Mutual SSL connection issue in WSO2 3.0.0 APIM


Problem description

How does mutual SSL work in WSO2? I am following the link https://apim.docs.wso2.com/en/latest/learn/api-security/api-authentication/secure-apis-using-mutual-ssl/ and it works locally, where the domain is localhost.

But in our production environment, where our gateway is fronted with an AWS ALB, it does not work, for the same certificate and key which I used locally.

Log error:

ERROR - MutualSSLAuthenticator Mutual SSL authentication failure [2020-11-02 10:20:56,302] ERROR - MutualSSLAuthenticator Mutual SSL authentication failure

In the WSO2 documentation it is mentioned that the following prerequisites need to be met by the load balancer:

Terminate the mutual SSL connection from the client. Pass the client SSL certificate to the Gateway in an HTTP header.

But from the AWS team I came to know that "So it is not possible to achieve Client<=>Backend TLS mutual authentication with an ALB in the middle."

It would be great if someone were able to clear up the confusion.

Recommended answer

In your scenario, the load balancer terminates the SSL connection in front of the WSO2 server.

Hence, you have to pass the certificate in a special header when invoking the request:

X-WSO2-CLIENT-CERTIFICATE

If the certificate is not presented by default (due to the SSL termination at the LB level), it checks the above header and extracts the certificate. That certificate will be checked against the client-truststore.jks and authenticated.

The following is the logic by which the certificate is extracted and verified:

https://github.com/wso2/carbon-apimgt/blob/master/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/Utils.java#L386

public static X509Certificate getClientCertificate(org.apache.axis2.context.MessageContext axis2MessageContext)
        throws APIManagementException {

    Map headers =
            (Map) axis2MessageContext.getProperty(org.apache.axis2.context.MessageContext.TRANSPORT_HEADERS);
    // Certificate chain presented on the TLS connection itself (the LB's own certificate when it terminates SSL)
    Object sslCertObject = axis2MessageContext.getProperty(NhttpConstants.SSL_CLIENT_AUTH_CERT_X509);
    X509Certificate certificateFromMessageContext = null;
    if (sslCertObject != null) {
        X509Certificate[] certs = (X509Certificate[]) sslCertObject;
        certificateFromMessageContext = certs[0];
    }
    // Header path: X-WSO2-CLIENT-CERTIFICATE forwarded by the load balancer
    if (headers.containsKey(Utils.getClientCertificateHeader())) {

        try {
            // Only trust the header when validation is disabled or the TLS-layer peer is itself in the truststore
            if (!isClientCertificateValidationEnabled() || APIUtil
                    .isCertificateExistsInTrustStore(certificateFromMessageContext)) {
                String base64EncodedCertificate = (String) headers.get(Utils.getClientCertificateHeader());
                if (base64EncodedCertificate != null) {
                    // URL-decode, strip the PEM BEGIN/END markers, then base64-decode to DER
                    base64EncodedCertificate = URLDecoder.decode(base64EncodedCertificate)
                            .replaceAll(APIConstants.BEGIN_CERTIFICATE_STRING, "")
                            .replaceAll(APIConstants.END_CERTIFICATE_STRING, "");

                    byte[] bytes = Base64.decodeBase64(base64EncodedCertificate);
                    try (InputStream inputStream = new ByteArrayInputStream(bytes)) {
                        X509Certificate x509Certificate = X509Certificate.getInstance(inputStream);
                        if (APIUtil.isCertificateExistsInTrustStore(x509Certificate)) {
                            return x509Certificate;
                        } else {
                            log.debug("Certificate in Header didn't exist in truststore");
                            return null;
                        }
                    } catch (IOException | CertificateException | APIManagementException e) {
                        String msg = "Error while converting into X509Certificate";
                        log.error(msg, e);
                        throw new APIManagementException(msg, e);
                    }
                }

            }
        } catch (APIManagementException e) {
            String msg = "Error while validating into Certificate Existence";
            log.error(msg, e);
            throw new APIManagementException(msg, e);

        }

    }
    // No usable header: fall back to the certificate from the TLS connection
    return certificateFromMessageContext;
}


Hope the above clarifies your concerns.

Thanks, Dileepa
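To make the answer's extraction logic concrete, here is an added Go example (not WSO2's code) that mirrors the header path of getClientCertificate above: URL-decode X-WSO2-CLIENT-CERTIFICATE, strip the PEM markers, base64-decode, parse the DER, and check it against a truststore. It simplifies the Java in one respect, which is an assumption of this example: the forwarder check is always enforced (the Java only enforces it when isClientCertificateValidationEnabled() is true), and a rejected header returns an error rather than falling back to the TLS-layer certificate. The truststore and the self-signed certificates are constructed test material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// TrustStore stands in for client-truststore.jks: SHA-256 fingerprints of trusted DER certificates.
type TrustStore map[[32]byte]bool

func (t TrustStore) Contains(c *x509.Certificate) bool { return t[sha256.Sum256(c.Raw)] }

// ParseHeaderCert decodes X-WSO2-CLIENT-CERTIFICATE the way the gateway does: URL-decode, strip the
// PEM markers, base64-decode, parse DER. Line breaks go too, since Go's base64 decoder rejects them.
func ParseHeaderCert(value string) (*x509.Certificate, error) {
	s, err := url.QueryUnescape(value)
	if err != nil { return nil, err }
	s = strings.NewReplacer("-----BEGIN CERTIFICATE-----", "", "-----END CERTIFICATE-----", "", "\r", "", "\n", "").Replace(s)
	der, err := base64.StdEncoding.DecodeString(s)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// ClientCertificate: tlsPeer is the certificate on the TLS connection itself (the load balancer's once
// it terminates mutual SSL); header is the forwarded value, "" if absent. The header is honoured only
// when tlsPeer is in the truststore, because otherwise any caller could forge it.
func ClientCertificate(tlsPeer *x509.Certificate, header string, trust TrustStore) (*x509.Certificate, error) {
	if header == "" { return tlsPeer, nil } // nothing in front: the TLS-layer client certificate applies
	if tlsPeer == nil || !trust.Contains(tlsPeer) { return nil, errors.New("header ignored: TLS peer not in truststore") }
	c, err := ParseHeaderCert(header)
	if err != nil { return nil, err }
	if !trust.Contains(c) { return nil, errors.New("certificate in header not in truststore") }
	return c, nil
}

// SelfSigned and HeaderValue are constructed test material: a throwaway certificate with a fresh
// random key, and the URL-encoded PEM form a load balancer would place in the header.
func SelfSigned() *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	c, _ := x509.ParseCertificate(der)
	return c
}

func HeaderValue(c *x509.Certificate) string {
	return url.QueryEscape(string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})))
}
```

In a real deployment the load balancer must also strip any X-WSO2-CLIENT-CERTIFICATE header a client sends, so the gateway only ever sees the value the LB set.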
