Certificate based authentication on the microgateway is authenticating a request based on a digital certificate, before granting access to the backend. By way of certificate based authentication the microgateway supports mutual SSL. In mutual SSL, both parties the client and the server identifies themselves in order to create a successful SSL connection. Mutual SSL allows a client to make a request without a username and password, provided that the server is aware of the client's certificate.
Enabling Certificate Based Authentication on WSO2 Microgateway
This tutorial wil be using a microgateway distribution for a single API that is in the Published state. For details on how to create a Microgateway distribution for a group of APIs, see Importing a Group of APIs from WSO2 API Manager.
Lets create a microgateway project/
- Navigate to a preferred workspace folder using the command line. (This location is used to run the Microgateway commands and to generate Microgateway artifacts.)
- Create a project using the command given belowFormat
micro-gw init <project_name>Example
micro-gw init petstore Project 'petstore' is initialized successfully.
Now lets add the API(open API definition) to the project. Navigate to the
/petstore/api_definitionsdirectory. Add the API definition(s) to th
isdirectory. A sample open API definition can be found here.
Build the microgateway distribution for the project using the following command:Format
micro-gw build <project_name>Example
$ micro-gw build petstore Build successful for the project - petstore
Once the above command is executed, An executable file (
/petstore/target/petstore.balx) is created to expose the API via WSO2 API Microgateway
- Navigate to the
<MGW-Toolkit-HOME>/resources/conf folder and open the “micro-gw.conf" file.
- Locate the "sslVerifyClient" property and change the value to "required". This will enable mutual SSL.
Configure the truststore.Change “trustStore.path” property and “trustStore.password” property under “[listenerConfig]” instance ID. The trustore should have the certificate which is used to create SSL connections.
In this tutorial, a self signed certificate is added into the already available ballerina truststore.
Now lets run the micro gateway dokcer runtime mouting executabel file(petstore.balx) and the config file (micro-gw.conf).Format
docker run -d -v <project_target_path>:/home/exec/ -v <micro-gw.conf_directory_path>:/home/ballerina/conf -p <host-HTTPS-port>:<container-HTTPS-port> -p <host-HTTP-port>:<container-HTTP-port> -e project="<MGW-project-name>" <MGW-Docker-image-name>Example
docker run -d -v /wso2am-micro-gw-toolkit-3.0.1/bin/petstore/target:/home/exec/ -v /wso2am-micro-gw-toolkit-3.0.1/resources/conf/:/home/ballerina/conf -p 9095:9095 -p 9090:9090 -e project="petstore" wso2/wso2micro-gw:3.0.1
Invoking an API using certificate based authentication
When invoking an API, you can pass the certificate to the API Microgateway as follows.
The instructions below are based on Firefox 65.0.1.
- Navigate to the browsers certificate management section. on Firefox, navigate to Preferences > Privacy & Security > Certificates
- Add the certificate used for the SSL connection.
- Invoke the REST API using a REST API client from the browser.
- The browser will present a user identification request, to select a certificate in order to use for the SSL connection. Select the certificate you added and click OK.