In this blog, I will walk you through the steps of setting up Two-Way SSL authentication for a connector instance. Not sure what two-way SSL is? In two-way (mutual) SSL the client authenticates to the server with its own certificate, in addition to the server presenting its certificate to the client. If your API says you need to send a signed client certificate with each request, there is a good chance this article will help.
In this post, we will demonstrate the following capabilities of Integration Builder:
- Creating connectors from internal API specifications.
- Setting up SSL authentication.
- Creating a JKS-formatted keystore using the command line.
- Creating a Connector instance with Two-Way SSL authentication.
You’ll need the following for this tutorial:
- Axway AMPLIFY account (Register for free)
- Specifications for Internal API
- URL for the internal APIs; the APIs must either be reachable from the internet or be exposed through something like ngrok
- Client certificate (p12 or pem), the private key belonging to the client certificate (.key), and the Certificate Authority certificate that signed the client certificate (pem)
Overview of Steps
- Create Connectors from your Internal API specifications.
- Set authentication to SSL under Connector Setup.
- Generate JKS formatted client certificate.
- Configure your connector instance with Two-way SSL.
- Test Connector instance using Try/Out in API Docs.
- Follow the Create an Integration Builder Connector blog to create connectors using Internal API specifications.
Setup SSL based Authentication
Go to Connectors > Private tab and hover over the Connector created in the previous step and click on Overview.
Click on Setup tab.
A screen like the one below will be shown. You will see that Authentication is set to Custom.
Click on the Add Configuration button on the right-hand side and select SSL. You will notice that two new required fields, “Base64 Encoded JKS” and “JKS Password”, are added. (See screenshot below.)
We are done creating the Connector. The next step is to create a Connector Instance, but before we can create an instance, we need to make some preparations.
Creating a JKS formatted Certificate
As you may have seen in the last section, when we set up SSL authentication, the platform requires the client certificate and its private key to be supplied in Java KeyStore (JKS) format. In this section, we will see how to create a JKS from your pem client certificate.
In order to create the JKS, we first convert the pem files to p12 (PKCS12) format.
To convert, you can use the following command. If you have any other means of converting pem to p12, or directly to jks, feel free to use that instead. In these steps, I am using the openssl and keytool utilities.
openssl pkcs12 -export -in ClientCert_pem_signedByCA.pem -inkey ClientCert_signedByCA.key -password pass:xxxx -chain -CAfile CA.pem -out client.p12 -name "Client Certificate"
Please replace the file names with your own.
ClientCert_pem_signedByCA.pem is my client certificate, signed by the CA certificate.
ClientCert_signedByCA.key is the private key that belongs to my client certificate (the key pair whose public half the CA signed).
Set an export password (the pass:xxxx part) and make a note of it, as keytool will ask for it while creating the JKS. Note that a password given on the command line ends up in your shell history and is visible to other processes; if you omit the -password option, openssl prompts for it instead.
CA.pem is the Certificate Authority certificate that was used to sign the client certificate.
Once you successfully run the above command, you will have the client.p12 file generated from your pem files. Next, create the JKS by running the command below.
keytool -importkeystore -srckeystore client.p12 -srcstoretype PKCS12 -destkeystore myJKSCert.jks -deststoretype JKS
Make sure you replace the file names with your own. The above command converts the client.p12 keystore into myJKSCert.jks, a Java KeyStore formatted keystore. The -deststoretype JKS option matters on Java 9 and later, where keytool's default store type is PKCS12 rather than JKS. The command will ask you to set a JKS password (and then for the p12 export password from the previous step); set it and make a note of it, as you will need it for instance creation.
The last step is to turn the JKS file into a base64-encoded string, which is what the instance creation form expects.
Run the following command (this is the macOS form of base64; on Linux, GNU base64 wraps its output at 76 columns, so join it into a single line before pasting):
base64 -i myJKSCert.jks
Copy the output of this command to an editor of your choice. Treat this string as a secret: it is your private key, only base64-encoded, and anyone holding it plus the JKS password can authenticate as your client.
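The steps above, collected into a small script as an added example (not code from the original post or from Axway). It checks the PEM material before converting it, so a mismatched key or wrong CA fails here instead of as an opaque TLS handshake error on the connector instance. File names are placeholders; the passwords are read from the P12_PASS and JKS_PASS environment variables rather than typed on the command line.

```shell
#!/bin/sh
# Added example (not from the original post): validate the PEM material, then
# build the PKCS12 and the JKS, and emit a single-line base64 string.
# File names are placeholders; passwords come from the environment (P12_PASS,
# JKS_PASS) instead of the command line, where they would land in shell
# history and be visible in the process list.

# Usage: check_client_material CERT.pem KEY.key CA.pem
# Returns 0 when KEY is the private key for CERT and CERT chains to CA.
check_client_material() {
    cert="$1"; key="$2"; ca="$3"
    # The public key derived from the private key must equal the one in the cert.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; return 1; }
    # The client certificate must verify against the CA the server trusts.
    openssl verify -CAfile "$ca" "$cert" >/dev/null || return 1
}

# Usage: pem_to_p12 CERT.pem KEY.key CA.pem OUT.p12   (needs P12_PASS set)
pem_to_p12() {
    [ -n "$P12_PASS" ] || { echo "set P12_PASS first" >&2; return 1; }
    check_client_material "$1" "$2" "$3" || return 1
    openssl pkcs12 -export -in "$1" -inkey "$2" -chain -CAfile "$3" \
        -name "Client Certificate" -passout env:P12_PASS -out "$4"
}

# Usage: p12_to_jks IN.p12 OUT.jks   (needs P12_PASS and JKS_PASS set)
# -deststoretype JKS is needed on Java 9+, whose default store type is PKCS12.
p12_to_jks() {
    keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 \
        -srcstorepass "$P12_PASS" -destkeystore "$2" -deststoretype JKS \
        -deststorepass "$JKS_PASS" -noprompt
}

# Usage: jks_to_base64 IN.jks  -> single-line base64 on both GNU and BSD base64
jks_to_base64() {
    base64 < "$1" | tr -d '\n'
}
```

Run check_client_material first whenever a handshake fails; a key/certificate mismatch or a certificate issued by a CA other than the one the server trusts are the two most common causes.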
Creating a connector instance
Go to Connectors > Private tab, hover over the Connector created in the previous step and click on Authenticate.
Provide the Name of your choice.
In Base64 Encoded JKS, provide the base64 string generated in the previous section.
In JKS Password, provide the password you set while creating the JKS.
Click on the Create Instance button. A screen like the one below will show up.
That’s it! Your connector instance with Two-Way SSL authentication is created and ready to be tested. From this screen you can use the instance as you normally would. To test it quickly, click on Test in the API docs and call your API; the requests should go through without any issue.
This brings me to the end of my post. We saw how quickly and easily – in just a few minutes – you were able to set up a connector instance with Two-Way SSL authentication. I hope this blog helps you get started on solving some use cases. Please don’t hesitate to comment or reach out in case you have any questions.