
I am trying mutual SSL in the WSO2 APIM 4.1.0 GA release. I have created a self-signed certificate using Java keytool.

OS : Windows 11

Below are the commands to generate certificate:

Creating new Keystore:

keytool -genkey -keyalg RSA -alias dev.wso2.com -keystore "C:\pathtoAPIM\wso2am-4.1.0\repository\resources\security\devwso2.jks" -validity 4000

Convert to pkcs12 format:

keytool -importkeystore -srckeystore C:\pathtoAPIM\wso2am-4.1.0\repository\resources\security\devwso2.jks -destkeystore C:\pathtoAPIM\wso2am-4.1.0\repository\resources\security\devwso2.jks -deststoretype pkcs12

Export public key

keytool -exportcert -alias dev.wso2.com -rfc -file "C:\pathtoAPIM\wso2am-4.1.0\repository\resources\security\devwso2.pem" -keystore "C:\pathtoAPIM\wso2am-4.1.0\repository\resources\security\devwso2.jks"

Import the public key into the truststore:

keytool -import -alias dev.wso2.com -file "C:\pathtoAPIM\wso2am-4.1.0\repository\resources\security\devwso2.pem" -keystore "C:\pathtoAPIM\wso2am-4.1.0\repository\resources\security\client-truststore.jks"
  • Certificate added successfully to the truststore, and validated the certificate from the management console too.

[screenshot: certificate]

  • Created API in Publisher portal and enabled Mutual SSL as mandatory

[screenshot: mutual SSL enabled]

  • Uploaded a new client certificate and marked OAuth as optional under Application-level security

[screenshot: certificate added]

  • API is published into devportal.

Invoke an API secured with Mutual SSL using Postman

  • Added the certificate and private key in the Certificate tab of Postman settings. Host: dev.wso2.com, CRT file: dev.wso2.crt, KEY file: devwso2.pem, Passphrase: keystorepwd

  • In General tab, SSL Certificate Verification is OFF

API Hit in postman:

[screenshot: API hit]

  • As you can see in the above screenshot, an error like `Error: error:0900006e:PEM routines:OPENSSL_internal:NO_START_LINE` is received in Postman.

CURL:

curl -vk  GET "https://dev.wso2.com:8243/mutualsslapi/1.0.0" -H "accept: application/json"  --cert "C:\Development_Avecto\Learning\File\dev.wso2.crt" --key "C:\Development_Avecto\Learning\File\devwso2.pem"

After executing the above curl in cmd, I get the error below:

* Could not resolve host: GET
* Closing connection 0
curl: (6) Could not resolve host: GET
*   Trying 127.0.0.1:8243...
* Connected to dev.wso2.com (127.0.0.1) port 8243 (#1)
* schannel: disabled automatic use of client certificate
* schannel: Failed to import cert file C:\Development_Avecto\Learning\File\dev.wso2.crt, last error is 0x80092002
* Closing connection 1
curl: (58) schannel: Failed to import cert file C:\Development_Avecto\Learning\File\dev.wso2.crt, last error is 0x80092002

May I know why this mutual SSL-protected API call is not happening? How can we fix this?

Reference Link 1

Reference link 2

  • Try the same with curl and see what error you receive. – ycr Feb 22 '23 at 23:54
  • @ycr Added the curl request and the error I got after executing the command in cmd. Please have a look at the edited question. – Justin Feb 23 '23 at 05:13

3 Answers


Seems like an issue with the certificates that you are using.

Try the following commands to generate a private key and a public certificate from it.

Generate a key:

openssl genrsa -out self.key 2048

Generate the certificate:

openssl req -key self.key -new -x509 -days 365 -out self.crt

Then test an API configured as below. Note that the certificate has been added to the API under Transport-level security.

Then use the key and certificate in the postman as below.


You will be able to invoke the API. Test whether similar configuration like this works for Mutual SSL.

  • Hi @nuwan karunarathna, thanks for the response. openssl is not installed, so I tried via Java keytool. Can't we achieve the same use case via Java keytool? Isn't that the right way? Should we generate the certificate via openssl only? – Justin Feb 23 '23 at 08:51
  • Hi @nuwan karunarathna, created the .crt and .key files using the openssl command (`openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout "C:\path_to_wso2apim_security_folder\privatekey.key" -out "C:\path_to_wso2apim_security_folder\certificate.crt"`) and attached them in the API and Postman as you showed above. Initially I got an error like `sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target` in the log file. Note: after a server restart, this starts working fine now. – Justin Mar 01 '23 at 16:23

This seems like a Postman-specific issue. Can you check the options mentioned here [1] to solve the issue? Or it can be due to some structural issue in the crt file.

[1] https://community.postman.com/t/error-errorpem-routinesno-start-line/32031


As suggested by @nuwan karunarathna,

  • Installed openssl on the Windows machine.

  • Created the certificate and private key using the openssl command mentioned here:

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout "C:\path_to_wso2apim_security_folder\privatekey.key" -out "C:\path_to_wso2apim_security_folder\certificate.crt"

  • Enabled mutual SSL in the Publisher portal and attached the certificate at API level

  • Added the certificate, host and private key in Postman settings (Certificate tab)

  • Restarted the WSO2 APIM server, and API hits are happening now.

[screenshot: API hit]

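The script below is an added example, not code from the question or from either answer, that pulls the whole procedure together: it generates the key pair with the same openssl command the answers use, inspects the resulting files the way Postman's CRT/KEY fields and curl's --cert/--key read them, reproduces the question's NO_START_LINE error by handing the certificate where a private key is expected, checks that the certificate and key actually belong together, and imports the certificate into a truststore when keytool is available (the step the question did with keytool -import). It assumes openssl on PATH; the output directory, the CN dev.wso2.com and the truststore password wso2carbon are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the question or the answers). Assumes openssl on PATH;
# OUT, CN and TRUSTSTORE_PASS are demo assumptions.
set -eu

OUT="${OUT:-$(mktemp -d)}"                          # assumed working directory
CN="${CN:-dev.wso2.com}"                            # CN used in the question
TRUSTSTORE_PASS="${TRUSTSTORE_PASS:-wso2carbon}"    # assumed truststore password

# Step 1: private key + self-signed certificate in one shot (same command as the answers,
# made non-interactive with -subj). On Git Bash for Windows run with MSYS_NO_PATHCONV=1
# so "/CN=..." is not rewritten as a filesystem path.
gen_client_material() {
  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj "/CN=$CN" \
    -keyout "$OUT/privatekey.key" -out "$OUT/certificate.crt" 2>/dev/null
}

# Step 2: what a PEM reader sees. The KEY field / --key needs a "-----BEGIN ... PRIVATE KEY-----"
# block, the CRT field / --cert needs "-----BEGIN CERTIFICATE-----". A file without the
# expected block is what OpenSSL reports as "PEM routines ... NO_START_LINE".
pem_labels() { sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"; }
is_private_key() { openssl pkey -in "$1" -noout >/dev/null 2>&1; }
is_certificate() { openssl x509 -in "$1" -noout >/dev/null 2>&1; }

# Step 3: the certificate and key belong together only if they carry the same public key.
pair_matches() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)
  [ "$c" = "$k" ]
}

# Step 4: server side. The gateway trusts the client certificate only once it is in its
# truststore; skipped when keytool is not installed.
import_into_truststore() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping truststore import"; return 0; }
  keytool -importcert -noprompt -alias "$CN" -file "$OUT/certificate.crt" \
    -keystore "$OUT/client-truststore.jks" -storepass "$TRUSTSTORE_PASS"
}

main() {
  gen_client_material
  echo "certificate.crt: $(pem_labels "$OUT/certificate.crt")"
  echo "privatekey.key:  $(pem_labels "$OUT/privatekey.key")"
  pair_matches "$OUT/certificate.crt" "$OUT/privatekey.key" && echo "certificate and key match"
  # The question's mistake reproduced: a certificate file given where the private key is expected.
  if ! is_private_key "$OUT/certificate.crt"; then
    echo "certificate.crt is not a private key; openssl says:"
    openssl pkey -in "$OUT/certificate.crt" -noout 2>&1 | head -n 2 || true
  fi
  import_into_truststore
}
main
```

The header check is the whole story behind the Postman error in the question: keytool -exportcert -rfc writes a CERTIFICATE block, so devwso2.pem has no private-key block to offer the KEY field, and keytool has no command that exports a private key as PEM at all (that takes the PKCS#12 keystore plus `openssl pkcs12 -in devwso2.jks -nocerts -nodes -out key.pem`). curl's schannel error 0x80092002 is CRYPT_E_BAD_ENCODE, i.e. it could not decode the file given to --cert, the same class of problem. Separately, -k in the curl command and "SSL certificate verification OFF" in Postman only suppress verification of the gateway's own certificate; they have no effect on the client certificate, which the gateway still verifies against its truststore.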