3

I would like to make my Bluemix application (Liberty) access a remote REST API which is provided over SSL. I need to use the gateway's "TLS Mutual Auth option". But for now, to figure out whether I must use the "HTTPS option" or not when a remote REST API is provided over SSL, I tested two cases, HTTPS and TLS Server Auth. The HTTPS case resulted in success and the TLS Server Auth case resulted in failure.

Is the HTTPS option required when a remote REST API is HTTPS, in order to rewrite the HTTP header at SecureGatewayClient? Can't we protect the gateway with TLS Mutual Auth if this is correct?

1. HTTPS option: success
This case resulted in success.

2. TLS Server Auth option: failure
This case resulted in failure. I just changed the gateway's option from "HTTPS" to "TLS Server Auth", so the cause is not a misconfiguration.

[Bluemix Liberty application's log]
2015-07-01T04:17:58.64+0900 [RTR] OUT sampleapp.mybluemix.net
[30/06/2015:19:17:49 +0000] "GET /XXX HTTP/1.1" 200
2015-07-01T04:17:58.66+0900 [App/0] OUT res:404 Not Found: Requested route ('cloudhost:cloudport') does not exist.

[SG Client's log]
[2015-06-30 02:37:38.144] [INFO] Connection #32 is being established to remote REST API's host:443
[2015-06-30 02:37:38.227] [INFO] Connection #32 established to remote REST API's host:443
[2015-06-30 02:37:52.535] [INFO] Connection #32 to remote REST API's host:443 was closed


RandalAnders
shimac-jp

1 Answer

1

In response to this part of your post:

Is the HTTPS option required when a remote REST API is HTTPS in order to rewrite the HTTP header at SecureGatewayClient ?

Yes, HTTPS is required if connecting to an HTTPS remote REST API. Additionally, if you're connecting to a backend HTTPS server, you will need to enable client-side TLS.

The link below provides more info regarding securing a gateway in the Bluemix UI:

https://www.ng.bluemix.net/docs/services/SecureGateway/sg_022.html#sg_009

In response to this part of your post:

Can't we protect the gateway with TLS Mutual Auth?

Yes, you can use TLS:Mutual Auth, but you would also need to upload your own certificate or select auto-generate to automatically create a self-signed certificate/key pair that you can download along with the server certificate.

To use the certificates generated by selecting TLS:Mutual Auth, you will also need to configure your application-side TLS connection, and potentially your client-side TLS connection. Enabling TLS security between the client and your REST API is separate to application-side TLS. Application-side TLS secures access between your sample app and the secure gateway client defined. You can use client-side TLS connectivity independent of application-side TLS, vice versa, or together to provide complete security from your sample app to your REST API.

For more information regarding accessing the secure gateway, please see the link below:

https://www.ng.bluemix.net/docs/services/SecureGateway/sg_023.html

RandalAnders
  • Thank you for your reply. Your answer seems to differ from Alex's answer below. http://stackoverflow.com/questions/31150293/how-to-upload-the-certificate-for-client-tls-options-after-the-destination-was/31150689#31150689 – shimac-jp Jul 02 '15 at 02:03
  • If your on-prem application you are trying to connect to is an HTTPS REST API, you will need to enable Client TLS as well as either pick HTTP/HTTPS as the protocol. Picking HTTP/HTTPS as the protocol will rewrite the host header for you, and then client TLS will make sure the connection between the client and your on-prem REST API is TLS, not TCP. – Alex Yurkowski Jul 02 '15 at 14:11
  • Please see my revised post above. Thanks Alex for pointing out "enabling client TLS", I forgot about that. – RandalAnders Jul 02 '15 at 15:03
  • HTTPS + "enabling client TLS" worked well. But TLS: Server Side + "enabling client TLS" got an error. Must the protocol be HTTPS, not TLS: Server Side nor TLS: Mutual Auth, when the remote resource is an HTTPS REST API? – shimac-jp Jul 09 '15 at 07:02
  • If the remote resource is an HTTPS REST API, you will need to set the protocol to HTTP or HTTPS on the destination. This is because the TLS protocols do not attempt to rewrite the host header. – Alex Yurkowski Jul 09 '15 at 15:28
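
The Host-header behaviour described in the comments above, as an added example that is not part of the original thread and not Secure Gateway code. It is a simplified offline model: `relay_tls`, `relay_http` and `host_router` are hypothetical names, `api.onprem.example:443` is a constructed placeholder, and the assumption is that the remote REST API sits behind something that selects a route by Host header, which is what the 404 message in the question's log suggests.

```python
# Added illustration; hostnames are constructed placeholders, not from the page.
CLOUD_ENDPOINT = "cloudhost:cloudport"    # gateway address the Bluemix app calls
DESTINATION = "api.onprem.example:443"    # hypothetical on-prem REST API host

def build_request(path: str, host: str) -> bytes:
    """Raw HTTP/1.1 request as the app would send it to the gateway."""
    return f"GET {path} HTTP/1.1\r\nhost: {host}\r\nAccept: */*\r\n\r\n".encode()

def relay_tls(raw: bytes) -> bytes:
    """Model of a TLS destination: the request bytes are relayed unchanged."""
    return raw

def relay_http(raw: bytes, destination: str) -> bytes:
    """Model of an HTTP/HTTPS destination: Host is rewritten to the destination."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    request_line, *headers = head.split(b"\r\n")
    rewritten = [
        b"Host: " + destination.encode()
        if h.split(b":", 1)[0].strip().lower() == b"host" else h
        for h in headers
    ]
    return b"\r\n".join([request_line, *rewritten]) + sep + body

def host_router(raw: bytes, routes: dict) -> tuple:
    """Assumed front end of the REST API that picks a route by Host header."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    host = ""
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":   # header names are case-insensitive
            host = value.strip()
    if host not in routes:
        return 404, f"Requested route ('{host}') does not exist."
    return 200, routes[host]

def demo() -> dict:
    """Send the same request through both destination types."""
    routes = {DESTINATION: "ok"}
    request = build_request("/XXX", CLOUD_ENDPOINT)
    return {
        "tls": host_router(relay_tls(request), routes),
        "http": host_router(relay_http(request, DESTINATION), routes),
    }

if __name__ == "__main__":
    for mode, (status, detail) in demo().items():
        print(mode, status, detail)
```
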