To connect to backend endpoints over TLS, the backend's public certificate (or the CA certificate that signed it) must be added to the router as a trusted certificate.
If no certificate is provided explicitly, the Choreo Connect router uses the default trusted certificates at the path set by trustedCertPath (by default /etc/ssl/certs/ca-certificates.crt).
The following are the default configurations for a Gateway instance. To change the default values, add the following configuration block to
<CHOREO-CONNECT_HOME>/docker-compose/choreo-connect-with-apim/conf/config.toml (or the config.toml of whichever deployment mode you are running).
```toml
[router.upstream.tls]
minimumProtocolVersion = "TLS1_1"
maximumProtocolVersion = "TLS1_2"
ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-RSA-AES128-SHA, AES128-GCM-SHA256, AES128-SHA, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES256-SHA, AES256-GCM-SHA384, AES256-SHA"
# the default endpoint certificates
trustedCertPath = "/etc/ssl/certs/ca-certificates.crt"
verifyHostName = true
disableSslVerification = false
```
| Heading | Description |
|---|---|
| router.upstream.tls | Configures the TLS properties the router uses for upstream clusters (backend endpoints). |

| Sub Heading | Description | Default value |
|---|---|---|
| minimumProtocolVersion | The minimum TLS version the router will negotiate with a backend. | TLS1_1 |
| maximumProtocolVersion | The maximum TLS version the router will negotiate with a backend. | TLS1_2 |
| ciphers | Comma-separated list of cipher suites offered to backends. | The list in the block above |
| trustedCertPath | Path to the PEM bundle of trusted certificates (backend and/or CA certificates). | /etc/ssl/certs/ca-certificates.crt |
| verifyHostName | Verify that the backend hostname matches the certificate's SAN (Subject Alternative Name). With this off, a valid certificate for any other host is accepted. | true |
| disableSslVerification | Disable certificate verification for backend clusters entirely. When true the router accepts any certificate, so keep it false outside local testing. | false |
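The defaults above permit TLS 1.1 and several cipher suites that either lack forward secrecy (the plain AES-*-SHA and AES-*-GCM suites use static RSA key exchange) or use CBC mode. The following Python script is an added example, not part of Choreo Connect or its documentation: it parses a [router.upstream.tls] block and reports the settings a security review would flag, and it carries a constructed hardened variant of the block next to the page's defaults. The hardened block assumes the router accepts "TLS1_3" for maximumProtocolVersion, as Envoy does; if your release rejects that value, keep "TLS1_2" and the rest of the hardening still applies.

```python
"""Audit a Choreo Connect [router.upstream.tls] block for weak settings.

Added example for this page; not Choreo Connect code. DEFAULT_TLS mirrors the
page's defaults, HARDENED_TLS is a constructed hardened variant. That the
router accepts "TLS1_3" for maximumProtocolVersion is an assumption (Envoy
does); keep "TLS1_2" if your release rejects it.
"""

DEFAULT_TLS = '''
[router.upstream.tls]
minimumProtocolVersion = "TLS1_1"
maximumProtocolVersion = "TLS1_2"
ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-RSA-AES128-SHA, AES128-GCM-SHA256, AES128-SHA, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES256-SHA, AES256-GCM-SHA384, AES256-SHA"
trustedCertPath = "/etc/ssl/certs/ca-certificates.crt"
verifyHostName = true
disableSslVerification = false
'''

HARDENED_TLS = '''
[router.upstream.tls]
minimumProtocolVersion = "TLS1_2"
maximumProtocolVersion = "TLS1_3"
# forward-secret AEAD suites only: no static RSA key exchange, no CBC
ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384"
trustedCertPath = "/etc/ssl/certs/ca-certificates.crt"
verifyHostName = true
disableSslVerification = false
'''

TLS_ORDER = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2, "TLS1_3": 3}


def parse_upstream_tls(toml_text):
    """Minimal parser for the flat key = value lines of [router.upstream.tls].
    Written by hand so the script does not depend on tomllib (Python 3.11+)."""
    section = {}
    in_section = False
    for raw in toml_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; no value here contains '#'
        if not line:
            continue
        if line.startswith("["):
            in_section = line == "[router.upstream.tls]"
            continue
        if not in_section:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        elif value in ("true", "false"):
            value = value == "true"
        section[key.strip()] = value
    return section


def weak_ciphers(cipher_string):
    """Suites that lack forward secrecy (no ECDHE) or are not AEAD (no GCM/CHACHA20)."""
    suites = [c.strip() for c in cipher_string.split(",") if c.strip()]
    return [c for c in suites
            if not c.startswith("ECDHE-") or not ("GCM" in c or "CHACHA20" in c)]


def audit_upstream_tls(toml_text):
    """Return a list of findings; an empty list means the block passes this audit."""
    cfg = parse_upstream_tls(toml_text)
    findings = []
    if cfg.get("disableSslVerification") is True:
        findings.append("disableSslVerification = true: backend certificates are not checked at all")
    if cfg.get("verifyHostName") is False:
        findings.append("verifyHostName = false: a valid certificate for any other host is accepted")
    if TLS_ORDER.get(cfg.get("minimumProtocolVersion", ""), -1) < TLS_ORDER["TLS1_2"]:
        findings.append("minimumProtocolVersion below TLS1_2 (TLS 1.0/1.1 are deprecated by RFC 8996)")
    weak = weak_ciphers(cfg.get("ciphers", ""))
    if weak:
        findings.append("ciphers without forward secrecy or using CBC: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    for name, text in (("default", DEFAULT_TLS), ("hardened", HARDENED_TLS)):
        print(name + ":", audit_upstream_tls(text) or ["ok"])
```

Run it against your own config.toml by reading the file into a string and passing it to audit_upstream_tls; the parser only looks at the [router.upstream.tls] section and ignores the rest of the file.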
## Add a Certificate to Choreo Connect Router as a Trusted Certificate
Choreo Connect supports certificates in PEM format. The trusted certificates are supplied as a single bundle file that contains all the certificates.
To add a new certificate, follow the steps below.
- Mount the default certificate location of the Choreo Connect router in the
  <CHOREO-CONNECT_HOME>/docker-compose/choreo-connect or choreo-connect-with-apim docker-compose.yaml file. This lets you modify the certificates without logging in to the container.

    ```yaml
    router:
      image: wso2/choreo-connect-router:0.9.1-SNAPSHOT
      logging:
        options:
          max-size: "20m"
          max-file: "5"
      environment:
        ...
        - ENFORCER_CA_CERT_PATH=/home/wso2/security/truststore/mg.pem
      volumes:
        - ../resources/router/security:/home/wso2/security
        - <PATH>/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt
    ```

  If you change the container-side path of the volume mount, the
  trustedCertPath value in config.toml must be changed to match.
- Convert the certificate into PEM format. If the input file is DER-encoded (binary), add -inform der; without it openssl assumes PEM input.

    ```shell
    openssl x509 -in <INPUT CERTIFICATE> -out <OUT_PUT_FILE_NAME>.pem
    openssl x509 -in backend.cert -out backend.pem
    ```
- Open the converted backend.pem file and copy the certificate content, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
- Open the default certificate bundle (the mounted file), append the new certificate content and save the file.
- Restart the Router container.

    ```shell
    docker restart <router_container_name>
    ```
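The manual steps above are easy to get wrong: a block copied without its BEGIN/END lines is not a valid certificate, and re-running the steps appends duplicates to the bundle. The Python script below is an added example, not Choreo Connect code. It converts a DER or PEM certificate to PEM (the same transformation as the openssl x509 command above), checks that the payload is a DER SEQUENCE, fingerprints it with SHA-256 and appends it to the bundle only if that fingerprint is not already present. The certificate bytes used in its test are constructed dummies, not a real certificate; in real use point it at the mounted <PATH>/ca-certificates.crt and your backend.cert file.

```python
"""Append a backend certificate to the router's PEM trust bundle, safely.

Added example for this page; not Choreo Connect code. Mirrors the manual
steps (convert to PEM, append to the mounted bundle) and adds two checks:
the block must be a well-formed certificate, and an already-present
certificate is not appended again.
"""
import base64
import hashlib
import re
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def to_pem(cert_bytes):
    """Accept a certificate as DER or PEM bytes and return canonical PEM text,
    like `openssl x509 -in <cert> [-inform der] -out <cert>.pem`."""
    if cert_bytes.lstrip().startswith(b"-----BEGIN"):
        m = PEM_BLOCK.search(cert_bytes.decode("ascii"))
        if not m:
            raise ValueError("no CERTIFICATE block found in PEM input")
        der = base64.b64decode("".join(m.group(1).split()))
    else:
        der = cert_bytes
    if not der or der[0] != 0x30:  # X.509 DER always starts with an ASN.1 SEQUENCE tag
        raise ValueError("input is not a DER-encoded certificate")
    return ssl.DER_cert_to_PEM_cert(der)


def fingerprint(pem_text):
    """SHA-256 of the DER bytes, the value `openssl x509 -fingerprint -sha256` prints."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_text)).hexdigest()


def bundle_fingerprints(bundle_text):
    """Fingerprints of every certificate currently in the trust bundle."""
    out = set()
    for body in PEM_BLOCK.findall(bundle_text):
        der = base64.b64decode("".join(body.split()))
        out.add(hashlib.sha256(der).hexdigest())
    return out


def append_to_bundle(bundle_text, cert_bytes):
    """Return (new_bundle_text, added). The certificate is appended only if it
    is well-formed and its fingerprint is not already in the bundle."""
    pem = to_pem(cert_bytes)
    if fingerprint(pem) in bundle_fingerprints(bundle_text):
        return bundle_text, False
    if bundle_text and not bundle_text.endswith("\n"):
        bundle_text += "\n"  # never glue the new header onto the previous footer
    return bundle_text + pem, True


if __name__ == "__main__":
    # usage: python add_trusted_cert.py <PATH>/ca-certificates.crt backend.cert
    bundle_path, cert_path = sys.argv[1], sys.argv[2]
    with open(bundle_path) as f:
        current = f.read()
    with open(cert_path, "rb") as f:
        new_bundle, added = append_to_bundle(current, f.read())
    if added:
        with open(bundle_path, "w") as f:
            f.write(new_bundle)
    print("certificate added; restart the router" if added
          else "certificate already present; bundle unchanged")
```

After the script reports that a certificate was added, restart the router container as in the last step above so that it reloads the bundle.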
## Adding Certificates to Specific Clusters

The section above explains how a certificate is added to the Choreo Connect router's global trusted certificates. If the certificate should be trusted only for a specific API backend, it can be done as follows.
### via API Manager
Please follow Adding a Certificate for an Endpoint
### via API CTL
- Create a new API Project by following Importing APIs via Developer First Approach.
- Copy the backend certificate, in PEM format, to the
  <API_PROJECT_HOME>/Endpoint-certificates directory.
- Generate the Deployment directory for the API project by following Generating the Deployment Directory.
- Following Defining the parameters file for an API, edit the params.yaml file in the generated deployment directory.
- Bundle the generated Deployment directory with the project, following Bundling the generated directory before Import.
- Deploy the API project into Choreo Connect by following Deploy an API.