There is a requirement in which client app will accept only certificate based authentication, I believe this can be achieved by enabling mutual SSL Auth in WSO2 EI.
This above scenario will applicable for both Inbound (Client APP --> WSO2 EI)
and Outbound Flow(WSO2 EI --> Client APP)
.
Steps followed in Local system for Testing purpose:
C:\Program Files\Java\jdk1.8.0_291\bin>keytool -genkey -keyalg RSA -alias eitest -keystore "C:\path_eiserver\repository\resources\security\eitest.jks"
C:\Program Files\Java\jdk1.8.0_291\bin>keytool -export -alias eitest -file "C:\path_eiserver\repository\resources\security\eitest_public_cert.cer" -keystore "C:\path_eiserver\\repository\resources\security\eitest.jks"
Post executing above mentioned each steps, i got below WARNING
.
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore C:\ei_pathserver\repository\resources\security\eitest.jks -destkeystore C:\ei_pathserver\repository\resources\security\eitest.jks -deststoretype pkcs12".
Even though got above WARNING
required files generated
Can i ignore above WARNING? if YES
what is the next step to make WSO2 EI REST API as secured with Mutual Authentication? if NO
can i know further steps to be taken care?
References:
May I know the complete steps to achieve this Mutual Authentication in WSO2 EI?
You don't have to create new Keystores to enable MTLS. MTLS simply requires you to import the certificates that need to be validated.
Enabling MTLS for Client EI connection
Inorder to enable MTLS for the Client -> EI
connection follow the steps below.
axis2.xml
under the <transportReceiver name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLListener">
section add the following parameter.<parameter name="SSLVerifyClient">require</parameter>
Note: If you add require
all the connections coming to WSO2 will require MTLS validations, if you want to make MTLS validation optional you can add optional
instead of require
. When set to optional
only if the Client sends its certificate MTLS validation will be performed.
Enabling MTLS for EI and Backend connection
In order to enable MTLS for the EI -> BE
connection follow the steps below.
You can either create a separate Keystore for the connection. Or you can simply point to the existing Keystore and the Trustore.
axis2.xml
and add the following to <transportSender name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLSender">
section.<parameter name="dynamicSSLProfilesConfig">
<filePath>repository/conf/sslprofiles/sslprofiles.xml</filePath>
<fileReadInterval>3600000</fileReadInterval>
</parameter>
then create a file at repository/conf/sslprofiles/sslprofiles.xml
and add the following content.
<parameter name="customSSLProfiles">
<profile>
<servers>your_server_address(e.g: something.test.com)</servers>
<KeyStore>
<Location>repository/resources/security/yourks.jks</Location>
<Type>JKS</Type>
<Password>123456</Password>
<KeyPassword>123456</KeyPassword>
</KeyStore>
<TrustStore>
<Location>repository/resources /security/yourtruststore.jks</Location>
<Type>JKS</Type>
<Password>123456</Password>
</TrustStore>
</profile>
</parameter>
With the above configuration for the connections that are made to something.test.com
MTLS will be applied.