wso2 API Manager | How to associate a client-certificate to backend / target endpoint

We have an API whose backend requires a client certificate to be presented when the API is accessed. We have added the client certificate, together with all the root CA and intermediate certificates, to repository/resources/security/client-truststore.jks and restarted the server.

I believe WSO2 now sends the call to the backend API and returns status code 403. It returns 403 because the backend API does not receive the client certificate it requires...

{
  "timestamp": "2017-03-14T21:33:36.523Z",
  "status": 403,
  "error": "Forbidden",
  "message": "Access Denied",
  "path": "/registrations"
}

When we call the backend directly from the server using the certificate, it works fine:

curl -k --cert /tmp/client.pem:changeit -X POST   https://10.7.64.36:8443/registrations -H "Content-Type: application/json" -d "{\"primaryAccountNumber\": \"12122121212\"}"

We get a valid response:

{"registration_id":null,"transaction_id":null,"authentication_code":null,"qr_code_image":null,"registered":null,"status":null,"score":null,"reason_codes":[]}

So, just as curl sends --cert with the request, how can this be done in WSO2 API Manager? Please advise how to associate the client certificate with the backend URL so that it is sent by WSO2 API Manager and the backend can process the request.

Thanks.

For mutual SSL you can refer to the blog post below.

http://ishara-cooray.blogspot.com/2016/07/how-to-secure-your-backend-services-and.html

Here is the important part of the blog post.

Configure API Manager to enable dynamic ssl profiles

To configure APIM for Dynamic SSL Profiles for the HTTPS transport Sender, you need to create a new XML file /repository/deployment/server/multi_ssl_profiles.xml (this path is configurable) and copy the below configuration into it. This will configure client-truststore.jks as Trust Store for all connections to 10.100.5.130:9443

<parameter name="customSSLProfiles">
  <profile>
    <servers>10.100.5.130:9443</servers>
    <TrustStore>
      <Location>repository/resources/security/client-truststore.jks</Location>
      <Type>JKS</Type>
      <Password>wso2carbon</Password>
    </TrustStore>
  </profile>
</parameter>

To enable dynamic loading of this configuration, add below configurations to the Transport Sender configuration (PassThroughHttpSSLSender) of API Manager ({AM_HOME}/repository/conf/axis2.xml). Set above file’s path as “filePath” parameter.

<parameter name="dynamicSSLProfilesConfig">
  <filePath>repository/deployment/server/multi_ssl_profiles.xml</filePath>
  <fileReadInterval>3600000</fileReadInterval>
</parameter>
<parameter name="HostnameVerifier">AllowAll</parameter>

Now both the back-end service and the ESB are configured to use the default key stores, and API Manager is configured to load dynamic SSL profiles. Restart API Manager. It will show the below message in the console, confirming that the dynamic configuration was loaded.

ClientConnFactoryBuilder customSSLProfiles configuration is loaded from path:
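As an added example (not from the question, the answer, or the blog post quoted above), here is what a dynamic SSL profile looks like when the gateway must also present its own client certificate to the backend, which is what the question asks for and what curl's --cert does. The quoted profile only declares a TrustStore; the KeyStore element below is assumed to be accepted by the same dynamic SSL profile mechanism next to TrustStore. The backend host:port is the one from the question's curl command; the key store file name and all passwords are constructed placeholders.

```xml
<!-- Added example, not from the page: one dynamic SSL profile that both
     presents a client certificate (KeyStore) and validates the backend
     (TrustStore). File names and passwords are constructed placeholders. -->
<parameter name="customSSLProfiles">
  <profile>
    <!-- Backend host:port the question calls with curl; replace with your own -->
    <servers>10.7.64.36:8443</servers>
    <!-- Key store holding the gateway's client certificate and private key:
         this is the part curl's --cert supplies and the question's setup lacks.
         The KeyStore element is assumed to be supported alongside TrustStore. -->
    <KeyStore>
      <Location>repository/resources/security/backend-client.jks</Location>
      <Type>JKS</Type>
      <Password>REPLACE_WITH_KEYSTORE_PASSWORD</Password>
      <KeyPassword>REPLACE_WITH_KEY_PASSWORD</KeyPassword>
    </KeyStore>
    <!-- Trust store with the backend's root and intermediate CA certificates,
         i.e. the client-truststore.jks the question already populated -->
    <TrustStore>
      <Location>repository/resources/security/client-truststore.jks</Location>
      <Type>JKS</Type>
      <Password>REPLACE_WITH_TRUSTSTORE_PASSWORD</Password>
    </TrustStore>
  </profile>
</parameter>
```

Two practical checks when applying this. Keep each Location on a single line: whitespace inside the element becomes part of the path and the store is then not found. And note that the HostnameVerifier value AllowAll in the quoted axis2.xml snippet turns off hostname checking of the backend's certificate; the same transport accepts DefaultAndLocalhost or Strict, which keep that check while still letting the profile select the key and trust stores. After restarting, the "ClientConnFactoryBuilder customSSLProfiles configuration is loaded from path" console line mentioned above is the confirmation that the profile file was picked up.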