webMethods.io API Gateway certificate based mutual authentication

Introduction

This article explains how requests can be authenticated using certificates while invoking the native request.

Audience

It is assumed that readers of this article know how to set up API and configure policies on the API gateway.

Pre-requisite

• Access to webMethods.io Integration and webMethods.io API Gateway

• Flow service exposed as API on webMethods.io integration.

• Generate the certificates on webMethods.io integration.

• Refer below link to create the flow service on webMethods.io integration.
FlowServices - webMethods.io Integration

• Refer below link to generate\configure the certificates on webMethods.io Integration
Two-Way SSL - webMethods.io Integration

• Refer below link to create the API on API Gateway
Create your first Rest API - webMethods.io API Gateway

Usecase

• In our case we have created a flow service on webMethods.io Integration
• This flow service is exposed as API on webMethods.io integration
• This flowservice endpoints are exposed and secured by the certificates.
• To invoke this API, we need to pass the certificates for authentication.
• In our case we are going to configure the native API endpoints on API Gateway.
• When the request is sent from API Gateway to the native endpoints then the certificates will be sent along with the request.
• These certificates will be configured on API Gateway.

image936×324 78 KB

What is Mutual Authentication

• Mutual Authentication, also commonly referred to as Two-Way Authentication or Two-Way SSL.
• It refers to the combination of both Server and Client Authentication.
• In this mechanism the server is authenticating itself to the client, and the client is authenticating itself to the server in order to establish a secure encrypted channel between them

image772×581 122 KB

Implementation

Implementation done on webMethods.io Integration
• Created a flow service.
• Enabled the http endpoints on flow service.

image985×501 61.2 KB

• Generated the certificates from the platform in *.jks format.

image945×488 70.3 KB

Implementation done on webMethods.io API Gateway

• Create a custom keystore.
• Navigate to Administration an click on Security tab

image866×565 89.4 KB

• Created the alias for keystore

image985×304 51.5 KB

• Configure the API with policies.
• In our case we have created the API named “SumAPI”
• Configuration of traffic monitoring policy for logging the request and response.

image985×431 102 KB

• Configuration of routing policy with custom keystore and alias.

image985×386 89.3 KB

Testing using postman client

Failure scenario: When custom keystore is not configured on the routing policy of API GW

image986×385 54.4 KB

image986×637 89 KB

Successful scenario: When custom keystore is configured on the routing policy of API GW

image985×399 69.4 KB

image846×462 52.7 KB