This blog describes the steps to configure an SSL certificate in an Oracle API Gateway node's trust store. This becomes necessary when the API gateway is installed in "Production" mode: without the SSL certificate you won't be able to deploy an API to the gateway node, because in Production mode the gateway must communicate with the APIP management tier over SSL. Another use case is when the backend service is SSL enabled.
Scenario #1: When the gateway is installed in Production mode (gatewayExecutionMode="Production"), it communicates with the APIP management tier over SSL.
Certain configurations need to be done in the gateway for a successful SSL handshake with the management tier. Before we jump into the gateway configuration, let's look at the types of certificates configured in the management tier.
Typically there are 2 types of digital certificates configured in the management tier.
(i) WebLogic self-signed certificate (provided by default as the WebLogic "demo" certificate; not recommended for a Production environment)
(ii) Custom CA-signed certificate (it is recommended that you replace the WebLogic demo cert with a CA-signed cert for production usage). To learn how to configure a CA-signed certificate, refer to the A-Team blog: http://www.ateam-oracle.com/api-platform-custom-host-name-and-certificate/
Now, let's see the kind of problems you may face in the absence of the certificate.
[08-08 04:43:25:ERROR oracle.apiplatform.gateway.controller.rest.ManagementRestMethods] Failed to GET from https://<API mgmt tier hostname>:443/apiplatform/gatewaymanager/v1/gateways/101/newdeployments
javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
What if the customer doesn't have a CA-signed certificate configured in the APIP management tier?
<Aug 9, 2018 5:20:40,037 PM GMT> <Warning> <Security> <BEA-090504> <Certificate chain received from oc-<OTD_IP_Address>.compute.oraclecloud.com -<OTD_IP_Address>failed hostname verification check. Certificate contained apics-lb-1 but check expected oc--<OTD_IP_Address>.compute.oraclecloud.com>
Note that this error is different from the previous SSL handshake exception, because, as mentioned earlier, the gateway performs 2 steps for SSL-based communication: the certificate check and hostname verification.
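As an added example (not code from the original post, and not part of Oracle's gateway tooling), the following Python script sorts gateway log lines into the two failure modes discussed above: a trust-store problem (the SSLHandshakeException raised on the call to the management tier) versus a hostname verification failure (the WebLogic BEA-090504 warning). The sample log lines are constructed here, modelled on the two messages quoted above; the host names, IP address and gateway id in them are placeholders, and the remediation strings are this example's own summaries of the two fixes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample log lines, modelled on the two failures quoted in the post.
# Host names, the IP address and the gateway id are placeholders, not real values.
SAMPLE_LOG = """\
[08-08 04:43:25:ERROR oracle.apiplatform.gateway.controller.rest.ManagementRestMethods] Failed to GET from https://mgmt.example.com:443/apiplatform/gatewaymanager/v1/gateways/101/newdeployments
javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
<Aug 9, 2018 5:20:40,037 PM GMT> <Warning> <Security> <BEA-090504> <Certificate chain received from mgmt.example.com - 10.0.0.5 failed hostname verification check. Certificate contained apics-lb-1 but check expected mgmt.example.com>
[08-08 04:45:00:INFO oracle.apiplatform.gateway.controller.rest.ManagementRestMethods] Polled https://mgmt.example.com:443/apiplatform/gatewaymanager/v1/gateways/101/newdeployments
"""

# A failed management-tier call; the Java exception follows on a later line.
FAILED_CALL_RE = re.compile(r"Failed to (?:GET|POST|PUT|DELETE) from (https://\S+)")
HANDSHAKE_RE = re.compile(r"javax\.net\.ssl\.SSLHandshakeException")
# WebLogic hostname verifier warning: names the cert's subject and the expected host.
HOSTNAME_RE = re.compile(
    r"<BEA-090504>.*Certificate contained (\S+) but check expected ([^>\s]+)")


@dataclass
class Finding:
    step: str                  # "certificate-check" or "hostname-verification"
    endpoint: str              # host[:port] the gateway was talking to
    presented: Optional[str]   # name found in the certificate (hostname step only)
    expected: Optional[str]    # name the gateway expected (hostname step only)
    remediation: str


def _host_port(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.hostname}:{parts.port}" if parts.port else str(parts.hostname)


def classify(log_text: str) -> List[Finding]:
    """Walk the log once and return one Finding per SSL failure, in order."""
    findings: List[Finding] = []
    pending_endpoint: Optional[str] = None   # endpoint of the last "Failed to ..." line
    for line in log_text.splitlines():
        m = FAILED_CALL_RE.search(line)
        if m:
            pending_endpoint = _host_port(m.group(1))
            continue
        if HANDSHAKE_RE.search(line):
            # Step 1 failed: the peer's chain does not lead to a trusted anchor
            # in the gateway node's trust store.
            findings.append(Finding(
                step="certificate-check",
                endpoint=pending_endpoint or "unknown endpoint",
                presented=None, expected=None,
                remediation=("import the endpoint's server or issuing CA certificate "
                             "into the gateway node trust store (e.g. with SSLImportUtility)"),
            ))
            pending_endpoint = None
            continue
        m = HOSTNAME_RE.search(line)
        if m:
            # Step 2 failed: the chain was trusted, but the certificate's name
            # does not match the host name the gateway connected to.
            presented, expected = m.groups()
            findings.append(Finding(
                step="hostname-verification",
                endpoint=expected,
                presented=presented, expected=expected,
                remediation=(f"present a certificate whose subject or SAN includes {expected!r}, "
                             "the name the gateway uses to reach the tier (see the A-Team "
                             "custom host name and certificate post)"),
            ))
    return findings


def report(findings: List[Finding]) -> List[str]:
    """One human-readable line per finding (returned, so callers can test it)."""
    return [f"{f.step}: endpoint={f.endpoint}; fix: {f.remediation}" for f in findings]


if __name__ == "__main__":
    for line in report(classify(SAMPLE_LOG)):
        print(line)
```

Run it against a gateway log (replace SAMPLE_LOG with the file contents) to see which of the two steps is failing before touching the trust store: a certificate-check finding means the chain is not trusted yet, while a hostname-verification finding means the chain is trusted and the fix lies in the certificate's name, not in importing more certificates.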
Scenario #2: Configure the certificate in the gateway node when the API consumes an SSL-enabled back-end service.
Here the process is exactly the same as in scenario #1 above. We just need to import the certificate used by the back-end service into the API gateway node. We can use the same SSLImportUtility to import the certificate, as discussed above.
Appendix - Gateway Lockdown
Since we are discussing the security configuration of a production gateway node, it reminds me of another recommendation: lock down the gateway. While it is a different topic from SSL, it is worth mentioning in the context of security.