wso2 API Manager | How to associate a client-certificate to backend / target endpoint


Question


We have a backend API which needs a client certificate to be presented when accessing the API. We have added the client certificate to repository/resources/security/client-truststore.jks along with all Root CA and Intermediate certs. Restarted the server.


I believe WSO2 is now able to send the call to the backend API and returns with status code 403. It is returning 403 because the backend API did not receive the client certificate with the request...

{
  "timestamp": "2017-03-14T21:33:36.523Z",
  "status": 403,
  "error": "Forbidden",
  "message": "Access Denied",
  "path": "/registrations"
}


When we execute the backend directly from the server with the certificate, it works fine:

curl -k --cert /tmp/client.pem:changeit -X POST   https://10.7.64.36:8443/registrations -H "Content-Type: application/json" -d "{\"primaryAccountNumber\": \"12122121212\"}"


We get a valid response back:

{"registration_id":null,"transaction_id":null,"authentication_code":null,"qr_code_image":null,"registered":null,"status":null,"score":null,"reason_codes":[]}


So how is curl sending --cert in the request, and how do we do that in WSO2 API Manager? Please advise how to associate the client certificate to the backend URL, so that it will be sent by WSO2 API Manager and the backend will be able to process the request.

Thanks.

Answer


For mutual SSL you can refer to the following blog post.

http:///ishara-cooray.blogspot.com/2016/07/how-to-secure-your-backend-services-and.html


Here is the important part from the blog post.

Configure API Manager to enable dynamic SSL profiles


To configure APIM for Dynamic SSL Profiles for the HTTPS transport sender, you need to create a new XML file /repository/deployment/server/multi_ssl_profiles.xml (this path is configurable) and copy the below configuration into it. This will configure client-truststore.jks as the trust store for all connections to 10.100.5.130:9443.

<parameter name="customSSLProfiles">
  <profile>
    <servers>10.100.5.130:9443</servers>
    <TrustStore>
      <Location>repository/resources/security/client-truststore.jks</Location>
      <Type>JKS</Type>
      <Password>wso2carbon</Password>
    </TrustStore>
  </profile>
</parameter>


To enable dynamic loading of this configuration, add the below configuration to the Transport Sender configuration (PassThroughHttpSSLSender) of API Manager ({AM_HOME}/repository/conf/axis2.xml). Set the above file's path as the "filePath" parameter.

<parameter name="dynamicSSLProfilesConfig">
  <filePath>repository/deployment/server/multi_ssl_profiles.xml</filePath>
  <fileReadInterval>3600000</fileReadInterval>
</parameter>
<parameter name="HostnameVerifier">AllowAll</parameter>


Now both the back end service and the ESB are configured to use the default key stores, and API Manager is configured to load dynamic SSL profiles. Restart API Manager. It will show the below message in the console, confirming that the dynamic configuration was loaded.


ClientConnFactoryBuilder customSSLProfiles configuration is loaded from path:
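Before restarting the gateway it is worth linting the profile file, because the snippet above only sets a trust store: a client certificate is presented to the backend only when the profile also carries a KeyStore element (the Synapse custom SSL profile format accepts KeyStore next to TrustStore), and the HostnameVerifier=AllowAll parameter switches hostname checks off for every outbound connection. The following checker is an added example, not code from the answer or the blog post; the sample profile is constructed (the wso2carbon.jks key store path and passwords are assumed) and keeps the line break inside TrustStore Location as the answer shows it.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the answer's profile with an assumed KeyStore added, since
# the gateway can only present a client certificate if the profile names one.
# The TrustStore Location keeps the line break from the answer on purpose.
SAMPLE_PROFILE = """<parameter name="customSSLProfiles">
 <profile>
  <servers>10.100.5.130:9443</servers>
  <KeyStore>
   <Location>repository/resources/security/wso2carbon.jks</Location>
   <Type>JKS</Type>
   <Password>wso2carbon</Password>
   <KeyPassword>wso2carbon</KeyPassword>
  </KeyStore>
  <TrustStore>
   <Location>repository/resources/security/client-truststore.jks
   </Location>
   <Type>JKS</Type>
   <Password>wso2carbon</Password>
  </TrustStore>
 </profile>
</parameter>"""

DEFAULT_PASSWORDS = {"", "wso2carbon"}  # shipped default; treat as a finding

def _text(elem, path):
    node = elem.find(path)
    return None if node is None else (node.text or "")

def audit_profiles(xml_text, hostname_verifier="DefaultAndLocalhost"):
    """Return (servers, finding) tuples for a customSSLProfiles document."""
    findings = []
    for profile in ET.fromstring(xml_text).iter("profile"):
        servers = (_text(profile, "servers") or "").strip()
        for entry in servers.split(","):
            host, _, port = entry.strip().rpartition(":")
            if not host or not port.isdigit():
                findings.append((servers, f"server entry {entry!r} is not host:port"))
        if profile.find("KeyStore") is None:
            findings.append((servers, "no KeyStore: gateway cannot present a client certificate"))
        for store in ("KeyStore", "TrustStore"):
            loc = _text(profile, f"{store}/Location")
            if loc is None:
                continue
            if loc != loc.strip():
                findings.append((servers, f"{store} Location has surrounding whitespace"))
            if (_text(profile, f"{store}/Password") or "").strip() in DEFAULT_PASSWORDS:
                findings.append((servers, f"{store} uses an empty or default password"))
    if hostname_verifier == "AllowAll":
        findings.append(("*", "HostnameVerifier=AllowAll disables hostname checks"))
    return findings

if __name__ == "__main__":
    for servers, finding in audit_profiles(SAMPLE_PROFILE, "AllowAll"):
        print(f"{servers}: {finding}")
```

Run it against your own multi_ssl_profiles.xml and the HostnameVerifier value from axis2.xml; an empty result means the profile names a key store per backend, has clean store paths and non-default passwords, and hostname verification stays on.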
