2 votes

I am using WSO2 APIM 2.6.0 with the default database configuration (H2) and other default settings. I have been a user of APIM 2.5.0 and things are working fine there.

But we had a requirement to install the SSL certificate of the backend server of the APIs which I create in APIM 2.5.0.

On reading the documentation [https://docs.wso2.com/display/AM260/Dynamic+SSL+Certificate+Installation] and [https://docs.wso2.com/display/AM260/RESTful+APIs] I understand that 2.6.0 has the ability to add a new SSL certificate to the APIM client truststore using the REST API.

I have tested this and it seems to work fine (adding the certificate using the REST API). Once you add the certificate, it seems that it has to be loaded in the gateway nodes, which happens every 10 mins (by default; it can be changed based on the requirement in the axis2.xml file).

But even after adding the certificate to the client-truststore, when I click the endpoint TEST button in API Publisher it says 'Invalid Endpoint.' The certificate does not seem to get loaded, even though there are logs like the ones below:

            TID: [-1234] [] [2019-09-18 14:44:51,302]  INFO {org.wso2.carbon.apimgt.impl.certificatemgt.CertificateManagerImpl} -  Certificate is successfully added to the Publisher client Trust Store with Alias 'devcertificate' {org.wso2.carbon.apimgt.impl.certificatemgt.CertificateManagerImpl}
            TID: [-1234] [] [2019-09-18 14:44:51,341]  INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} -  '[email protected] [-1234]' logged in at [2019-09-18 14:44:51,341+0000] {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil}
            TID: [-1234] [] [2019-09-18 14:44:51,365]  INFO {org.wso2.carbon.apimgt.impl.certificatemgt.CertificateManagerImpl} -  The Alias 'devcertificate' exists in the Gateway Trust Store. {org.wso2.carbon.apimgt.impl.certificatemgt.CertificateManagerImpl}
            TID: [-1234] [] [2019-09-18 14:44:51,365]  INFO {org.wso2.carbon.apimgt.impl.certificatemgt.CertificateManagerImpl} -  The Transport Sender will be re-initialized in few minutes. {org.wso2.carbon.apimgt.impl.certificatemgt.CertificateManagerImpl}
            TID: [-1234] [] [2019-09-18 14:44:51,365]  INFO {org.wso2.carbon.apimgt.impl.certificatemgt.CertificateManagerImpl} -  The certificate with Alias 'devcertificate' is successfully added to the Gateway Trust Store. {org.wso2.carbon.apimgt.impl.certificatemgt.CertificateManagerImpl}
            TID: [-1] [] [2019-09-18 14:49:12,582]  INFO {org.wso2.andes.kernel.disruptor.inbound.InboundDBSyncRequestEvent} -  Running DB sync task. {org.wso2.andes.kernel.disruptor.inbound.InboundDBSyncRequestEvent}


            TID: [-1] [] [2019-09-18 14:53:28,348]  INFO {org.apache.synapse.transport.passthru.PassThroughHttpSSLSender} -  PassThroughHttpSender reloading SSL Config.. {org.apache.synapse.transport.passthru.PassThroughHttpSSLSender}
            TID: [-1] [] [2019-09-18 14:53:28,352]  INFO {org.apache.synapse.transport.nhttp.config.ClientConnFactoryBuilder} -  customSSLProfiles configuration is loaded from path: /opt/new/test/apim/fresh/usr/lib/wso2/wso2am/2.6.0/repository/resources/security/sslprofiles.xml {org.apache.synapse.transport.nhttp.config.ClientConnFactoryBuilder}
            TID: [-1] [] [2019-09-18 14:53:28,352]  INFO {org.apache.synapse.transport.nhttp.config.ClientConnFactoryBuilder} -  HTTPS Loading custom SSL profiles for the HTTPS sender {org.apache.synapse.transport.nhttp.config.ClientConnFactoryBuilder}
            TID: [-1] [] [2019-09-18 14:53:28,358]  INFO {org.apache.synapse.transport.nhttp.config.ClientConnFactoryBuilder} -  HTTPS Custom SSL profiles initialized for 1 servers {org.apache.synapse.transport.nhttp.config.ClientConnFactoryBuilder}
            TID: [-1] [] [2019-09-18 14:53:28,358]  INFO {org.apache.synapse.transport.passthru.PassThroughHttpSSLSender} -  Pass-through HTTPS Sender updated with Dynamic Configuration Updates ... {org.apache.synapse.transport.passthru.PassThroughHttpSSLSender}

So my question here is: do we have to restart the server for the certificates added to the client truststore to work? Or, as per the documentation, once the certificate is loaded in the gateway node after 10 mins, does it get reflected without restarting the server so that communication with the backend server can be done? Am I missing anything here?

Can someone please help me with this.

Thanks
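As an added check (not code from the question or from WSO2), this script reads Carbon log lines in the format shown above and correlates each "successfully added to the Gateway Trust Store" event with the next "Pass-through HTTPS Sender updated" reload, reporting the delay and flagging an add that no periodic reload picked up. The sample lines are constructed from the question's own messages; note that it only tells you whether the gateway sender reloaded, not which truststore the Publisher's endpoint TEST button uses.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the Carbon log lines in the question
# (same message texts and timestamps as quoted there).
SAMPLE_LOG = """\
TID: [-1234] [] [2019-09-18 14:44:51,365]  INFO {org.wso2.carbon.apimgt.impl.certificatemgt.CertificateManagerImpl} -  The certificate with Alias 'devcertificate' is successfully added to the Gateway Trust Store. {org.wso2.carbon.apimgt.impl.certificatemgt.CertificateManagerImpl}
TID: [-1] [] [2019-09-18 14:49:12,582]  INFO {org.wso2.andes.kernel.disruptor.inbound.InboundDBSyncRequestEvent} -  Running DB sync task. {org.wso2.andes.kernel.disruptor.inbound.InboundDBSyncRequestEvent}
TID: [-1] [] [2019-09-18 14:53:28,348]  INFO {org.apache.synapse.transport.passthru.PassThroughHttpSSLSender} -  PassThroughHttpSender reloading SSL Config.. {org.apache.synapse.transport.passthru.PassThroughHttpSSLSender}
TID: [-1] [] [2019-09-18 14:53:28,358]  INFO {org.apache.synapse.transport.passthru.PassThroughHttpSSLSender} -  Pass-through HTTPS Sender updated with Dynamic Configuration Updates ... {org.apache.synapse.transport.passthru.PassThroughHttpSSLSender}
"""

# Carbon log prefix: "TID: [<tenant>] [] [<yyyy-mm-dd HH:MM:SS,mmm>] LEVEL ..."
TS_RE = re.compile(r"^TID: \[-?\d+\] \[\] \[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\]")
ADDED_RE = re.compile(r"certificate with Alias '([^']+)' is successfully added to the Gateway Trust Store")
# Logged once the pass-through HTTPS sender has rebuilt its SSL context from the truststore.
RELOADED_MSG = "Pass-through HTTPS Sender updated with Dynamic Configuration Updates"


def parse_timestamp(line):
    """Return the line's timestamp as a datetime, or None if it is not a Carbon log line."""
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f") if m else None


def check_reload(log_text, interval_minutes=10):
    """Map each added alias to the next sender reload: {alias: {added, reloaded, delay_seconds, status}}."""
    pending = {}  # alias -> time added, not yet covered by a reload
    report = {}
    limit = timedelta(minutes=interval_minutes).total_seconds()
    for line in log_text.splitlines():
        ts = parse_timestamp(line)
        if ts is None:
            continue  # not a Carbon log line (e.g. stack trace continuation)
        m = ADDED_RE.search(line)
        if m:
            pending[m.group(1)] = ts
        elif RELOADED_MSG in line:
            # One reload covers every certificate added since the previous reload.
            for alias, added in pending.items():
                delay = (ts - added).total_seconds()
                report[alias] = {"added": added, "reloaded": ts, "delay_seconds": delay,
                                 "status": "reload later than interval" if delay > limit
                                 else "reloaded within interval"}
            pending.clear()
    for alias, added in pending.items():  # added but never reloaded in this log window
        report[alias] = {"added": added, "reloaded": None, "delay_seconds": None,
                         "status": "no sender reload seen after add"}
    return report
```

Run it over the gateway's wso2carbon.log after the 10-minute window; an alias still reported as "no sender reload seen after add" means the dynamic reload never ran on that node.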

You do not need to restart the server to load the certificate. Once the certificate is added to the trust store, it will automatically load after the configured time. Did you observe any issue while using this? - menaka_

Yes, it did not get reflected. I tried adding the certificate to the client truststore but it did not reflect, as when I tried to hit the URL I still got an SSL peer unauthentication error. Then I restarted and it got working. Just to update that I am using the APIM 2.6.0 version without WUM. - 2437850

Did you invoke the API (via gateway) after adding the certificate to the trust store? - menaka_

@Menaka: No, not invoking the API, but I tried to test with the feature we have in the Production endpoint in Publisher while we edit the API. - 2437850

I tried now to invoke the API and it seems to be working. However, the test button option still says invalid - error connecting to backend. This definitely creates confusion. I will continue checking the use cases with other endpoints and will share the update if any. - 2437850

1 Answer

0 votes

Are there multiple nodes here? When dynamic SSL certificates are uploaded through the Publisher console they are added to /repository/resources/security/sslprofiles.xml and /repository/resources/security/client-truststore.jks of the current node. But if the setup is clustered, these 2 files need to be synced between the nodes to update these dynamically added certificates, as mentioned in the doc.