WSO2 API Manager: setting https endpoint - api

I create an API where I configure the endpoint: https://ssl.croinform.ru:450/api.test
And there is a problem with https, I am not getting a response to the request. It seems the WSO2 API Manager API gateway is not proxying requests to the endpoint.
When I make requests directly, I pre-configure the infrastructure: install the openssl counterpart, install the cacer.p7b and ssl.croinform.cer certificates. After that, I successfully receive responses from the ssl.croinform.ru:450/api.test service.
Can you tell me what I need to do to make this work in WSO2 API Manager?

Related

Call a SOAP web service with HTTPS without certificates

I want to call a third party web service from TIBCO BW6.X via SOAP over HTTPS by using basic authentication.
I can do it with SOAPUI just by adding authorization as a HTTP header with the key (like Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1) and it works fine. But using BW, I have to create an SSL resource with certifcates to use HTTPS.
My question is : Can I connect to a web service using HTTPS URL without SSL/certificates? If yes, then how? else, why can I do it with SOAPUI?
Thanks.
The answer depends on the soap client you are using. Basically you need just ignore the certificate validation as far as i interpret your question.
Example for php:
Disable certificate verification in PHP SoapClient

Does HaProxy Supports "API Gateway" Feature like NGINX

We are evaluating reverse proxies which support API Gateway feature. We tested the API Gateway feature in NGINX with a custom authentication Application. The request flow in NGINX is that when a request reaches NGINX, it forwards the request for authentication to a custom authentication application. If the auth application returns HTTP 200, NGINX forwards the request to downstream servers.
HaProxy:
For HAP proxy I am unable to figure out how to integrate the custom authentication application in HAProxy configurations.
Kindly guide me to the correct configuration/resource for me to proceed.

Is Mutual auth with aws api gateway possible?

I have an application installed in tomcat which currently I am running on http.
Also I have used AWS API gateway to expose my application .
I want to implement mutual auth between aws api gateway and my api which we have created .
Is there any document which I can refer.
Also is it possible to implement mutual authentication with AWS API gateway and my api.
This is definitely possible by installing an SSL certificate in Tomcat and using the Client Certificate feature of API Gateway. See http://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html
The API Gateway server must use a certificate the AWS ACM issues.
The Gateway itself uses another AWS-generated certificate to authenticate with your backend.

Using HTTP with AWS API Gateway and Service Proxy

I seem to be forced in to using HTTPS with AWS API Gateway. I am only hosting non-sensitive GET requests that do not need to be https.
How do I setup HTTP GET Method?
I am using a custom domain name and pointing to DynamoDB.
According to the FAQ, this is not possible:
[A]ll of the APIs created with Amazon API Gateway expose HTTPS endpoints only. Amazon API Gateway does not support unencrypted (HTTP) endpoints.
https://aws.amazon.com/api-gateway/faqs/#general

Can WSO2 ESB play the role of an HTTP(S) proxy for mediating incoming REST API requests?

Background:
I'm trying to use WSO2 ESB within a corporate setting to provide authenticated access to underlying REST API backend providers located either within the enterprise, or on the internet.
My goal is to selectively grant access, e.g. to REST API provider P1 only to REST client C1 and to to REST API provider P2 only to REST client C2.
Using WSO2 ESB with the "<api>" as described into http://wso2.com/library/articles/2012/10/implementing-restful-services-wso2-esb/ seems to impose to redefine every resource, which can be very large and error prone for complex APIs (e.g. vmware vcloud director REST API https://www.vmware.com/support/vcd/doc/rest-api-doc-1.5-html/landing-user_operations.html)
Using the WSO2 ESB "<proxy>", as described into
https://docs.wso2.org/display/ESB481/Using+REST+with+a+Proxy+Service#UsingRESTwithaProxyService-RESTClientandRESTService ("REST Client and REST Service") imposes that the URIs exposed to HTTP clients will be modified modified w.r.t. to the original backed uri. Typical proxy URIs will be of the following form with the services prefix and a specific port http://<wso2_host>:8280/services/CustomerServiceProxy/customers/123
While having modified exposed URIs is fine when the client can be controlled (typically an in house custom REST API). It is problematic when the REST API is an industry standard and the client is an SDK, or an off-the-shelf application which is outside of the control of WSO2 users (e.g. AWS S3 API, or vmware vcloud director REST API)
In addition, some custom clients/SDKs may verify server-side SSL certificates against a public key embedded into the SDK/client.
The usual solution to preserve the HTTP REST API as-is and add some authentication on top of it is to expose the API through an HTTP proxy (possibly authenticating clients through HTTP proxy authentication), i.e. client send a CONNECT request prior to sending their original request. This preserves the full URIs and also the SSL certificates.
Question:
Is there a way to have WSO2 ESB play the role of an HTTP(S) proxy for mediating incoming REST API requests, preserving original URIs and server SSL certificates ?
I'm thinking about a new "<http-proxy>" syntax, I haven't yet spotted. I.e. it would listen to http://<wso2_host>:3128/ and respond to CONNECT requests. The mediation would then have the ability to accept or not the CONNECT depending on the CONNECT request inputs (proxy authentication, requested host), and other http transport headers). Once the CONNECT request is granted, it might even be possible to act on subsequent individual proxified requests
Best specs describing the CONNECT behavior seem https://datatracker.ietf.org/doc/html/draft-luotonen-web-proxy-tunneling-01 (1999 draft that seems adopted) and https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-p2-semantics-22#page-29 proposed standard.
For HTTPS URI, there might be limited ability within the WSO2 mediation: the HTTP request is SSL encrypted and only the domain can be known if SNI (Server Name Indication) is specified in the request. At least this would enable to grant/deny some host names to a set of clients depending on proxy authentication.
You may wish to try the <property name="preserveProcessedHeaders" value="true"/> in your <inSequence>. This property will pass all security headers through the proxy. I'm not sure about server certificates.
Here is an example of that property in use:
https://docs.wso2.org/display/ESB481/Sample+153%3A+Routing+Messages+that+Arrive+to+a+Proxy+Service+without+Processing+Security+Headers
I hope tlevel for API usehat helps. You may also want to look into the wso2 API manager, which lets you selectively grant access to APIs.