On Mon, Jan 7, 2019 at 8:59 AM Chamindu Udakara <[email protected]> wrote:

> Hi Bhashinee,
>
> Yeah, it will help us to proceed with the validation part in filters. And it
> will help to provide the optional support with the mutual SSL feature.
> Ack. Thanks!
>
> Thanks
>
> On Sat, Jan 5, 2019 at 10:50 PM Bhashinee Nirmali <[email protected]> wrote:
>
>> Hi All,
>>
>> To identify whether the mutual SSL authentication has been done
>> successfully, will it be okay if we send a parameter in the request saying
>> whether it failed or not? So that we can continue with the filters depending
>> on the retrieved value of that parameter.
>>
>> Thanks,
>> Bhashinee
>>
>> On Sun, Oct 28, 2018 at 7:57 PM Chamindu Udakara <[email protected]> wrote:
>>
>>> Sure, will do that akka. Thanks
>>>
>>> On Sun, Oct 28, 2018 at 3:39 PM Bhashinee Nirmali <[email protected]> wrote:
>>>
>>>> Hi Chamindu,
>>>>
>>>> Can you please initiate a mail thread in [email protected]
>>>> mentioning the improvements that you need to come from the ballerina side
>>>> in order to continue this? So that we can discuss how feasible it is to
>>>> provide these improvements with the ballerina team.
>>>>
>>>> Thanks,
>>>> Bhashinee
>>>>
>>>> On Tue, Oct 23, 2018 at 12:44 PM Bhashinee Nirmali <[email protected]> wrote:
>>>>
>>>>> Hi Rajith,
>>>>>
>>>>> As of now, Ballerina doesn't support setting mutual SSL to 'optional'.
>>>>> It only supports the 'require' option. With that, it requires client
>>>>> certificate authentication. The connection will terminate if no suitable
>>>>> client certificate is presented. So currently there is no way of doing
>>>>> that. Better to create an issue to track this requirement.
>>>>>
>>>>> Hi Chamindu,
>>>>>
>>>>> If this is a valid requirement to set it to optional, we'll keep it in
>>>>> that way. As we do not support it from Ballerina now, let's keep that
>>>>> option disabled. So once the support is given from Ballerina, we can
>>>>> continue using that option as well.
>>>>>
>>>>> Thanks,
>>>>> Bhashinee
>>>>>
>>>>> On Mon, Oct 22, 2018 at 5:16 PM Chamindu Udakara <[email protected]> wrote:
>>>>>
>>>>>> Hi Bhashinee Akka,
>>>>>>
>>>>>> It was a mistake to put that parameter value as "optional" since we
>>>>>> are not providing optional support. I will change it to false or "not
>>>>>> required".
>>>>>>
>>>>>> Thank You
>>>>>>
>>>>>> On Mon, Oct 22, 2018 at 3:07 PM Bhashinee Nirmali <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Chamindu,
>>>>>>>
>>>>>>> On Mon, Oct 22, 2018 at 10:22 AM Chamindu Udakara <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi All,
>>>>>>>>
>>>>>>>> The project I have chosen is Certificate based authentication for
>>>>>>>> micro gateway.
>>>>>>>>
>>>>>>>> *Problem*
>>>>>>>>
>>>>>>>> - Micro-gateway does not have certificate based authentication or
>>>>>>>>   Mutual TLS establishment, and micro-gateway can authenticate a
>>>>>>>>   request using an OAuth2 token only. This is an overhead for trusted
>>>>>>>>   clients who are using this product because of the token generation
>>>>>>>>   and life cycle of OAuth2 tokens.
>>>>>>>>
>>>>>>>> *Solution*
>>>>>>>>
>>>>>>>> - This project is carried out to overcome the above limitation by
>>>>>>>>   providing Mutual TLS (Certificate based authentication) to
>>>>>>>>   micro-gateway.
>>>>>>>>
>>>>>>>> *Design*
>>>>>>>>
>>>>>>>> Configure mutualSSL feature at runtime level in configuration
>>>>>>>>
>>>>>>>> The MutualSSL feature can be enabled for a micro-gateway after it was
>>>>>>>> built by changing a property in the “micro-gw.conf” file. There is a
>>>>>>>> property “sslVerifyClient” in this “micro-gw.conf” file under the
>>>>>>>> “[mtslConfig]” Instance ID. By default this value is set to “false”.
>>>>>>>>
>>>>>>>> When this property is set as follows,
>>>>>>>>
>>>>>>>>     sslVerifyClient = “false”
>>>>>>>>
>>>>>>>> the micro-gateway will function as previously, using OAuth or JWT
>>>>>>>> tokens for authentication.
>>>>>>>>
>>>>>>>> To enable mutualSSL in a micro-gateway, the user has to change this
>>>>>>>> “sslVerifyClient” as follows,
>>>>>>>>
>>>>>>>>     sslVerifyClient = “require”
>>>>>>>>
>>>>>>>> and the user has to change the KeyStore path and KeyStore password in
>>>>>>>> this “micro-gw.conf” file. The “keyStore.path” property and
>>>>>>>> “keyStore.password” property under the “[listenerConfig]” instance ID
>>>>>>>> have to be changed.
>>>>>>>>
>>>>>>>> By enabling this MutualSSL feature in micro-gateway, the
>>>>>>>> authentication process is done in the transport layer and therefore
>>>>>>>> OAuth headers or JWT tokens will not be needed for requests from
>>>>>>>> trusted clients. If mutualSSL is enabled in the micro-gateway,
>>>>>>>> “Authentication_Filter” and “Authorization_Filter” will be skipped by
>>>>>>>> the newly introduced “Mutual_SSL_Filter”. And the details needed for
>>>>>>>> throttling are also appended by this “Mutual_SSL_Filter”.
>>>>>>>>
>>>>>>>> Then the listener.bal file looks as follows,
>>>>>>>>
>>>>>>>>     endpoint gateway:APIGatewaySecureListener apiSecureListener {
>>>>>>>>         port:9095,
>>>>>>>>         filters:[ mtslFilter, authnFilter, authorizationFilter,
>>>>>>>>                   subscriptionFilter, throttleFilter, analyticsFilter, extensionFilter]
>>>>>>>>     };
>>>>>>>>
>>>>>>>> micro-gw.conf will change as follows,
>>>>>>>>
>>>>>>>>     [mtslConfig]
>>>>>>>>     protocolName="TLS"
>>>>>>>>     protocolVersions=["TLSv1.2", "TLSv1.1"]
>>>>>>>>     ciphers=["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
>>>>>>>>              "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256",
>>>>>>>>              "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
>>>>>>>>              "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
>>>>>>>>              "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
>>>>>>>>              "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
>>>>>>>>              "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
>>>>>>>>              "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
>>>>>>>>              "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_GCM_SHA256",
>>>>>>>>              "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
>>>>>>>>              "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
>>>>>>>>              "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
>>>>>>>>              "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
>>>>>>>>              "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
>>>>>>>>              "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
>>>>>>>>              "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"]
>>>>>>>>
>>>>>>>
>>>>>>> I hope the above configurations (protocolName, protocolVersions,
>>>>>>> ciphers) are not mandatory fields to enable mutual SSL. Because these
>>>>>>> are not specific to mutual SSL. They can be configured in 1-way SSL as
>>>>>>> well. So how about changing the name [mtslConfig] to [SslConfig]?
>>>>>>>
>>>>>>>>     sslVerifyClient="optional"
>>>>>>>>
>>>>>>>
>>>>>>> What do you mean by setting sslVerifyClient="optional"? Does that
>>>>>>> mean that you first check if the mutual SSL has succeeded and, if it
>>>>>>> has succeeded, you skip OAuth or JWT token authentication, and if
>>>>>>> mutual SSL fails, you continue with OAuth or JWT token authentication
>>>>>>> as well?
>>>>>>>
>>>>>>>> Thank You
>>>>>>>>
>>>>>>>> --
>>>>>>>> *Chamindu Udakara*
>>>>>>>> *Software engineering Intern*
>>>>>>>> WSO2 (University of Moratuwa)
>>>>>>>> *mobile*: *+94 755285531* | *email*: [email protected]
>>>>>>>
>>>>>>> --
>>>>>>> *Bhashinee Nirmali*
>>>>>>> *Software Engineer*
>>>>>>> *WSO2 Lanka (Private) Limited: http://wso2.com*
>>>>>>> *lean.enterprise.middle-ware*
>>>>>>> *phone: (+94) 71 21 50003*

--
*Bhashinee Nirmali*
*Software Engineer*
*WSO2 Lanka (Private) Limited: http://wso2.com*
*lean.enterprise.middle-ware*
*phone: (+94) 71 21 50003*

_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
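The filter-chain rule discussed in the thread, modelled in Python as an added example (not code from the thread or from the WSO2 micro-gateway project): it reads sslVerifyClient from a constructed micro-gw.conf fragment, applies the rule that Mutual_SSL_Filter skips the authentication and authorization filters, treats "optional" the way Bhashinee's question describes (fall back to token authentication when the client certificate check fails, driven by the per-request parameter proposed later in the thread), and flags the TLSv1.1 and 3DES entries that appear in the sample config. The function names, the minimal config reader and the sample fragment are assumptions.

```python
import ast

# Constructed micro-gw.conf fragment in the shape shown in the thread
# (the real cipher list is much longer; two entries are enough here).
MICRO_GW_CONF = """[mtslConfig]
protocolName="TLS"
protocolVersions=["TLSv1.2", "TLSv1.1"]
ciphers=["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "SSL_RSA_WITH_3DES_EDE_CBC_SHA"]
sslVerifyClient="require"
"""
# Filter order taken from the listener.bal in the thread.
FULL_CHAIN = ["mtslFilter", "authnFilter", "authorizationFilter",
              "subscriptionFilter", "throttleFilter", "analyticsFilter",
              "extensionFilter"]
TOKEN_FILTERS = {"authnFilter", "authorizationFilter"}
ALLOWED_MODES = {"false", "require", "optional"}

def read_section(conf_text, section):
    # Minimal reader for flat key=value lines of one [section]; TOML strings and
    # string arrays are also valid Python literals. Not a full TOML parser.
    values, current = {}, None
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            current = line.strip("[]")
        elif line and current == section:
            key, _, raw = line.partition("=")
            values[key.strip()] = ast.literal_eval(raw.strip())
    return values

def verify_mode(conf_text):
    # Reject anything other than the three values discussed in the thread.
    mode = read_section(conf_text, "mtslConfig").get("sslVerifyClient", "false")
    if mode not in ALLOWED_MODES:
        raise ValueError(f"unknown sslVerifyClient value: {mode!r}")
    return mode

def filters_to_run(mode, client_cert_verified):
    # client_cert_verified models the per-request parameter Bhashinee proposes.
    if mode == "require" and not client_cert_verified:
        return []  # listener terminates the handshake; no filter runs
    skip_tokens = mode != "false" and client_cert_verified
    return [f for f in FULL_CHAIN if not (skip_tokens and f in TOKEN_FILTERS)]

def weak_settings(conf_text):
    # [mtslConfig] entries a reviewer would flag: legacy protocol versions and 3DES suites.
    cfg = read_section(conf_text, "mtslConfig")
    old = [v for v in cfg.get("protocolVersions", []) if v not in ("TLSv1.2", "TLSv1.3")]
    des = [c for c in cfg.get("ciphers", []) if "3DES" in c]
    return old + des
```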
