
WSO2 API Manager secure public API

I have designed a public REST API with JSON which is used primarily from native mobile applications. The application which should subscribe to this API does not have any username/password login mechanism as it should be public.

The API is designed using WSO2 API Manager in version 2.1.0 and the application should establish a TLSv1.2 trusted connection in order to consume services.

The API on the backend side is subscribing to internal REST API which has mutual TLS authentication.

Currently OAuth2 is disabled for the API and I am thinking how to use it in order to get higher assurance and identification of the endpoint that is trying to use the API.

The only OAuth2 Grant Type that I can use in this case is Client Credentials from my point of view, where the application can get its consumer key and consumer secret to be able to request access tokens. But these can be obtained from the application source code or configuration.

As there is no username/password mechanism, the Implicit Grant Type can't be used.

How to use API Manager in this case?

For mutual SSL you can refer to the following blog post.

http://ishara-cooray.blogspot.com/2016/07/how-to-secure-your-backend-services-and.html

Here is the important part from the blog post.

Configure API Manager to enable dynamic ssl profiles

To configure APIM for Dynamic SSL Profiles for the HTTPS transport Sender, you need to create a new XML file /repository/deployment/server/multi_ssl_profiles.xml (this path is configurable) and copy the below configuration into it. This will configure client-truststore.jks as the Trust Store for all connections to 10.100.5.130:9443

 <parameter name="customSSLProfiles">
     <profile>
         <servers>10.100.5.130:9443</servers>
         <TrustStore>
             <Location>repository/resources/security/client-truststore.jks</Location>
             <Type>JKS</Type>
             <Password>wso2carbon</Password>
         </TrustStore>
     </profile>
 </parameter>

To enable dynamic loading of this configuration, add the configuration below to the Transport Sender configuration (PassThroughHttpSSLSender) of API Manager ({AM_HOME}/repository/conf/axis2.xml). Set the above file's path as the “filePath” parameter.

 <parameter name="dynamicSSLProfilesConfig">
     <filePath>repository/deployment/server/multi_ssl_profiles.xml</filePath>
     <fileReadInterval>3600000</fileReadInterval>
 </parameter>
 <parameter name="HostnameVerifier">AllowAll</parameter>

Now both the back-end service and the ESB are configured to use the default key stores and API Manager is configured to load dynamic SSL profiles. Restart API Manager. It will show the message below in the console, confirming that the dynamic configuration was loaded.

ClientConnFactoryBuilder customSSLProfiles configuration is loaded from path:
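The two parameter blocks quoted above carry settings a reviewer would want to check before they reach production: HostnameVerifier set to AllowAll switches off hostname verification for the outbound TLS connection, the truststore keeps WSO2's bundled default password, and a stray space inside the Location element becomes part of the file path. The following is an added example (not part of the answer, the blog post, or WSO2's own code) that parses those blocks with Python's standard XML library and reports such findings; the SAMPLE_CONFIG and HARDENED_CONFIG strings are constructed here, the wrapping <root> element and the non-default password in the hardened variant are assumptions, and the stricter verifier value is the one I would substitute, not something the page states.

```python
import xml.etree.ElementTree as ET

# Constructed sample (assumption): the two <parameter> blocks from the answer,
# wrapped in one <root> so they parse as a single document. In a deployment the
# customSSLProfiles block lives in multi_ssl_profiles.xml and the other two sit
# under the PassThroughHttpSSLSender transportSender in axis2.xml.
SAMPLE_CONFIG = """<root>
  <parameter name="customSSLProfiles">
    <profile>
      <servers>10.100.5.130:9443</servers>
      <TrustStore>
        <Location>repository/resources/security/client-truststore.jks </Location>
        <Type>JKS</Type>
        <Password>wso2carbon</Password>
      </TrustStore>
    </profile>
  </parameter>
  <parameter name="dynamicSSLProfilesConfig">
    <filePath>repository/deployment/server/multi_ssl_profiles.xml</filePath>
    <fileReadInterval>3600000</fileReadInterval>
  </parameter>
  <parameter name="HostnameVerifier">AllowAll</parameter>
</root>
"""

# Constructed hardened variant (assumption): trimmed path, a non-default
# truststore password placeholder, and hostname verification left enabled.
HARDENED_CONFIG = """<root>
  <parameter name="customSSLProfiles">
    <profile>
      <servers>10.100.5.130:9443</servers>
      <TrustStore>
        <Location>repository/resources/security/client-truststore.jks</Location>
        <Type>JKS</Type>
        <Password>REPLACE_WITH_DEPLOYMENT_SPECIFIC_PASSWORD</Password>
      </TrustStore>
    </profile>
  </parameter>
  <parameter name="dynamicSSLProfilesConfig">
    <filePath>repository/deployment/server/multi_ssl_profiles.xml</filePath>
    <fileReadInterval>3600000</fileReadInterval>
  </parameter>
  <parameter name="HostnameVerifier">DefaultAndLocalhost</parameter>
</root>
"""

# WSO2 ships its bundled keystores with this password; a production truststore
# should use its own.
DEFAULT_PASSWORDS = {"wso2carbon"}


def _text(elem, path):
    """Stripped text of a child element, or None when it is missing."""
    child = elem.find(path)
    if child is None or child.text is None:
        return None
    return child.text.strip()


def audit_ssl_config(xml_text):
    """Return a list of (parameter name, issue) tuples for the given XML."""
    root = ET.fromstring(xml_text)
    findings = []
    for param in root.iter("parameter"):
        name = param.get("name")
        if name == "HostnameVerifier":
            if (param.text or "").strip() == "AllowAll":
                findings.append((name, "AllowAll disables hostname verification: "
                                       "a valid certificate for any host is accepted"))
        elif name == "customSSLProfiles":
            for profile in param.findall("profile"):
                servers = _text(profile, "servers") or "<no servers element>"
                store = profile.find("TrustStore")
                if store is None:
                    findings.append((name, f"profile for {servers} has no TrustStore"))
                    continue
                # findtext keeps the raw text, so surrounding whitespace is visible here
                raw_location = store.findtext("Location") or ""
                if raw_location != raw_location.strip():
                    findings.append((name, f"TrustStore Location for {servers} has "
                                           f"surrounding whitespace: {raw_location!r}"))
                if _text(store, "Password") in DEFAULT_PASSWORDS:
                    findings.append((name, f"TrustStore for {servers} uses a default password"))
    return findings


if __name__ == "__main__":
    for param_name, issue in audit_ssl_config(SAMPLE_CONFIG):
        print(f"[{param_name}] {issue}")
    print("hardened findings:", audit_ssl_config(HARDENED_CONFIG))
```

Running the script prints three findings for the sample taken from the answer and none for the hardened variant. The whitespace check matters because the profile in the blog post has a space before the closing Location tag; the parser reports it rather than silently stripping it, since the transport may try to open a file whose name ends in a space.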
