MTLS-AWS API Gateway (Part-II)

Sachin Kumar Shukla
3 min read · Mar 25, 2023


This document is Part II of the series on implementing mTLS (Mutual TLS).

For an in-depth explanation of mTLS in general, see https://medium.com/@skshukla.0336/mtls-everything-you-need-to-know-e03804b30804

1. Introduction

While the previous part explained Mutual TLS in depth, this document focuses on achieving the same with Amazon’s API Gateway.

The concepts covered here are:

  • Acquiring certificates from a valid Certificate Authority.
  • Making a secure API call, via API Gateway, to a backend application running on EC2.

2. Setup

2.1 Acquire Certificates

Amazon API Gateway requires certificates issued by a proper Certificate Authority; a self-signed certificate is not accepted. For this demo, https://letsencrypt.org/ is used to issue the certificates.

(fullchain.pem is the certificate chain and privkey.pem is the private key. The domain name used to issue the certificate is api-gateway-server.skshukla.com. Once a Route 53 record exists for this subdomain, the certificates can be obtained by running the commands from the link above on the EC2 instance.)

2.2 Create Key Store and Trust Store

Use the commands below to create the Key Store and the Trust Store.

# Use the certificate and private key to create a PKCS#12 file
# (12345678 is the example store password used in this demo; replace it with your own)

openssl pkcs12 -export -out server.p12 -name "api-gateway-server.skshukla.com" \
-inkey privkey.pem -in fullchain.pem -passin pass:12345678 \
-password pass:12345678

# Create the JKS keystore from the P12 file (keytool prompts for the source and destination store passwords)

keytool -importkeystore -srckeystore server.p12 -srcstoretype PKCS12 \
-destkeystore myserver_keystore.jks -deststoretype JKS

# Single command to create the Trust Store and import the server certificate
# (keytool creates myserver_truststore.jks if it does not exist yet; the -ext option only applies
# when generating keys or certificates and has no effect on -import, so it is omitted here)

keytool -import -trustcacerts -noprompt -alias ca \
-file fullchain.pem -keystore myserver_truststore.jks

2.3 Import Certificate to Trust Store

Since the backend service should accept only valid clients (here, the API Gateway), the API Gateway’s client certificate must be imported into the Trust Store for mTLS to work.

The API Gateway certificate can be obtained in the API Gateway console via Client Certificates -> Generate Client Certificate, then Copy. This copies the certificate content to the clipboard. Create a file “api_gateway.crt” with the copied content.

Import the API Gateway certificate into the trust store (as above, -ext has no effect on -import and is omitted).

keytool -import -trustcacerts -noprompt -alias ca-api-gateway \
-file api_gateway.crt -keystore myserver_truststore.jks

Finally, ensure that mTLS is enabled with the following values in the application.yaml file and start the application. (Refer to Part I to run the application from GitHub.)

client-auth: need
key-alias: api-gateway-server.skshukla.com

  • client-auth: need makes the server require and verify the client’s certificate (two-way TLS).
  • key-alias must be correct and must match the domain name of the server certificate.

3. Testing

Because the only allowed client is the API Gateway, neither passing the --cacert option nor using the insecure (-k) option will work: the server rejects the request unless it comes from the API Gateway whose certificate was added to the trust store.

In the API Gateway console, choose HTTP as the “Integration Type”, check the “Use HTTP Proxy Integration” option and set the Endpoint URL to the backend’s address.

After creating the API, choose the same client certificate and press the Test button; the backend’s response is displayed.
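The rejection behaviour described in this section can be reproduced locally without an EC2 instance or the API Gateway, using only openssl. The script below is an added example and is not part of the original post or the Part I application: it creates a throwaway CA (demo-ca), signs one server and one client certificate with it, starts openssl s_server with -Verify, which corresponds to Spring’s client-auth: need (Spring’s want would only request a certificate and still let a client in without one), and then probes the listener once with the CA-signed client certificate and once with no certificate at all, which is what a plain --cacert or -k call does. The names, the port 48443, the RSA-2048 keys and the one-day validity are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the mTLS rejection
# behaviour locally with openssl alone. A throwaway CA signs a server cert and a
# client cert; openssl s_server runs with -Verify (the equivalent of Spring's
# `client-auth: need`) and is probed with and without the client certificate.
# All names, the port and the validity period are assumptions for the demo.
set -u

WORK="$(mktemp -d)"       # scratch directory for the constructed key material
PORT=48443                # assumed to be a free local port
SERVER_PID=""

# Create demo-ca (self-signed, CA:TRUE) and CA-signed server/client certificates.
make_certs() {
  ( cd "$WORK" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-ca" \
      -keyout ca.key -out ca.csr >/dev/null 2>&1 || exit 1
    openssl x509 -req -in ca.csr -signkey ca.key -days 1 -extfile ca.ext \
      -out ca.pem >/dev/null 2>&1 || exit 1
    for n in server client; do
      openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
        -keyout "$n.key" -out "$n.csr" >/dev/null 2>&1 || exit 1
      openssl x509 -req -in "$n.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 1 -out "$n.pem" >/dev/null 2>&1 || exit 1
    done )
}

# Client that presents the CA-signed certificate (the API Gateway's role).
probe_with_cert() {
  openssl s_client -connect "127.0.0.1:$PORT" -tls1_2 -CAfile "$WORK/ca.pem" \
    -cert "$WORK/client.pem" -key "$WORK/client.key" </dev/null 2>&1
}

# Client that trusts the server but presents no certificate (what -k or --cacert alone does).
probe_without_cert() {
  openssl s_client -connect "127.0.0.1:$PORT" -tls1_2 -CAfile "$WORK/ca.pem" \
    </dev/null 2>&1
}

# handshake_result with|without -> prints "accepted", "rejected" or "unknown".
handshake_result() {
  if [ "$1" = with ]; then out="$(probe_with_cert || true)"
  else out="$(probe_without_cert || true)"; fi
  # A server that requires a client certificate aborts the TLS 1.2 handshake
  # with alert 40 (handshake_failure) when the client sends none.
  if printf '%s\n' "$out" | grep -Eq 'alert handshake failure|alert number 40'; then
    echo rejected
  elif printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
    echo accepted
  else
    echo unknown
  fi
}

# Start s_server in the background. -Verify 1 requires a client certificate
# chaining to ca.pem (depth 1); -www makes it answer GET with a status page.
start_server() {
  openssl s_server -accept "$PORT" -tls1_2 -www \
    -cert "$WORK/server.pem" -key "$WORK/server.key" \
    -CAfile "$WORK/ca.pem" -Verify 1 </dev/null >/dev/null 2>&1 &
  SERVER_PID=$!
  for _ in 1 2 3 4 5; do      # wait up to ~5 s for the listener to come up
    [ "$(handshake_result with)" = accepted ] && return 0
    sleep 1
  done
  return 1
}

# Stop the listener and remove the scratch directory (safe to run twice).
stop_server() {
  if [ -n "$SERVER_PID" ]; then
    kill "$SERVER_PID" 2>/dev/null || true
    wait "$SERVER_PID" 2>/dev/null || true
  fi
  rm -rf "$WORK" || true
}

make_certs || { echo "certificate generation failed"; stop_server; exit 1; }
start_server || { echo "server did not start"; stop_server; exit 1; }
trap stop_server EXIT
echo "client with CA-signed cert: $(handshake_result with)"      # accepted
echo "client without a cert:      $(handshake_result without)"   # rejected
```

The two probes mirror the two cases in the text: the API Gateway, whose certificate the trust store knows, completes the handshake, while any other caller is cut off during the handshake itself, before a single HTTP byte reaches the backend. If the second probe prints accepted on your own server, the client-auth setting is not need or the truststore the server loaded is not the one you imported into.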

4. Conclusion

With mTLS, the server accepts requests only from known clients and rejects all others, which substantially improves the overall security of the system.

Linkedin:

https://www.linkedin.com/in/sks336/

YouTube:

https://www.youtube.com/channel/UCHkwNRHcXizsBiPE0smkJAA
