I would like to make my Bluemix application (Liberty) access a remote REST API which is provided over SSL. I need to use the gateway's "TLS Mutual Auth option". But for now, in order to figure out whether I must use the "HTTPS option" when a remote REST API is provided over SSL, I tested two cases, HTTPS and TLS Server Auth. The HTTPS case resulted in success and the TLS Server Auth case resulted in failure.
Is the HTTPS option required when a remote REST API is HTTPS in order to rewrite the HTTP header at SecureGatewayClient? Can't we protect the gateway with TLS Mutual Auth if this is correct?
1. HTTPS option: success
This case resulted in success.
2. TLS Server Auth option: failure
This case resulted in failure.
I just changed the gateway's option from "HTTPS" to "TLS Server Auth", so the cause is not a mis-configuration.
[Bluemix Liberty application's log]
2015-07-01T04:17:58.64+0900 [RTR] OUT sampleapp.mybluemix.net[30/06/2015:19:17:49 +0000] "GET /XXX HTTP/1.1" 200
2015-07-01T04:17:58.66+0900 [App/0] OUT res:404 Not Found: Requested route ('cloudhost:cloudport') does not exist.
[SG Client's log]
[2015-06-30 02:37:38.144] [INFO] Connection #32 is being established to remote REST API's host:443
[2015-06-30 02:37:38.227] [INFO] Connection #32 established to remote REST API's host:443
[2015-06-30 02:37:52.535] [INFO] Connection #32 to remote REST API's host:443 was closed
In response to this part of your post:
Is the HTTPS option required when a remote REST API is HTTPS in order to rewrite the HTTP header at SecureGatewayClient?
Yes, HTTPS is required if connecting to an HTTPS remote REST API. Additionally, if you're connecting to a backend HTTPS server, you will need to enable client-side TLS.
The link below provides more info regarding securing a gateway in the Bluemix UI:
https://www.ng.bluemix.net/docs/services/SecureGateway/sg_022.html#sg_009
In response to this part of your post:
Can't we protect the gateway with TLS Mutual Auth?
Yes, you can use TLS:Mutual Auth, but you would also need to upload your own certificate or select auto-generate to automatically create a self-signed certificate/key pair that you can download along with the server certificate.
To use the certificates generated by selecting TLS:Mutual Auth, you will also need to configure your application-side TLS connection, and potentially your client-side TLS connection. Enabling TLS security between the client and your REST API is separate to application-side TLS. Application-side TLS secures access between your sample app and the secure gateway client defined. You can use client-side TLS connectivity independent of application-side TLS, vice versa, or together to provide complete security from your sample app to your REST API.
For more information regarding accessing the secure gateway, please see the link below:
https://www.ng.bluemix.net/docs/services/SecureGateway/sg_023.html
I cannot for the life of me get the AWS API Gateway HTTP Proxy to work, i.e. redirect http://<my-domain>.com to https://<my-domain>.com. Here is how I set it up:
Using the Test functionality on the ANY method inside the resource works. But if I simply do curl http://<my-domain>.com or run http://<my-domain>.com in Chrome, it fails to connect; https://<my-website>.com works just fine. I'm driving myself crazy trying to figure out what I'm missing here; it seems like it should just redirect http://<my-domain>.com to https://<my-domain>.com, but it doesn't (even on different devices).
So, it turns out that API Gateway's HTTP Proxy allows HTTPS traffic to go to an HTTP endpoint, but not the reverse. In fact, API Gateway won't even establish a connection on port 80; from the FAQ:
Q: Can I create HTTPS endpoints?
Yes, all of the APIs created with Amazon API Gateway expose HTTPS
endpoints only. Amazon API Gateway does not support unencrypted (HTTP)
endpoints.
API Gateway doesn't support unencrypted HTTP traffic. Here are the possible options you can do to secure your website:
If you have access to the server that hosts the website, install an SSL certificate to the webserver.
If the website is hosted on EC2, you can set up a load balancer and let it do the SSL termination.
I'm trying to explore a REST API using ZAP and Postman but I get an error probably because I didn't set up something right.
Should I add the SA certificate from ZAP to Postman?
Could not get any response
There was an error connecting to http://myurl.
Why this might have happened:
The server couldn't send a response:
Ensure that the backend is working properly
Self-signed SSL certificates are being blocked:
Fix this by turning off 'SSL certificate verification' in Settings > General
Proxy configured incorrectly
Ensure that proxy is configured correctly in Settings > Proxy
Request timeout:
Change request timeout in Settings > General
I have a Spray Scala project. I am making an HTTPS connection with a self-signed certificate (.jks) to this project through a REST call. I referred to this link, "Configuration issue for Spray https server with self-signed certificate?", to configure Spray as an HTTPS server. So when I run my project it reads the .jks certificates, but when I fire a request it gives the following error:
Aborting encrypted connection to /192.168.1.3:46346 due to [SSLException:Unrecognized SSL message, plaintext connection?]
I found the answer. When I configured Spray for HTTPS, it can't accept HTTP requests; it accepts only HTTPS requests.
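The mismatch behind "Unrecognized SSL message, plaintext connection?" can be recognised from the first bytes a listener receives. The following Python check is an added example, not part of the original posts; the function names and the sample byte strings are constructed for illustration.

```python
# Added example: decide whether the first bytes on a connection are a TLS
# record or a plaintext HTTP request, and report a listener/client mismatch.
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ")
# TLS record content types: change_cipher_spec, alert, handshake, application_data
TLS_CONTENT_TYPES = {20, 21, 22, 23}
MAX_RECORD_LEN = 2**14 + 2048  # upper bound for a TLS 1.2 ciphertext record


def classify_first_bytes(data: bytes) -> str:
    """Return 'http-plaintext', 'tls', 'incomplete' or 'unknown'."""
    if data.startswith(HTTP_METHODS):
        return "http-plaintext"
    if len(data) < 5:
        return "incomplete"  # a TLS record header is 5 bytes
    content_type, major, minor = data[0], data[1], data[2]
    length = int.from_bytes(data[3:5], "big")
    # Record header layout: type (1 byte) | version (2 bytes) | length (2 bytes).
    # The major version byte is 3 for SSL 3.0 through TLS 1.3.
    if (content_type in TLS_CONTENT_TYPES and major == 3 and minor <= 4
            and length <= MAX_RECORD_LEN):
        return "tls"
    return "unknown"


def diagnose(listener_is_tls: bool, data: bytes) -> str:
    """Explain a protocol mismatch between a listener and its client."""
    kind = classify_first_bytes(data)
    if listener_is_tls and kind == "http-plaintext":
        return "plaintext HTTP sent to a TLS listener: client must use https://"
    if not listener_is_tls and kind == "tls":
        return "TLS handshake sent to a plaintext listener: client must use http://"
    if kind in ("incomplete", "unknown"):
        return "cannot tell from these bytes: " + kind
    return "protocols match"


# Constructed samples: a plaintext request and the start of a ClientHello record.
SAMPLE_HTTP = b"GET /XXX HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_TLS = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"

if __name__ == "__main__":
    print(diagnose(True, SAMPLE_HTTP))
    print(diagnose(True, SAMPLE_TLS))
```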
I am trying to access a secured WAS URL via the Secure Gateway. I can access an unsecured page via HTTP. When I set the Secure Gateway Destination to HTTPS and try to access the secured page (requires a userid/password), the connection fails.
Last year I was told that HTTPS was not supported. However, I think that I just don't know how to configure the Secure Gateway to do it now.
In order for HTTPS to be in use on both sides of the connection (app to Secure Gateway Server, and Secure Gateway Client to on-premises resource), the protocol should be HTTPS (which it sounds like you have) and you should also enable Destination-side TLS under the Advanced options panel of the destination. This will cause the connection being made from the Secure Gateway Client to the on-premises resource to be HTTPS rather than HTTP.
I have some APIs on my laptop. They are visible on the internet through secure gateway service.
The secure gateway destination is configured with TLS mutual authentication option. So APIs require TLS mutual authentication.
I would like to add those APIs to API Management.
I could not bind an SSL profile on the Proxy tab, but I could bind an SSL profile to an HTTP GET operation on the Implementation tab.
Does this mean I have to implement an assembly operation to bind an SSL profile?
The "Proxy" tab is meant as a "simple" get you going proxy setup. For more advanced "proxies", you should use an "Assembly" implementation with a "Proxy" policy. On the settings for the Proxy policy you can specify an SSL profile.