Hi All,

Thanks for the help! I could get this working by writing a custom API authentication handler. However, as per my understanding, the name "MutualSSLAuthenticator" is hard coded in APIAuthenticationHandler [1], where a custom mutual SSL authenticator is not directly pluggable unless you write a custom APIAuthenticationHandler too. Something like reflection, Class.forName(), might work here. Also, having a custom APIAuthenticationHandler might not be a good idea in terms of WSO2 updates as well. This may be a frequently customized point where in some cases, e.g., we need to extract the CN value from the incoming certificate. It would be really great if you can provide better extendability as per the open/closed principle.

Further, I think this is a generic requirement for any production deployment, and it is better to provide steps in the production deployment guideline.

[1] https://github.com/wso2/carbon-apimgt/blob/master/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/APIAuthenticationHandler.java#L288

Thanks,
Gayan

On Thu, Sep 26, 2019 at 4:25 PM gayan gunawardana <gmgunaward...@gmail.com> wrote:

> On Thu, Sep 26, 2019 at 3:56 PM Piraveena Paralogarajah <pirave...@wso2.com> wrote:
>
>> Hi Gayan,
>>
>> Once the load balancer passes the certificate in the header to the server, the Tomcat valve will read that and set it as a request attribute. You can find the code related to this here [1].
>>
>> [1] https://github.com/wso2-extensions/identity-x509-commons/blob/master/components/valve/src/main/java/org/wso2/carbon/extension/identity/x509Certificate/valve/X509CertificateAuthenticationValve.java#L44
>
> Thank you :)
>
>> Thanks,
>> Piraveena
>> *Piraveena Paralogarajah*
>> Software Engineer | WSO2 Inc.
>> *(m)* +94776099594 | *(e)* pirave...@wso2.com
>>
>> On Thu, Sep 26, 2019 at 7:44 PM gayan gunawardana <gmgunaward...@gmail.com> wrote:
>>
>>> Hi Piraveena,
>>>
>>> Thanks for the detailed response. However, I am referring to APIM Synapse endpoints and API authentication handlers. Having the x509 authenticator is great; probably I will extract the x509 authenticator code for a custom API authentication handler.
>>>
>>> Thanks,
>>> Gayan
>>>
>>> On Thu, Sep 26, 2019 at 7:52 AM Piraveena Paralogarajah <pirave...@wso2.com> wrote:
>>>
>>>> Hi Gayan,
>>>>
>>>> During SSL termination, the load balancer will drop the client's certificate. From the load balancer, you can send the client's certificate as an HTTP header. The x509 authenticator in IS already supports SSL termination. You can check the blog [1] and the doc [2] for the configs.
>>>>
>>>> [1] https://medium.com/@piraveenaparalogarajah/configuring-x509-authenticator-in-wso2-identity-server-using-ssl-termination-with-nginx-1c21c6e5f27a
>>>> [2] https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509+Authenticator+with+SSL+Termination
>>>>
>>>> Thanks,
>>>> Piraveena
>>>> *Piraveena Paralogarajah*
>>>> Software Engineer | WSO2 Inc.
>>>> *(m)* +94776099594 | *(e)* pirave...@wso2.com
>>>>
>>>> On Wed, Sep 25, 2019 at 11:47 AM gayan gunawardana <gmgunaward...@gmail.com> wrote:
>>>>
>>>>> On Wed, Sep 25, 2019 at 6:49 AM Asela Pathberiya <as...@wso2.com> wrote:
>>>>>
>>>>>> On Wed, Sep 25, 2019 at 10:47 AM gayan gunawardana <gmgunaward...@gmail.com> wrote:
>>>>>>
>>>>>>> Hi APIM team,
>>>>>>>
>>>>>>> Is there any recommended deployment pattern to implement [1] if SSL termination happens at the load balancer?
>>>>>>
>>>>>> One option is sending the client certificate's data using an HTTP header. Also, it can be done at the SSL termination point, as it has access to the client certificate.
>>>>>>
>>>>>> I assume that we have implemented such a sample handler for the GW.
>>>>>
>>>>> Thanks a lot for the quick reply.
>>>>> I suppose sending the client certificate's data using an HTTP header is much more convenient.
>>>>> Having it at the SSL termination point is also a good option, but the problem is, when we have multiple APIs with multiple certificates, how to maintain the API-to-certificate mapping at the SSL termination point.
>>>>>
>>>>>> Thanks,
>>>>>> Asela.
>>>>>>
>>>>>>> [1] https://docs.wso2.com/display/AM260/Securing+APIs+with+Mutual+SSL
>>>>>>>
>>>>>>> --
>>>>>>> Gayan
>>>>>>> _______________________________________________
>>>>>>> Architecture mailing list
>>>>>>> Architecture@wso2.org
>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>
>>>>>> --
>>>>>> Thanks & Regards,
>>>>>> Asela
>>>>>>
>>>>>> Mobile : +94 777 625 933
>>>>>>
>>>>>> http://soasecurity.org/
>>>>>> http://xacmlinfo.org/

--
Gayan
_______________________________________________ Architecture mailing list Architecture@wso2.org https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
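The forwarded-certificate flow discussed in this thread (load balancer terminates TLS, forwards the client certificate in a header, the gateway extracts the CN for its API-to-certificate mapping), as an added Go example that is not WSO2's code and does not use the Synapse handler API. It shows the proxy-side encoding in the form nginx's $ssl_client_escaped_cert produces (URL-escaped PEM) and the gateway-side decode that re-verifies the chain and clientAuth EKU before the CN is used; the header name, the trust store and the self-signed test certificate are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"net/url"
	"time"
)

// ForwardCert encodes a client cert as a terminating proxy does: PEM, URL-escaped onto one header line.
func ForwardCert(der []byte) string {
	return url.QueryEscape(string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})))
}

// ClientCN decodes the forwarded header, re-verifies the cert against the CAs trusted for this API
// (chain and clientAuth EKU are checked here, never assumed from the proxy), and returns the subject CN.
func ClientCN(headerValue string, roots *x509.CertPool) (string, error) {
	unescaped, err := url.QueryUnescape(headerValue)
	block, _ := pem.Decode([]byte(unescaped))
	if err != nil || block == nil || block.Type != "CERTIFICATE" {
		return "", errors.New("header does not carry a URL-escaped PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

// SelfSignedClientCert is a constructed test fixture: a self-signed client certificate (DER) with the given CN.
func SelfSignedClientCert(cn string) ([]byte, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails if the system CSPRNG does
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}
```

A gateway behind such a proxy also has to make sure the header can only originate from the proxy (the proxy overwrites any client-supplied copy), otherwise the re-verification above is the only thing standing between a forged header and an authenticated API call.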