webMethods.io API Gateway certificate based mutual authentication

Introduction

This article explains how requests sent from API Gateway to a native API endpoint can be authenticated using certificates.

Audience

It is assumed that readers of this article know how to set up APIs and configure policies on API Gateway.

Pre-requisite

• Access to webMethods.io Integration and webMethods.io API Gateway.

• A flow service exposed as an API on webMethods.io Integration.

• Certificates generated on webMethods.io Integration.

• Refer to the link below to create the flow service on webMethods.io Integration:
FlowServices - webMethods.io Integration

• Refer to the link below to generate and configure the certificates on webMethods.io Integration:
Two-Way SSL - webMethods.io Integration

• Refer to the link below to create the API on API Gateway:
Create your first Rest API - webMethods.io API Gateway

Use case

• In our case we have created a flow service on webMethods.io Integration.
• This flow service is exposed as an API on webMethods.io Integration.
• The flow service endpoints are secured by certificates.
• To invoke this API, the certificates must be passed for authentication.
• We configure these endpoints as the native API endpoints on API Gateway.
• When API Gateway sends the request to the native endpoints, the certificates are sent along with the request.
• These certificates are configured on API Gateway.

What is Mutual Authentication

• Mutual Authentication is also commonly referred to as Two-Way Authentication or Two-Way SSL.
• It is the combination of server authentication and client authentication.
• In this mechanism the server authenticates itself to the client, and the client authenticates itself to the server, in order to establish a secure encrypted channel between them.

Implementation

Implementation done on webMethods.io Integration

• Created a flow service.
• Enabled the HTTP endpoints on the flow service.
• Generated the certificates from the platform in *.jks format.

Implementation done on webMethods.io API Gateway

• Created a custom keystore: navigate to Administration and click the Security tab.
• Created the alias for the keystore.
• Configured the API with policies.
• In our case we have created the API named "SumAPI".
• Configured the traffic monitoring policy for logging the request and response.
• Configured the routing policy with the custom keystore and alias.

Testing using the Postman client

Failure scenario: when the custom keystore is not configured on the routing policy of API Gateway, the call to the native endpoint fails.

Successful scenario: when the custom keystore is configured on the routing policy of API Gateway, the call to the native endpoint succeeds.
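The two test outcomes above, reproduced in Go as an added example that is not part of the original article or of webMethods.io: a local stand-in for the native endpoint requires a client certificate, and the call succeeds only when one is sent. The self-signed certificate, the InvokeNative function and the loopback test server are constructed for illustration; in the real setup the client certificate comes from the JKS keystore and alias configured on the routing policy.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// newClientCert builds a throwaway self-signed client certificate: constructed test material standing in for the *.jks keystore.
func newClientCert() tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "api-gateway"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// InvokeNative runs a local stand-in for the native endpoint that demands a client certificate (two-way SSL)
// and calls it once; sendClientCert plays the role of the custom keystore and alias on the routing policy.
func InvokeNative(sendClientCert bool) bool {
	clientCert := newClientCert()
	trusted := x509.NewCertPool()
	trusted.AddCert(clientCert.Leaf) // the endpoint trusts exactly this client certificate
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(200) }))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trusted}
	srv.StartTLS() // httptest supplies the server's own localhost certificate
	defer srv.Close()
	client := srv.Client() // already trusts that server certificate
	if sendClientCert {
		client.Transport.(*http.Transport).TLSClientConfig.Certificates = []tls.Certificate{clientCert}
	}
	resp, err := client.Get(srv.URL)
	if err != nil {
		return false // handshake rejected: no client certificate was presented
	}
	resp.Body.Close()
	return resp.StatusCode == http.StatusOK
}
```

InvokeNative(false) reproduces the failure scenario and InvokeNative(true) the successful one; the server-side ClientAuth setting is what makes the missing certificate a hard handshake failure rather than a silent fallback.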
