Hi All,

The project I have chosen is certificate based authentication for the
micro-gateway.

*Problem*

   - The micro-gateway has no certificate based authentication or mutual TLS
   establishment; it can authenticate a request using an OAuth2 token only.
   This is an overhead for trusted clients of the product, because of the
   token generation and the life cycle of OAuth2 tokens.

*Solution*

   - This project overcomes the above limitation by adding mutual TLS
   (certificate based authentication) to the micro-gateway.


*Design*

Configure the mutualSSL feature at runtime level in the configuration

The mutualSSL feature can be enabled for a micro-gateway after it has been
built, by changing a property in the “micro-gw.conf” file. The property is
“sslVerifyClient”, under the “[mtslConfig]” instance ID of “micro-gw.conf”.
By default this value is set to “false”.

    When this property is set as follows,

        sslVerifyClient = "false"

the micro-gateway functions as before, using OAuth or JWT tokens for
authentication.

    To enable mutualSSL in a micro-gateway, the user has to change
“sslVerifyClient” as follows,

        sslVerifyClient = "require"

and also has to change the KeyStore path and KeyStore password in the same
“micro-gw.conf” file: the “keyStore.path” and “keyStore.password” properties
under the “[listenerConfig]” instance ID have to be changed.

    When the MutualSSL feature is enabled in the micro-gateway, the
authentication process is done in the transport layer, and therefore OAuth
headers or JWT tokens are not needed for requests from trusted clients. If
mutualSSL is enabled in the micro-gateway, the “Authentication_Filter” and
“Authorization_Filter” are skipped by the newly introduced
“Mutual_SSL_Filter”, and the details needed for throttling are also appended
by this “Mutual_SSL_Filter”. The listener.bal file then looks as follows,


endpoint gateway:APIGatewaySecureListener apiSecureListener {
    port:9095,
    filters:[mtslFilter, authnFilter, authorizationFilter, subscriptionFilter,
             throttleFilter, analyticsFilter, extensionFilter]
};


micro-gw.conf will change as follows,

[mtslConfig]
protocolName="TLS"
protocolVersions=["TLSv1.2", "TLSv1.1"]
ciphers=["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
  "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256","TLS_RSA_WITH_AES_128_CBC_SHA256","TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
  "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256","TLS_DHE_RSA_WITH_AES_128_CBC_SHA256","TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
  "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_128_CBC_SHA",
  "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA","TLS_ECDH_RSA_WITH_AES_128_CBC_SHA","TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
  "TLS_DHE_DSS_WITH_AES_128_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  "TLS_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
  "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256","TLS_DHE_RSA_WITH_AES_128_GCM_SHA256","TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA","TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA","SSL_RSA_WITH_3DES_EDE_CBC_SHA",
  "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA","TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA","SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
  "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA","TLS_EMPTY_RENEGOTIATION_INFO_SCSV"]
sslVerifyClient="optional"
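As an added example, not part of this mail or of the micro-gateway code, here is a small Python audit of a [mtslConfig] block like the one above: it parses the key/value and array syntax of micro-gw.conf (tolerating quotes split across lines as in the pasted list), reports whether sslVerifyClient actually requires a client certificate, and flags the deprecated TLSv1.1 and the 3DES, CBC and non-forward-secret suites in the cipher list. The sample configuration is constructed, and the weak-cipher rules are general TLS baseline checks, not something the gateway itself performs.

```python
import re

# Constructed sample (not the mail's full config): a [mtslConfig] block like the one
# above, keeping a quote split across lines and a stray space as in the pasted list.
SAMPLE_CONF = """
[mtslConfig]
protocolName="TLS"
protocolVersions=["TLSv1.2", "TLSv1.1"]
ciphers=["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256","
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA","TLS_RSA_WITH_AES_128_CBC_SHA"," TLS_EMPTY_RENEGOTIATION_INFO_SCSV"]
sslVerifyClient="optional"
"""

DEPRECATED_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}  # RFC 7568 / RFC 8996
WEAK_CIPHER_RULES = {  # general TLS baseline checks, not micro-gateway logic
    "3DES (64-bit block, Sweet32)": re.compile(r"3DES"),
    "non-AEAD CBC suite": re.compile(r"_CBC_"),
    "no forward secrecy (static RSA/ECDH)": re.compile(r"^(TLS|SSL)_(RSA_WITH|ECDH_(RSA|ECDSA)_WITH)"),
}

def parse_section(text, section):  # -> {key: str | list[str]} for one [section] block
    m = re.search(r"^\[%s\][ \t]*\n(.*?)(?=^\[|\Z)" % re.escape(section), text, re.M | re.S)
    if not m:
        return {}
    result = {}
    for km in re.finditer(r'^\s*(\w+)\s*=\s*(\[[^\]]*\]|"[^"]*")', m.group(1), re.M):
        key, raw = km.group(1), km.group(2)
        values = re.findall(r'"\s*([^"]*?)\s*"', raw)  # drop whitespace/newlines inside quotes
        result[key] = values if raw.startswith("[") else values[0]
    return result

def audit_mtls(conf_text):  # is client-cert auth enforced, and is the TLS setup at baseline?
    cfg = parse_section(conf_text, "mtslConfig")
    mode = cfg.get("sslVerifyClient", "false")  # "false" is the default named in the mail
    findings = []
    if mode == "false":
        findings.append("sslVerifyClient=false: mutual TLS off, only OAuth2/JWT tokens authenticate")
    elif mode == "optional":
        findings.append("sslVerifyClient=optional: handshake succeeds without a client certificate, so token authentication must still run for those clients")
    for proto in cfg.get("protocolVersions", []):
        if proto in DEPRECATED_PROTOCOLS:
            findings.append("deprecated protocol enabled: " + proto)
    for cipher in cfg.get("ciphers", []):
        if cipher.endswith("_SCSV"):
            continue  # signalling value (renegotiation_info), not a cipher suite
        for label, rule in WEAK_CIPHER_RULES.items():
            if rule.search(cipher):
                findings.append("%s: %s" % (label, cipher))
    return {"enforced": mode == "require", "findings": findings}
```

Run it against a real micro-gw.conf to confirm that "require" is set before relying on the Mutual_SSL_Filter to skip the token filters.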

Thank You

-- 
*Chamindu Udakara *
*Software engineering Intern*
WSO2  (University of Moratuwa)
*mobile *: *+94 755285531*  |   *email *:  cudak...@gmail.com

_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture