
Mutual SSL enabled API call is not happening via postman in WSO2 API Manager 4.1.0 GA Release


I am trying Mutual SSL in WSO2 APIM 4.1.0 GA Release. I have created Self signed certificate by using Java Keytool.

OS : Windows 11

Below are the commands to generate certificate:

Creating a new keystore:

    keytool -genkey -keyalg RSA -alias dev.wso2.com -keystore "C:\pathtoAPIM\wso2am-4.1.0\repository\resources\security\devwso2.jks" -validity 4000

Convert to PKCS12 format:

    keytool -importkeystore -srckeystore C:\pathtoAPIM\wso2am-4.1.0\repository\resources\security\devwso2.jks -destkeystore C:\pathtoAPIM\wso2am-4.1.0\repository\resources\security\devwso2.jks -deststoretype pkcs12

Export the public key:

    keytool -exportcert -alias dev.wso2.com -rfc -file "C:\pathtoAPIM\wso2am-4.1.0\repository\resources\security\devwso2.pem" -keystore "C:\pathtoAPIM\wso2am-4.1.0\repository\resources\security\devwso2.jks"

Import the public key into the trust store:

    keytool -import -alias dev.wso2.com -file "C:\pathtoAPIM\wso2am-4.1.0\repository\resources\security\devwso2.pem" -keystore "C:\pathtoAPIM\wso2am-4.1.0\repository\resources\security\client-truststore.jks"

  • Certificate added successfully into truststore and validated certificate from management console too.

certificate

  • Created API in Publisher portal and enabled Mutual SSL as mandatory

mutual ssl enabled

  • Uploaded a new client certificate and marked OAuth as optional under Application level security

certificate added

  • API is published into devportal.

Invoke an API secured with Mutual SSL using Postman

  • Added the certificate and private key in the Certificate tab of Postman settings:
      Host: dev.wso2.com
      CRT file: dev.wso2.crt
      KEY file: devwso2.pem
      Passphrase: keystorepwd

  • In General tab, SSL Certificate Verification is OFF

API Hit in postman:

api hit

  • As you can see in the screenshot above, an error like Error: error:0900006e:PEM routines:OPENSSL_internal:NO_START_LINE is received in Postman.

CURL:

    curl -vk  GET "https://dev.wso2.com:8243/mutualsslapi/1.0.0" -H "accept: applicaition/json"  --cert "C:\Development_Avecto\Learning\File\dev.wso2.crt" --key "C:\Development_Avecto\Learning\File\devwso2.pem"

After executing the above curl command in cmd, I get the error below:

    * Could not resolve host: GET
    * Closing connection 0
    curl: (6) Could not resolve host: GET
    *   Trying 127.0.0.1:8243...
    * Connected to dev.wso2.com (127.0.0.1) port 8243 (#1)
    * schannel: disabled automatic use of client certificate
    * schannel: Failed to import cert file C:\Development_Avecto\Learning\File\dev.wso2.crt, last error is 0x80092002
    * Closing connection 1
    curl: (58) schannel: Failed to import cert file C:\Development_Avecto\Learning\File\dev.wso2.crt, last error is 0x80092002

May I know why this Mutual SSL protected API call is not happening? How can we fix this?

Reference Link 1

Reference link 2


Solution

  • Seems like an issue with the certificates that you are using.

    Try with the following commands to generate private key and public certificate out of it.

    Generated a Key

    openssl genrsa -out self.key 2048
    

    Generated the certificate

    openssl req -key self.key -new -x509 -days 365 -out self.crt
    

    Then test an API configured as below. Note that the certificate has been added to the API under Transport level security.

    Then use the key and certificate in Postman as below.

    You will be able to invoke the API. Test whether similar configuration like this works for Mutual SSL.
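
The NO_START_LINE error in the question means the PEM parser did not find the block type it expected, and `keytool -exportcert -rfc` writes a certificate block, never a private key. As an added example (not part of the original question or answer), these shell functions report which PEM blocks a certificate/key pair actually holds before the files are loaded into Postman or curl; the function names are made up for this example, and `pair_matches` assumes the `openssl` CLI is installed.

```shell
#!/bin/sh
# Pre-flight check for a mutual-TLS client certificate/key pair (added example).
# Usage, with the file names from the question:
#   check_client_pair dev.wso2.crt devwso2.pem && pair_matches dev.wso2.crt devwso2.pem

# Print the label of every PEM block in FILE, one per line (CRLF endings tolerated).
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1"
}

# check_client_pair CERT_FILE KEY_FILE
# Returns 0 if the block types are usable, 1 if CERT_FILE holds no certificate,
# 2 if KEY_FILE holds no private key (for example a keytool -exportcert output).
check_client_pair() {
    cert_labels=$(pem_labels "$1")
    key_labels=$(pem_labels "$2")
    # Matches CERTIFICATE and TRUSTED CERTIFICATE, but not CERTIFICATE REQUEST.
    if ! printf '%s\n' "$cert_labels" | grep -q 'CERTIFICATE$'; then
        echo "cert file: no CERTIFICATE block (found: ${cert_labels:-no PEM block, maybe DER or PKCS12})" >&2
        return 1
    fi
    # Matches PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY, ENCRYPTED PRIVATE KEY.
    if ! printf '%s\n' "$key_labels" | grep -q 'PRIVATE KEY$'; then
        echo "key file: no private key block (found: ${key_labels:-no PEM block})" >&2
        return 2
    fi
    return 0
}

# pair_matches CERT_FILE KEY_FILE
# True only if the key's public half equals the certificate's public key.
# An encrypted key makes openssl ask for its passphrase.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}
```

A return code of 2 from `check_client_pair` is the case where the file given as the key contains only a certificate block.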