Hi Bhashinee Akka,

It was a mistake to put that parameter value as "optional" since we are not providing optional support. I will change it to false or "not required".

Thank You

On Mon, Oct 22, 2018 at 3:07 PM Bhashinee Nirmali <[email protected]> wrote:

> Hi Chamindu,
>
> On Mon, Oct 22, 2018 at 10:22 AM Chamindu Udakara <[email protected]> wrote:
>
>> Hi All,
>>
>> The project I have chosen is Certificate based authentication for micro gateway.
>>
>> *Problem*
>>
>> - Micro-gateway does not have certificate based authentication or Mutual TLS establishment, and micro-gateway can authenticate a request using an OAuth2 token only. This is an overhead for trusted clients who are using this product because of the token generation and life cycle of OAuth2 tokens.
>>
>> *Solution*
>>
>> - This project is carried out to overcome the above limitation by providing Mutual TLS (Certificate based authentication) to micro-gateway.
>>
>> *Design*
>>
>> Configure mutualSSL feature at runtime level in configuration
>>
>> The MutualSSL feature can be enabled for a micro-gateway after it was built by changing a property in the "micro-gw.conf" file. There is a property "sslVerifyClient" in this "micro-gw.conf" file under the "[mtslConfig]" instance ID. By default this value is set to "false".
>>
>> When this property is shown as above,
>>
>> sslVerifyClient = "false"
>>
>> the micro-gateway will function as before, using OAuth or JWT tokens as authentication.
>>
>> To enable mutualSSL in a micro-gateway, the user has to change this "sslVerifyClient" as follows,
>>
>> sslVerifyClient = "require"
>>
>> and the user has to change the KeyStore path and KeyStore password in this "micro-gw.conf" file. The "keyStore.path" property and "keyStore.password" property under the "[listenerConfig]" instance ID have to be changed.
>>
>> By enabling this MutualSSL feature in micro-gateway, the authentication process is done in the transport layer and therefore OAuth headers or a JWT token will not be needed for requests from trusted clients. If mutualSSL is enabled in the micro-gateway, "Authentication_Filter" and "Authorization_Filter" will be skipped by the newly introduced "Mutual_SSL_Filter". And the details needed for throttling are also appended by this "Mutual_SSL_Filter". Then the listener.bal file looks as follows,
>>
>> endpoint gateway:APIGatewaySecureListener apiSecureListener {
>>     port:9095,
>>     filters:[ mtslFilter, authnFilter, authorizationFilter, subscriptionFilter, throttleFilter, analyticsFilter, extensionFilter]
>> };
>>
>> micro-gw.conf will change as follows,
>>
>> [mtslConfig]
>> protocolName="TLS"
>> protocolVersions=["TLSv1.2", "TLSv1.1"]
>> ciphers=["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
>> "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256","TLS_RSA_WITH_AES_128_CBC_SHA256","TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
>> "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256","TLS_DHE_RSA_WITH_AES_128_CBC_SHA256","TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
>> "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_128_CBC_SHA",
>> "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA","TLS_ECDH_RSA_WITH_AES_128_CBC_SHA","TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
>> "TLS_DHE_DSS_WITH_AES_128_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
>> "TLS_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
>> "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256","TLS_DHE_RSA_WITH_AES_128_GCM_SHA256","TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
>> "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA","TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA","SSL_RSA_WITH_3DES_EDE_CBC_SHA",
>> "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA","TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA","SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
>> "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA","TLS_EMPTY_RENEGOTIATION_INFO_SCSV"]
>
> I hope the above configurations (protocolName, protocolVersions, ciphers) are not mandatory fields to enable mutual SSL. Because these are not specific to mutual SSL. They can be configured in 1 way SSL as well. So how about changing the name [mtslConfig] to [SslConfig]?
>
>> sslVerifyClient="optional"
>
> What do you mean by setting sslVerifyClient="optional"? Does that mean that you first check if the mutual SSL has succeeded and if it has succeeded you skip OAuth or JWT tokens authentication and if mutual SSL fails, you continue with OAuth or JWT tokens authentication as well?
>
>> Thank You
>>
>> --
>> *Chamindu Udakara*
>> *Software engineering Intern*
>> WSO2 (University of Moratuwa)
>> *mobile*: *+94 755285531* | *email*: [email protected]
>
> --
> *Bhashinee Nirmali*
> *Software Engineer*
> *WSO2 Lanka (Private) Limited: http://wso2.com*
> *lean.enterprise.middle-ware*
> *phone: (+94) 71 21 50003*

--
*Chamindu Udakara*
*Software engineering Intern*
WSO2 (University of Moratuwa)
*mobile*: *+94 755285531* | *email*: [email protected]

_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
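The design discussed in the thread, as an added example that is not part of the thread and not WSO2 micro-gateway code: a Python model, using only the standard `ssl` module, of how the `sslVerifyClient` values map onto a listener's client-certificate policy and of what the `Mutual_SSL_Filter` decides for a request. It assumes a constructed `micro-gw.conf` fragment with placeholder paths and password, PEM key material in place of the Java keystore (Python's `ssl` cannot read a JKS/PKCS12 keystore directly), a hypothetical `trustStore.path` key for the CA that client certificates must chain to, and arrays written on a single line. The filter names are the ones from the `listener.bal` above. Following the correction at the top of the thread, "optional" is not an accepted value: anything other than "false" or "require" is rejected so a misspelt or unsupported setting fails closed rather than silently behaving like "false".

```python
import ssl
from typing import Dict, List, Union

ConfValue = Union[str, List[str]]
Conf = Dict[str, Dict[str, ConfValue]]

# Constructed micro-gw.conf fragment using the keys named in the thread.
# Paths and the password are placeholders, not real deployment values.
# The thread's protocolVersions list also enables TLSv1.1; it is left out here
# because TLS 1.0/1.1 are deprecated (RFC 8996).
SAMPLE_CONF = """
[listenerConfig]
keyStore.path = "/path/to/listener-key-and-cert.pem"
keyStore.password = "CHANGE_ME"

[mtslConfig]
protocolName = "TLS"
protocolVersions = ["TLSv1.2"]
ciphers = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"]
sslVerifyClient = "require"
"""

# Filter chain from the thread's listener.bal; mtslFilter runs first.
FULL_CHAIN = ["mtslFilter", "authnFilter", "authorizationFilter", "subscriptionFilter",
              "throttleFilter", "analyticsFilter", "extensionFilter"]

# Only the two values the thread settles on. "optional" is deliberately absent.
VERIFY_MODES = {"false": ssl.CERT_NONE, "require": ssl.CERT_REQUIRED}

TLS_VERSIONS = {"TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}


def _parse_string(value: str) -> str:
    """A double-quoted string, as used for every scalar in the fragment."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    raise ValueError(f"unsupported value syntax: {value!r}")


def _parse_value(value: str) -> ConfValue:
    """Quoted string or a single-line array of quoted strings."""
    if value.startswith("[") and value.endswith("]"):
        inner = value[1:-1].strip()
        return [_parse_string(v.strip()) for v in inner.split(",")] if inner else []
    return _parse_string(value)


def parse_micro_gw_conf(text: str) -> Conf:
    """Minimal reader for the [section] / key = value layout shown in the thread.
    A deployment should use a full TOML parser; this covers only the fragment."""
    conf: Conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, _, value = line.partition("=")
        conf[section][key.strip()] = _parse_value(value.strip())
    return conf


def verify_mode_for(ssl_verify_client: str) -> ssl.VerifyMode:
    """Map sslVerifyClient to the listener's client-certificate policy; fail closed otherwise."""
    try:
        return VERIFY_MODES[ssl_verify_client]
    except KeyError:
        raise ValueError(f"unsupported sslVerifyClient value: {ssl_verify_client!r}") from None


def build_listener_context(conf: Conf) -> ssl.SSLContext:
    """Server-side context for the secure listener; key material is loaded separately."""
    mtsl = conf["mtslConfig"]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = verify_mode_for(str(mtsl["sslVerifyClient"]))
    try:
        versions = [TLS_VERSIONS[v] for v in mtsl["protocolVersions"]]
    except KeyError as exc:
        raise ValueError(f"protocol version not offered by this example: {exc.args[0]!r}") from None
    ctx.minimum_version = min(versions)
    ctx.maximum_version = max(versions)
    # ctx.set_ciphers() expects OpenSSL names, not the IANA names used in the conf,
    # so the cipher list needs a name mapping before it can be applied; omitted here.
    return ctx


def load_listener_keys(ctx: ssl.SSLContext, conf: Conf) -> None:
    """Load the listener's own key/cert and, for "require", the CA for client certs.
    Assumes PEM files; 'trustStore.path' is an assumed key, not one from the thread."""
    listener = conf["listenerConfig"]
    ctx.load_cert_chain(str(listener["keyStore.path"]), password=str(listener["keyStore.password"]))
    if ctx.verify_mode == ssl.CERT_REQUIRED:
        ctx.load_verify_locations(cafile=str(listener["trustStore.path"]))


def filter_chain_for_request(ssl_verify_client: str, peer_cert_verified: bool) -> List[str]:
    """What Mutual_SSL_Filter decides for one request."""
    mode = verify_mode_for(ssl_verify_client)
    if mode == ssl.CERT_NONE:
        return list(FULL_CHAIN)  # mtslFilter passes through; tokens are still checked
    if not peer_cert_verified:
        # With CERT_REQUIRED the handshake already failed before reaching here; checking
        # again keeps the filter safe if the listener itself is misconfigured.
        raise PermissionError("mutual SSL required but no verified client certificate")
    return [f for f in FULL_CHAIN if f not in ("authnFilter", "authorizationFilter")]


if __name__ == "__main__":
    conf = parse_micro_gw_conf(SAMPLE_CONF)
    ctx = build_listener_context(conf)
    print("verify_mode:", ctx.verify_mode.name, "chain:", filter_chain_for_request("require", True))
    # load_listener_keys(ctx, conf) is the next step once real PEM files exist.
```

The point of keeping "optional" out of `VERIFY_MODES` is that the token filters are skipped only on a path the transport layer has already authenticated; a value that is neither "false" nor "require" must stop the listener from starting rather than degrade to token-only authentication. Operators applying the cipher list from the thread should also note that it includes 3DES and CBC suites, which modern deployments normally leave out.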
