I was able to configure Gravitee API Gateway, Management and UI successfully and I successfully created sample API's which were tested in postman. Now I need to enable SSL for all the three Gravitee services running on ports Management-UI - 8000, API-gateway - 8092 and Management - 8093. Can some one help me to configure wild card domain certificate for all of these services?
This is the only official documentation which i see about ssl configuration for gravitee:
https://docs.gravitee.io/am/2.x/am_installguide_configuration.html
Any help is much appreciated, I have certificates in PKCS12/PEM formats.
FYI, DNS mapping is configured for the server.
I eventually figured it out. The solution was to generate a keystore and truststore for my domain certificate and then add the certificate to gravitee.yml configuration file for both gateway and management-api. update the paths in management ui - constant.json file and restart the services.
Hope this helps some one.
Related
We have don all the steps to configure SSL to our GO application - but nothing is working. All steps followed are here:
https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs
SSL certificate is created - yet domain is not configured.
I've applied my PKCS12 certificate to my gateway.
My certificate is a wildcard certificate and i'm trying to apply it
to the gateway so I don't have do this for all my micro-services.
These are the settings in my properties file for development:
server.port:8443
server.ssl.enabled=true
server.ssl.key-store=integration.domain.net.p12
server.ssl.key-store-password=*********
server.ssl.key-store-type=PKCS12
server.ssl.key-alias=integration.domain.net
The dev server starts up and SSL is enabled. When I open the connection to https://localhost:8080/ I am redirected to :8443 as I expect. However, the browser is indicating the connection is 'Not Secure'.
I can see that my certificate is being used so I'm a bit confused as to why this is not working. I'd like to know how to resolve this so that our clients see that our gateway is properly secured.
Does anybody have any ideas or suggestions?
thanks,
Nevermind. I figured this out. My certificate is obviously looking for a valid domain or subdomain that corresponds to the information contained therein. So of course, localhost is not there. I just added a dev-integration.domain.net to my /etc/hosts file for development and everything is just fine.
Sorry if I wasted anyone's time.
I found this example of setting up a service to do SSL termination on a backend service as opposed to on the ingress controller, but I don't see where to specify which certificate to use. I'd like to use a certificate I already have in my Google cloud certificate store. Where do I set that? How does this example work without a certificate?
https://github.com/kubernetes/ingress-gce/blob/master/examples/backside-https/app.yaml
More information about frontend vs backend HTTPS: https://github.com/kubernetes/ingress-gce/blob/master/README.md#frontend-https
If the backend service is using a certificate signed by a public CA, then nothing needs to be done. The GKE ingress is just like any other client to your backend- it knows about various certificate authorities and it can verify that your backend certificate was signed by one of those authorities.
If however the certificate in your certificate store is a client certificate, meaning that you want GKE to be authenticating using that certificate to your backend, not sure that is possible.
There is a way to instruct nginx to use client certificates, something along the lines of this answer, which uses self-signed certificates:
https://serverfault.com/a/717926/370529
And there is a way to provide those snippets to an nginx ingress controller. But GKE does not use nginx. I don't know of a way to do the same with the GKE ingress controller.
I'm currently working on a project that requires connecting to oracle eventhub which is a Oracle's version of kafka. The systems contacting the restproxy wouldnt accept the self signed certificate hence i'm trying to do either :
1- turn off https and allow for http connections to kafka
2- import a signed certificate i generated
unfortunately i cant locate the certificate store neither do i know how to or even if it is possible to have the rest proxy run on http
The solution was more simple than i thought, obviously Oracle Eventhub rest-proxy uses nginx for service exposure, few modifications to the configuration file and i was able to both remove https and allow for a certificate that i had issued
I have been working with web services connecting to URLs provided by different clients and so far it has all been done using one-way authentication. Now I'm asked to enable 2-way (mutual) authentication for one of the clients. I did a lot of research and reading but still confused about a lot of things.
I could test successfully on my local machine following instructions from various different articles. But the problem is now to deploy it in production.
Here's what I did for testing: I created a test Web service Host and assigned it a self-signed certificate and created a client to test this. After this I created a client certificate using makecert and verified that this is installed via MMC. I then modified my Host app to only allow clients with certificate and tested from client to see the connection refused due to not providing the client certificate. Then I modified the bindings in the client application to include the certificate name and I was able to connect to the Host successfully. So this completes local hosting.
Now the real problem. The tech team is going to create a certificate in "cert store" on the server. And I need to test again to make sure everything works as expected. We have a few different developers who all want to test on their machines on their local code. Can we all use the same certificate somehow? I don't think we would be allowed to import the certificate but what suggestions could I give them so all of us can use the same certificate?
I'm also confused about issues like difference between windows certificate and IIS certificate. What advantages would the IIS certificate provide?
Thanks for help!
Edit: Could one of the differences between installing on IIS be so that the hosted sites be accessed via SSL connection? This would mean we don't really need to install on IIS if it's just a client certificate. Is this correct?