Choreo Based Analytics via Proxy

This documentation outlines the steps to configure APIM Analytics with Choreo through a proxy, utilizing a self-signed certificate for secure communication.


  • Install OpenSSL.

Installation and Configuration Steps

Step 1: Install mitmproxy

First, install mitmproxy by following the instructions on the official mitmproxy documentation. This tool will act as the intercepting proxy between your API Manager and the internet.

Step 2: Generate a Self-Signed Certificate

To create a secure channel, generate a self-signed certificate using the following steps:

  1. Create a configuration file named req.conf with the following content:
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
L = SomeCity
O = MyCompany
OU = MyDivision
CN =

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
IP.1 =
DNS.1 = localhost
DNS.2 =
DNS.3 =
  2. Generate the certificate and key by executing the following commands:
openssl genrsa -out cert.key 2048

openssl req -new -x509 -key cert.key -out cert.crt -config req.conf -extensions 'v3_req'

cat cert.key cert.crt > cert.pem

More details on configuring certificates in mitmproxy can be found here.


In a production environment, it is crucial to use a certificate issued by a trusted Certificate Authority (CA) instead of a self-signed certificate. This ensures the integrity and trustworthiness of the secure connections established by your infrastructure.
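
Before moving on to Step 3, the bundle from Step 2 can be checked: that it holds a matching key and certificate, that the certificate covers the proxy's host name, and that it has not expired. This is an added example, not part of the original page; the function names `check_proxy_cert` and `make_sample_bundle` are hypothetical, and `proxy.example.internal` and `127.0.0.1` are constructed sample values.

```shell
# check_proxy_cert <bundle.pem> <proxy-host>: returns 0 only if every check passes.
check_proxy_cert() {
    bundle=$1 host=$2
    # mitmproxy's --certs file needs the private key and the certificate together.
    grep -q 'PRIVATE KEY-----' "$bundle" || { echo "FAIL: no private key"; return 1; }
    grep -q 'BEGIN CERTIFICATE-----' "$bundle" || { echo "FAIL: no certificate"; return 1; }
    # Key and certificate must be a pair: both must yield the same public key.
    key_pub=$(openssl pkey -in "$bundle" -pubout 2>/dev/null) || { echo "FAIL: unreadable key"; return 1; }
    crt_pub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null) || { echo "FAIL: unreadable certificate"; return 1; }
    [ "$key_pub" = "$crt_pub" ] || { echo "FAIL: key does not match certificate"; return 1; }
    # The name used as proxy_config_host must be covered by the certificate's names.
    openssl x509 -in "$bundle" -noout -checkhost "$host" 2>&1 | grep -q 'does match' \
        || { echo "FAIL: $host not covered by certificate"; return 1; }
    # Reject a certificate that has expired or expires within 24 hours.
    openssl x509 -in "$bundle" -noout -checkend 86400 >/dev/null \
        || { echo "FAIL: certificate expired or about to expire"; return 1; }
    echo "OK: $bundle is usable for $host"
}

# make_sample_bundle <dir>: runs the Step 2 commands in <dir>. The host name and
# address in this req.conf are constructed sample values, not values from the page.
make_sample_bundle() (
    cd "$1" || exit 1
    cat > req.conf <<'EOF'
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = proxy.example.internal
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = 127.0.0.1
DNS.1 = localhost
DNS.2 = proxy.example.internal
EOF
    openssl genrsa -out cert.key 2048 2>/dev/null || exit 1
    openssl req -new -x509 -key cert.key -out cert.crt -config req.conf -extensions v3_req || exit 1
    cat cert.key cert.crt > cert.pem
)

# Demo on a throwaway bundle: a listed name passes, an unlisted name is rejected.
demo_dir=$(mktemp -d) && make_sample_bundle "$demo_dir"
check_proxy_cert "$demo_dir/cert.pem" proxy.example.internal
check_proxy_cert "$demo_dir/cert.pem" other.example.internal || echo "(rejected as intended)"
rm -rf "$demo_dir"
```

When the proxy is addressed by IP rather than by name, `openssl x509` offers `-checkip` in place of `-checkhost`.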

Step 3: API Manager Configuration

Import the generated cert.crt and cert.key into the API Manager's client-truststore and keystore. Then, apply the following configurations to your deployment.toml file:

[apim.analytics]
enable = true
config_endpoint = ''
auth_token = 'YOUR_AUTH_TOKEN'

[apim.analytics.properties]
proxy_config_enable = true
proxy_config_host = ''
proxy_config_port = '3128'
proxy_config_protocol = 'https'

Replace YOUR_AUTH_TOKEN with the On-premise key. For guidance on obtaining this key, please refer to the instructions provided in the WSO2 documentation.

Step 4: Start mitmproxy

Launch mitmproxy with the following command to start intercepting traffic:

mitmweb --web-port 8086 --listen-port 3128 -m regular --no-http2 --certs cert.pem

For further details on mitmproxy and its configurations, consult the mitmproxy documentation.