Problem
API mTLS authentication does not work when the WSO2 Gateway is fronted by an AWS Application Load Balancer (ALB) configured in mTLS passthrough mode. It works as expected behind other load balancers such as NGINX.
According to the AWS mTLS documentation, the ALB sends the client certificate header as URL-encoded PEM, but leaves the characters +, / and = unescaped because AWS treats them as safe. WSO2 expects a fully URL-encoded header, so it fails to parse the certificate and authentication fails.
Expected Result
The API should be accessible and mTLS authentication should succeed.
Actual Result
The WSO2 Gateway returns an error caused by the way the ALB encodes the certificate header:
TID: [] [] [2024-07-30 13:32:12,953] ERROR {org.wso2.carbon.apimgt.gateway.handlers.Utils} -
Error while validating into Certificate Existence org.wso2.carbon.apimgt.api.APIManagementException:
Error while converting into X509Certificate
at org.wso2.carbon.apimgt.gateway.handlers.Utils.getClientCertificateFromHeader_aroundBody34(Utils.java:491)
at org.wso2.carbon.apimgt.gateway.handlers.Utils.getClientCertificateFromHeader(Utils.java:1)
at org.wso2.carbon.apimgt.gateway.handlers.Utils.getClientCertificate_aroundBody32(Utils.java:448)
at org.wso2.carbon.apimgt.gateway.handlers.Utils.getClientCertificate(Utils.java:1)
at org.wso2.carbon.apimgt.gateway.handlers.security.authenticator.MutualSSLAuthenticator.authenticate_aroundBody4(MutualSSLAuthenticator.java:105)
at org.wso2.carbon.apimgt.gateway.handlers.security.authenticator.MutualSSLAuthenticator.authenticate(MutualSSLAuthenticator.java:1)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate_aroundBody56(APIAuthenticationHandler.java:546)
...
...
...
Caused by: java.security.cert.CertificateException: Could not parse certificate: java.io.IOException: Incomplete BER/DER data
at java.base/sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:115)
at java.base/java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:355)
at org.wso2.carbon.apimgt.gateway.handlers.Utils.getClientCertificateFromHeader_aroundBody34(Utils.java:488)
Solution
Enable the WSO2 Gateway to handle mTLS correctly when fronted by an AWS ALB by adapting the certificate-header processing in the source code to the ALB-specific header format, adding logic that accounts for the URL encoding differences.
https://stackoverflow.com/questions/78766126/how-to-enable-tls-1-1-in-wso2-apim-4-2
Steps to reproduce
1. Set Up Environment
Deploy WSO2 in an AWS environment and use an AWS ALB as the load balancer for the APIM Gateway instance.
2. Configure ALB
Set up the ALB to use mTLS in passthrough mode.
3. Configure WSO2
On the Gateway nodes, set up the required configuration for mTLS.
4. Deploy API
Deploy a test API and secure it using mTLS.
5. Consume the API
Make a request to the API through the ALB using the following curl command:
curl -v https://WSO2-GW-ALB.env/my-api/1.0.0/test --key client-v3.key --cert client-v3.crt
Affected Component
APIM
Version
3.x.x, 4.x.x
Implementation
The certificate header is currently decoded within the getClientCertificateFromHeader method of the Utils.java class using a simple URL decode operation.
To add support for AWS ALB, the following logic needs to be incorporated:
Code implementation:
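As an added example (not code from this issue or from WSO2), the following Python models the encoding difference behind the failure: java.net.URLDecoder, like urllib.parse.unquote_plus, turns a literal + into a space, so an ALB-style header whose base64 keeps + unescaped loses bytes and yields an incomplete DER structure, while a percent-only decode recovers the certificate from both the fully encoded and the ALB-style header. The certificate bytes and header values are constructed, not a real X.509 certificate or real ALB output.

```python
import base64
import binascii
from urllib.parse import quote, unquote, unquote_plus

# Constructed stand-in for a DER certificate: an outer SEQUENCE (0x30) with a
# short-form length of 8, chosen so that its base64 contains '+', '/' and '='.
FAKE_DER = bytes.fromhex("30 08 01 fb ef be ff ff ff 02")
PEM = ("-----BEGIN CERTIFICATE-----\n"
       + base64.b64encode(FAKE_DER).decode() + "\n"
       + "-----END CERTIFICATE-----\n")

def encode_fully(pem):
    """Fully URL-encoded header: every reserved character becomes %XX."""
    return quote(pem, safe="")

def encode_alb_style(pem):
    """ALB-style header: URL-encoded PEM with '+', '/' and '=' left unescaped."""
    return quote(pem, safe="+/=")

def decode_like_java_urldecoder(value):
    """java.net.URLDecoder.decode semantics: %XX decoded AND literal '+' -> space."""
    return unquote_plus(value)

def decode_percent_only(value):
    """Decode %XX escapes only; a literal '+' stays a '+'."""
    return unquote(value)

def pem_to_der(pem):
    """Strip the PEM armour and base64-decode; None if the base64 is unusable."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    try:
        return base64.b64decode(body)  # non-alphabet chars (e.g. spaces) are dropped
    except binascii.Error:
        return None

def recover(header_value, decoder):
    """Decode a certificate header with the given decoder and unwrap the PEM."""
    return pem_to_der(decoder(header_value))

def der_is_complete(der):
    """Outer SEQUENCE length must match the byte count (short or long form)."""
    if not der or len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short form: length in one byte
        header, length = 2, first
    else:                                  # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return len(der) == header + length

if __name__ == "__main__":
    for ename, enc in (("fully encoded", encode_fully), ("ALB style", encode_alb_style)):
        for dname, dec in (("URLDecoder", decode_like_java_urldecoder),
                           ("percent-only", decode_percent_only)):
            der = recover(enc(PEM), dec)
            print(f"{ename:13} + {dname:12}: complete={der_is_complete(der)}")
```

Only the ALB-style header decoded with URLDecoder semantics comes out incomplete; the percent-only decode handles both header styles.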
Related Issues
No response
Suggested Labels
No response