I am trying to establish mutual X.509 certificate authentication between the MQTT client and AWS IoT.
On the X.509 Certificates and AWS IoT page, it is mentioned that one can
reference the CA root certificate in your device code when you connect to AWS IoT. For more information, see the AWS IoT Device SDKs.
However, when I look through the documentation for the Java SDK as well as the API documentation, I see no mention of how to do this. I have downloaded the CA Certificate, but I do not see where I can pass this in when setting up the AWSIoTMqttClient():
this.client = new AWSIotMqttClient(clientEndpoint, clientId, pair.keyStore, pair.keyPassword);
Could someone please point me in the right direction?
Related
We have multiple device which access microservice via Azure APIM. Each device has wrapper, for example Mobile wrapper which access microservice. Now i want to do mutual certificate authentication in order to restrict mobile wrapper accessing microservice directly via APIM. Hence we decided to install client certificate at mobile wrapper which is hosted on Azure Appservice and server certificate at Azure APIM to do authentication before connecting to microservices. Similarly we have multiple client certificate for individual device wrapper like whatsapp bot, FB etc which will be interacting with APIM. My question is if this approach is feasible from architecture perspective.
Sure that would work, just make sure that you actually test for a client certificate in APIM policy (context.Request.ClientCertificates) and validate them somehow. You could compare thumbprint to a predefined hardcoded value, or call .Validate on a certificate if all of them are issued by limited number of CA, and CA cert is uploaded into APIM.
Can we authenticate against OpenShift enterprise 3.2 or 3.3 REST API's using username and password instead of tokens?
Thanks much in advance!
As stated in openshift documentation:
Requests to the OpenShift Container Platform API are authenticated using the following methods:
OAuth Access Tokens
Obtained from the OpenShift Container Platform OAuth server using the /oauth/authorize and /oauth/token endpoints.
Sent as an Authorization: Bearer… header or an access_token=… query parameter
X.509 Client Certificates
Requires a HTTPS connection to the API server.
Verified by the API server against a trusted certificate authority bundle.
So you need to authenticate using either of these ways
I have a scalable application on elastic beanstalk running on Tomcat. I read that in front of Tomcat there is an Apache server for reverse proxy. I guess I have to install on apache the client certificate and configure it to accept only request encrypted by this certificate, but I have no idea how to do that.
Can you help me?
After many researches I found a solution. According to the difficult to discover it I want share with you my experience.
My platform on elastic beanstalk is Tomcat 8 with load balancer.
To use the client certificate (at the moment I was writing) you have to terminate the https on instance
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-singleinstance.html
then
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-singleinstance-tomcat.html
I used this configuration to use both client and server certificates (seems that it doesn't work only with client certificate)
SSLEngine on
SSLCertificateFile "/etc/pki/tls/certs/server.crt"
SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
SSLCertificateChainFile "/etc/pki/tls/certs/GandiStandardSSLCA2.pem"
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile "/etc/pki/tls/certs/client.crt"
And last thing: api gateway doesn't work with self signed cerificate (thanks to Client certificates with AWS API Gateway), so you have to buy one from a CA.
SSLCACertificateFile "/etc/pki/tls/certs/client.crt"
This is where you should point the API Gateway provided client side certificate.
You might have to configure the ELB's listener for vanilla TCP on the same port instead of HTTPS. Basically TCP pass through at your ELB, your instance needs to handle on the SSL in order to authorize the requests which provided a valid client certificate.
I have Google Cloud project consisting of a compute engine instance which I want to configure as a push subscriber of Cloud Pub/Sub service. I have setup an apache webserver with a self-signed certificate on the instance and have also made a DNS entry (abc.mydomain.com) which points to the instance which has a static IP address. I am already a verified owner of the domain (mydomain.com) on webmasters.
Whenever I add the subscription from the Cloud console, it fails with the error: "The subscription could not be added" and does not show any other useful information.
Please help.
Self-signed certificates are not supported.
There are few options for you:
Pay for the certificate
Use App Engine as a proxy
Use pull subscriptions
Use App Engine Managed VM
The last one is basically a Compute Engine instance, but you will get free https connection via a subdomain of appspot.com.
I'm using the API Gateway service to manage my spring boot resources. I want to point the gateway to my sub-domain. I tried adding it to alias in Route 53 but it does not work. There's an option in the API Gateway console which asks for my domain and some credentials. I don't know if a sub-domain can work and what should i add to certificate input. Probably it is asking for an SSL certificate and I am ready to purchase one, but before i do that, i want to be sure that it accepts sub-domains.
Yes, API Gateway supports subdomains. You can try with self-signed certificate and see the options.
See the official documentation on using Custom Domain Names in API Gateway.