Reputation: 233
I would like my Bluemix application (Liberty) to access a remote REST API that is provided over SSL. I need to use the gateway's "TLS Mutual Auth" option. But first, to figure out whether I must use the "HTTPS" option when a remote REST API is provided over SSL, I tested two cases, HTTPS and TLS Server Auth. The HTTPS case resulted in success and the TLS Server Auth case resulted in failure.
Is the HTTPS option required when a remote REST API is HTTPS in order to rewrite the HTTP header at SecureGatewayClient? Can't we protect the gateway with TLS Mutual Auth if this is correct?
1. HTTPS option: success
This case resulted in success.
2. TLS Server Auth option: failure
This case resulted in failure.
I just changed the gateway's option from "HTTPS" to "TLS Server Auth", so the cause is not a misconfiguration.
[Bluemix Liberty application's log]
2015-07-01T04:17:58.64+0900 [RTR] OUT sampleapp.mybluemix.net
[30/06/2015:19:17:49 +0000] "GET /XXX HTTP/1.1" 200
2015-07-01T04:17:58.66+0900 [App/0] OUT res:404 Not Found: Requested route ('cloudhost:cloudport') does not exist.
[SG Client's log]
[2015-06-30 02:37:38.144] [INFO] Connection #32 is being established to remote REST API's host:443
[2015-06-30 02:37:38.227] [INFO] Connection #32 established to remote REST API's host:443
[2015-06-30 02:37:52.535] [INFO] Connection #32 to remote REST API's host:443 was closed
Upvotes: 3
Views: 1182
Reputation: 1441
In response to this part of your post:
Is the HTTPS option required when a remote REST API is HTTPS in order to rewrite the HTTP header at SecureGatewayClient ?
Yes, HTTPS is required if connecting to an HTTPS remote REST API. Additionally, if you're connecting to a backend HTTPS server, you will need to enable client-side TLS.
The link below provides more info regarding securing a gateway in the Bluemix UI:
https://www.ng.bluemix.net/docs/services/SecureGateway/sg_022.html#sg_009
In response to this part of your post:
Can't we protect the gateway with TLS Mutual Auth?
Yes, you can use TLS:Mutual Auth, but you would also need to upload your own certificate or select auto-generate to automatically create a self-signed certificate/key pair that you can download along with the server certificate.
To use the certificates generated by selecting TLS:Mutual Auth, you will also need to configure your application-side TLS connection, and potentially your client-side TLS connection. Enabling TLS security between the client and your REST API is separate to application-side TLS. Application-side TLS secures access between your sample app and the secure gateway client defined. You can use client-side TLS connectivity independent of application-side TLS, vice versa, or together to provide complete security from your sample app to your REST API.
For more information regarding accessing the secure gateway, please see the link below:
https://www.ng.bluemix.net/docs/services/SecureGateway/sg_023.html
Upvotes: 1
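The application-side half of the TLS Mutual Auth setup described in the answer above, sketched in Java for a Liberty app. This is an added example, not code from the answer or from the Secure Gateway documentation. Assumptions: the downloaded certificate/key pair has been converted to a PKCS#12 file, the gateway's server certificate is a PEM file whose name matches the cloud host, HTTP is carried inside the TLS session, and the file arguments and the `GATEWAY_P12_PASSWORD` variable are hypothetical names.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class GatewayMutualTlsClient {

    // Context that presents our certificate AND trusts only the gateway's server certificate.
    static SSLContext mutualAuthContext(String clientP12, char[] password, String serverPem)
            throws Exception {
        // Client identity: the certificate/key pair (assumed converted to PKCS#12).
        KeyStore identity = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(clientP12)) {
            identity.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, password);

        // Trust anchor: only the server certificate downloaded with the pair, not the JVM defaults.
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);
        try (InputStream in = new FileInputStream(serverPem)) {
            Certificate server = CertificateFactory.getInstance("X.509").generateCertificate(in);
            trust.setCertificateEntry("gateway-server", server);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // args (placeholders): <cloudhost> <cloudport> <client.p12> <server.pem>
        char[] password = System.getenv("GATEWAY_P12_PASSWORD").toCharArray(); // hypothetical variable
        SSLContext ctx = mutualAuthContext(args[2], password, args[3]);
        URI dest = URI.create("https://" + args[0] + ":" + args[1] + "/");
        HttpsURLConnection conn = (HttpsURLConnection) dest.toURL().openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // hostname verification stays enabled
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

A handshake failure here separates the two halves: a certificate-path error means the trust store does not hold the gateway's server certificate, while an alert from the peer after the client certificate is sent means the gateway did not accept the identity presented.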