Hi Gayan,

Once the load balancer passes the certificate in the header to the server,
the Tomcat valve will read that and set it as a request attribute. You can
find the code related to this here [1].

[1]
https://github.com/wso2-extensions/identity-x509-commons/blob/master/components/valve/src/main/java/org/wso2/carbon/extension/identity/x509Certificate/valve/X509CertificateAuthenticationValve.java#L44

Thanks,
Piraveena
*Piraveena Paralogarajah*
Software Engineer | WSO2 Inc.
*(m)* +94776099594 | *(e)* pirave...@wso2.com
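
The header hand-off described in this message, sketched as an added example (not the valve code linked above and not WSO2 code). It assumes Java 17, a URL-encoded PEM header value, and placeholder values for the load balancer address, the API context and the pinned fingerprint.

```java
import java.io.ByteArrayInputStream;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.HexFormat;
import java.util.Map;
import java.util.Set;

public class ForwardedClientCert {
    // Assumed values: load balancer address, API context and fingerprint are placeholders.
    static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.5");
    static final Map<String, Set<String>> API_CERTS =
            Map.of("/orders/v1", Set.of("<sha256-hex-of-allowed-client-cert>"));

    /** Returns the forwarded certificate, or throws if the request must be rejected. */
    static X509Certificate authenticate(String peerAddr, String header, String api) throws Exception {
        // The header only carries meaning when the TCP peer is the TLS terminator;
        // from any other peer it is caller-supplied text and must be ignored.
        if (!TRUSTED_PROXIES.contains(peerAddr))
            throw new SecurityException("certificate header from untrusted peer " + peerAddr);
        if (header == null || header.isBlank())
            throw new SecurityException("no client certificate forwarded");
        // Assumption: the load balancer forwards the certificate as URL-encoded PEM.
        String pem = URLDecoder.decode(header, StandardCharsets.UTF_8);
        X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
        cert.checkValidity(); // rejects expired and not-yet-valid certificates
        String fp = HexFormat.of().formatHex(
                MessageDigest.getInstance("SHA-256").digest(cert.getEncoded()));
        // API-to-certificate mapping kept on the gateway side rather than at the terminator.
        if (!API_CERTS.getOrDefault(api, Set.of()).contains(fp))
            throw new SecurityException("certificate not allowed for " + api);
        return cert; // a valve or handler would now set this as a request attribute
    }

    public static void main(String[] args) {
        String[][] cases = { // constructed inputs: {peer address, header value, API context}
            {"203.0.113.9", "-----BEGIN%20CERTIFICATE-----", "/orders/v1"}, // not from the LB
            {"10.0.0.5", "not-a-certificate", "/orders/v1"},                // malformed header
        };
        for (String[] c : cases) {
            try {
                authenticate(c[0], c[1], c[2]);
                System.out.println("accepted");
            } catch (Exception e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Both constructed cases are rejected; a real forwarded certificate is accepted only when its SHA-256 fingerprint is listed for the requested API.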



On Thu, Sep 26, 2019 at 7:44 PM gayan gunawardana <gmgunaward...@gmail.com>
wrote:

> Hi Piraveena,
>
> Thanks for the detailed response.
> However, I am referring to APIM synapse endpoints and API authentication
> handlers. Having the x509 authenticator is great; probably I will extract the x509
> authenticator code for a custom API authentication handler.
>
> Thanks,
> Gayan
>
> On Thu, Sep 26, 2019 at 7:52 AM Piraveena Paralogarajah <
> pirave...@wso2.com> wrote:
>
>> Hi Gayan,
>>
>> During SSL termination, the load balancer will drop the client's
>> certificate. From the load balancer, you can send the client's
>> certificate as an HTTP header. The x509 authenticator in IS already supports SSL
>> termination. You can check the blog [1] and the doc [2] for the configs.
>>
>> [1]
>> https://medium.com/@piraveenaparalogarajah/configuring-x509-authenticator-in-wso2-identity-server-using-ssl-termination-with-nginx-1c21c6e5f27a
>> [2]
>> https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509+Authenticator+with+SSL+Termination
>>
>> Thanks,
>> Piraveena
>> *Piraveena Paralogarajah*
>> Software Engineer | WSO2 Inc.
>> *(m)* +94776099594 | *(e)* pirave...@wso2.com
>>
>>
>>
>> On Wed, Sep 25, 2019 at 11:47 AM gayan gunawardana <
>> gmgunaward...@gmail.com> wrote:
>>
>>>
>>>
>>> On Wed, Sep 25, 2019 at 6:49 AM Asela Pathberiya <as...@wso2.com> wrote:
>>>
>>>>
>>>>
>>>> On Wed, Sep 25, 2019 at 10:47 AM gayan gunawardana <
>>>> gmgunaward...@gmail.com> wrote:
>>>>
>>>>> Hi APIM team,
>>>>>
>>>>> Is there any recommended deployment pattern to implement [1] if SSL
>>>>> termination happens at the load balancer?
>>>>>
>>>>
>>>> One option is sending the client certificate's data using an HTTP
>>>> header. Also, it can be done at the SSL termination point as it has access
>>>> to the client certificate.
>>>>
>>>> I assume that we have implemented such a sample handler for GW.
>>>>
>>> Thanks a lot for the quick reply.
>>> I suppose sending the client certificate's data using an HTTP header is
>>> much more convenient.
>>> Having it on the SSL termination point is also a good option, but the problem
>>> is, when we have multiple APIs with multiple certificates, how to maintain
>>> the API-to-certificate mapping at the SSL termination point.
>>>
>>>>
>>>> Thanks,
>>>> Asela.
>>>>
>>>>
>>>>>
>>>>> [1] https://docs.wso2.com/display/AM260/Securing+APIs+with+Mutual+SSL
>>>>>
>>>>> --
>>>>> Gayan
>>>>> _______________________________________________
>>>>> Architecture mailing list
>>>>> Architecture@wso2.org
>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>
>>>>
>>>>
>>>> --
>>>> Thanks & Regards,
>>>> Asela
>>>>
>>>> Mobile : +94 777 625 933
>>>>
>>>> http://soasecurity.org/
>>>> http://xacmlinfo.org/
>>>>
>>>
>>>
>>> --
>>> Gayan
>>>
>>
>
> --
> Gayan
>
