In contrast to the usual one-way SSL authentication, where only the client verifies the identity of the server, in mutual SSL the server also validates the identity of the client, so that both parties trust each other. This gives a tightly secured system and avoids prompting the client for a username/password, as long as the server knows the certificates that belong to the client.
This section explains how to secure your backend by enabling mutual SSL between the API Gateway and your backend. To establish a secure connection with the backend service, API Manager needs to have the public key of the backend service in the truststore. Similarly, the backend service should have the public key of API Manager in the truststore.
Export the certificates
Generate the keys for the backend. A sample command is given below.
The keystore will be generated in your target folder.
Export the certificate from the keystore. A sample command is given below.
Import the generated backend certificate into the API Manager truststore file as shown below.
Export the public certificate from API Manager's keystore. The <APIM_HOME>/repository/resources/security/wso2carbon.jks file, which is the default keystore shipped with WSO2 API Manager, is used in this example. Use the command below to export the certificate from the default keystore. Give the default password.
To change the default keystore, generate a keystore file and copy it to the <APIM_HOME>/repository/resources/security folder. After copying the keystore, export its certificate as shown in step 2.
Import the generated certificate into your backend truststore.
You have now successfully exported the certificates for mutual SSL.
Configure API Manager to enable dynamic SSL profiles
To configure APIM for Dynamic SSL Profiles for the HTTPS transport sender, create a new XML file <APIM_HOME>/repository/deployment/server/multi_ssl_profiles.xml (this path is configurable) and copy the below configuration into it. This will configure client-truststore.jks as the Trust Store for all connections to <localhost:port>.
To enable dynamic loading of this configuration, add the below configuration to the Transport Sender configuration (PassThroughHttpSSLSender) of API Manager (<APIM_HOME>/repository/conf/axis2.xml). Set the above file's path as the
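As an added example (not configuration taken from this page or shipped with the product), the two fragments below show the shape of the files described above as assumed here: a profile in multi_ssl_profiles.xml that makes client-truststore.jks the truststore for one backend host:port, and the parameter that points PassThroughHttpSSLSender at that file. The element names are assumed to follow WSO2's dynamic SSL profile format; the host:port, password and read interval are placeholders.

```xml
<!-- <APIM_HOME>/repository/deployment/server/multi_ssl_profiles.xml
     (added example; element names assumed to follow the product's
     dynamic SSL profile format) -->
<parameter name="customSSLProfiles">
    <profile>
        <!-- placeholder: host:port of the backend this profile applies to -->
        <servers>localhost:8443</servers>
        <TrustStore>
            <!-- the truststore the backend certificate was imported into -->
            <Location>repository/resources/security/client-truststore.jks</Location>
            <Type>JKS</Type>
            <!-- placeholder: truststore password -->
            <Password>CHANGE_ME</Password>
        </TrustStore>
    </profile>
</parameter>

<!-- Fragment to place inside the PassThroughHttpSSLSender <transportSender>
     element of <APIM_HOME>/repository/conf/axis2.xml. -->
<parameter name="dynamicSSLProfilesConfig">
    <!-- path of the profiles file above -->
    <filePath>repository/deployment/server/multi_ssl_profiles.xml</filePath>
    <!-- placeholder: how often (ms) the file is re-read so edits load without restart -->
    <fileReadInterval>600000</fileReadInterval>
</parameter>
```

Keep the profile's truststore limited to the backend certificate imported in the export steps, so the gateway trusts only that backend for the listed host:port rather than every certificate in the server-wide truststore.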
You can start API Manager with the following options to see the SSL debug logs.