Mutual SSL can be configured in two places: for connections into TM (API consumer to TM) and for connections out of TM (TM to the backend).
##Into TM##
From 5.4.0 onwards TM listens on two inbound HTTPS ports:
- 443 for 1-way SSL (server authentication only, no client certificate requested)
- 1443 for 2-way SSL (mutual SSL / mTLS, the client must present a certificate)
For mTLS on 1443:
- TM's own identity (server certificate and private key) is configured in the tml-tm.jks keystore
- The CA certificates TM trusts when validating client certificates are configured in the tml-tm-trust.jks keystore
You can refer to this article for this:
https://support.tibco.com/s/article/How-to-update-change-certificate-for-TM-Service-for-inbound-HTTPS-Calls
Note:
The property shown in that article is not present in this release:
"need_client_auth": true
Instead the manifest file carries the following setting, which controls whether the mutual-HTTPS listener is enabled:
"tml_tm_mhttps_enabled": "false",
Some FAQs:
Q1) Can the customer configure mTLS for an endpoint so that only consumers holding a particular certificate can call that endpoint?
A1) Enable the option "Require Mutual TLS (mTLS)" when configuring the endpoint. This enforces mutual SSL for every client calling that endpoint; the client certificate must chain to a CA in TM's truststore.
Q2) Can they upload only the Root CA that signed all the client certificates with the "upload_ssl_server_truststore_for_traffic_manager" job?
A2) Technically it should work, because TM only needs a trust anchor that the client's certificate chain ends in. Uploading the entire chain is recommended, though: chains usually contain more than two certificates (client certificates are typically issued by an intermediate CA), and if the client does not send that intermediate in the handshake and it is not in the truststore either, TM cannot build the chain and the handshake fails.
Q3) What if they have endpoints with both SSL and mutual SSL? How does this work on the k8s platform? Do they need to configure two LB routes?
A3) CAPIM-LE provides two separate ports for inbound HTTPS traffic, so the load balancer needs a route for each. By default 443 enforces 1-way SSL and 1443 enforces 2-way SSL (mutual SSL / mTLS).
##Out of TM, between TM & Backend##
The relevant documentation is here:
Installation and Configuration > HTTPS Configuration
Here are the steps for quick reference:
- Create an identity for TM to present as its client certificate to the backend:
clustermanager create identity --file <.p12> --password <p12_password>
- Create certificates from the backend's public certificate chain (often unnecessary when the backend uses a public CA that TM already trusts):
clustermanager create certificate --file <X509/pem/cer_file>
- Create an HTTPSClientProfile referring to the identity and trusted certificate(s) created above
- Configure the endpoint to use that HTTPSClientProfile
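The script below is an added example, not code from the TIBCO article or from TM/clustermanager. It builds a throw-away Root CA -> Issuing CA -> client certificate PKI with openssl and uses it to show two things from this page: the truststore point in Q2 above (a truststore holding only the Root CA validates a client certificate only if the intermediate is presented by the client or is itself in the truststore), and how to package the TM client identity as the .p12 that `clustermanager create identity` takes, plus splitting a backend chain into one file per certificate for `clustermanager create certificate`. The names (Demo Root CA, Demo Issuing CA, api-consumer, the changeit password, the backend-ca-N.pem file names) are assumptions for the demo; the clustermanager commands are only printed, not run.

```shell
#!/bin/sh
# Added example (not TIBCO/TM code). Builds a demo PKI with openssl to illustrate the
# truststore behaviour from Q2 and the .p12 / certificate inputs for clustermanager.
# All certificate names and the password "changeit" are assumptions for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Root CA -> Issuing (intermediate) CA -> client leaf: the shape of a typical customer PKI.
gen_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > leaf.ext
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" -keyout root.key -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 -extfile root.ext -out root.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Issuing CA" -keyout inter.key -out inter.csr 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 30 -sha256 \
    -extfile inter.ext -out inter.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=api-consumer" -keyout client.key -out client.csr 2>/dev/null
  openssl x509 -req -in client.csr -CA inter.pem -CAkey inter.key -CAcreateserial -days 30 -sha256 \
    -extfile leaf.ext -out client.pem 2>/dev/null
}

# Mimics the check TM's truststore performs on an inbound mTLS client:
#   $1 = truststore contents (PEM), $2 = client leaf,
#   $3 (optional) = intermediate the client sends in its handshake (openssl verify -untrusted).
# Prints OK or FAIL.
verify_client() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1 && echo OK || echo FAIL
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo OK || echo FAIL
  fi
}

# Out-of-TM case: bundle key + leaf + issuing chain into the .p12 for "clustermanager create identity",
# then read the leaf subject back to confirm the file contains what we expect.
# OpenSSL 3 writes AES-256/PBKDF2 PKCS#12 by default; if the TM JVM rejects it, re-export with -legacy.
make_identity() {
  openssl pkcs12 -export -inkey client.key -in client.pem -certfile inter.pem \
    -name tm-client -passout pass:changeit -out tm-client.p12 2>/dev/null
  openssl pkcs12 -in tm-client.p12 -passin pass:changeit -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject
}

# Backend chain handling: "clustermanager create certificate" takes one X509 file per certificate,
# so split a PEM bundle into backend-ca-1.pem, backend-ca-2.pem, ... and print how many were written.
split_chain() {
  awk '/-----BEGIN CERTIFICATE-----/{n++; f=sprintf("backend-ca-%d.pem", n)} n>0{print > f} END{print n+0}' "$1"
}

gen_pki
# The full chain is what to upload with upload_ssl_server_truststore_for_traffic_manager (Q2).
cat root.pem inter.pem > truststore-chain.pem
echo "root-only truststore, client sends leaf only:         $(verify_client root.pem client.pem)"
echo "root-only truststore, client also sends intermediate: $(verify_client root.pem client.pem inter.pem)"
echo "full-chain truststore, client sends leaf only:        $(verify_client truststore-chain.pem client.pem)"
echo "identity in tm-client.p12: $(make_identity)"
echo "backend CA certificates split into files: $(split_chain truststore-chain.pem)"
cat <<'EOF'
# On the TM node (commands from the documentation; printed here, not executed):
clustermanager create identity --file tm-client.p12 --password changeit
clustermanager create certificate --file backend-ca-1.pem
clustermanager create certificate --file backend-ca-2.pem
EOF
```

The first verify line is the Q2 failure mode: the leaf alone against a root-only truststore cannot be chained, so the handshake would be rejected. It passes as soon as the intermediate is available from either side, which is why uploading root plus intermediates is the safe default.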
#SSL debug
The following documentation chapter has the steps to enable SSL debug logging on the TM:
Installation and Configuration > HTTPS Configuration > HTTPS Client Configuration > Troubleshooting HTTPS Problems > Enabling Java SSL Debug Logging
Note that the resulting javaproxy-runtime.log is written to the "/var/log/mashery" folder.