore>
	</parameter>
	<parameter name="truststore" locked="false">
		<TrustStore>
			<Location>repository/resources/security/client-truststore.jks</Location>
			<Type>JKS</Type>
			<Password>wso2carbon</Password>
		</TrustStore>
	</parameter>
	<parameter name="customSSLProfiles">
		<profile>
			<servers>backendhost.com:443</servers>
			<KeyStore>
				<Location>repository/resources/security/backendcertificate.p12</Location>
				<Type>PKCS12</Type>
				<Password>certificatePassword</Password>
				<KeyPassword>certificatePassword</KeyPassword>
			</KeyStore>
		</profile>
	</parameter>
	<!--<parameter name="HostnameVerifier">DefaultAndLocalhost</parameter>-->
	<!--supports Strict|AllowAll|DefaultAndLocalhost or the default if none specified -->
</transportSender>
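As an added example (not part of the post or of WSO2's own code), the following Python resolver parses the sender configuration above and reports which key store and trust store would be selected for a given backend URL, so you can check the profile before restarting the ESB. It assumes the documented matching rule of host:port against the comma-separated <servers> list (default port 443 for https), and it makes visible that the profile in the post declares no TrustStore of its own.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed copy of the transportSender configuration from the post
# (passwords are the placeholder values the post itself uses).
TRANSPORT_SENDER_XML = """<transportSender name="https"
    class="org.apache.synapse.transport.passthru.PassThroughHttpSSLSender">
  <parameter name="keystore" locked="false"><KeyStore>
    <Location>repository/resources/security/wso2carbon.jks</Location><Type>JKS</Type>
    <Password>wso2carbon</Password><KeyPassword>wso2carbon</KeyPassword>
  </KeyStore></parameter>
  <parameter name="truststore" locked="false"><TrustStore>
    <Location>repository/resources/security/client-truststore.jks</Location><Type>JKS</Type>
    <Password>wso2carbon</Password>
  </TrustStore></parameter>
  <parameter name="customSSLProfiles"><profile>
    <servers>backendhost.com:443</servers>
    <KeyStore><Location>repository/resources/security/backendcertificate.p12</Location>
      <Type>PKCS12</Type><Password>certificatePassword</Password>
      <KeyPassword>certificatePassword</KeyPassword></KeyStore>
  </profile></parameter>
</transportSender>"""


def _store(elem, tag):
    """Return {location, type} for a <KeyStore>/<TrustStore> child, or None if absent."""
    node = elem.find(tag) if elem is not None else None
    if node is None:
        return None
    return {"location": node.findtext("Location"), "type": node.findtext("Type")}


def resolve_ssl_profile(sender_xml, backend_url):
    """Pick the custom profile whose <servers> list contains the backend's host:port;
    otherwise fall back to the sender-wide key store and trust store."""
    root = ET.fromstring(sender_xml)
    parts = urlsplit(backend_url)
    target = f"{parts.hostname}:{parts.port or 443}"  # assumption: https default port
    params = {p.get("name"): p for p in root.findall("parameter")}
    custom = params.get("customSSLProfiles")
    for profile in (custom.findall("profile") if custom is not None else []):
        servers = [s.strip() for s in (profile.findtext("servers") or "").split(",")]
        if target in servers:
            return {"profile": target,
                    "keystore": _store(profile, "KeyStore"),
                    "truststore": _store(profile, "TrustStore")}  # None if not declared
    return {"profile": None,
            "keystore": _store(params.get("keystore"), "KeyStore"),
            "truststore": _store(params.get("truststore"), "TrustStore")}
```

A `truststore` of `None` for a matched profile tells you the profile itself does not say which CA certificates the backend's server certificate will be validated against, so that is worth confirming explicitly for your WSO2 version.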

Docs:

Multi-HTTPS Transport -  WSO2 ESB/EI
