How Do I Secure Microgateway Communication with Clients?
Secure Microgateway to enable various clients to communicate with the Microgateway instance over HTTPS. This use case explains how to secure Microgateway communication using HTTPS protocol with the existing server and client certificates.
The use case starts when you have a Microgateway instance to be secured using HTTPS and you have the required server and client certificates to secure the communication channel between Microgateway and the client. It ends when the secure channel is configured for communication between Microgateway and the client.
To secure Microgateway communication with clients
1. Configure keystore.
Ensure that the keystore with the required certificates is located at Install_dir/Microgateway/config/microgateway_keystore.jks. Open the system-settings.yml file and update the following information.
key_store:
  type: JKS
  provider: SUN
  location: config/microgateway_keystore.jks
  password: yourpwd
You can use the default keystore or any other custom keystore.
2. Configure the HTTPS port in Microgateway using the following parameters in the config.yml file:
Use the key_alias parameter to force the use of a dedicated certificate when the keystore contains multiple certificates. For example, to configure the HTTPS port as 9093 and use the certificate microgateway_cert, the entry in the config.yml file should be as follows:
ports:
  https: 9093
  key_alias: microgateway_cert
need_client_auth. Specifies whether Microgateway requires the client to present a certificate during the TLS handshake (mutual TLS); clients without one are rejected. The default value is false.
want_client_auth. Specifies whether Microgateway requests a client certificate but still accepts clients that present none. The default value is false.
crl_path. Specifies the path to the certificate revocation list file, located at Install_dir/config/, used for SSL certificate validation.
max_cert_path_length. Specifies the maximum number of intermediate certificates allowed in a certificate chain. The default value is -1, which denotes unlimited.
3. Configure truststore.
Microgateway works with one single truststore for all purposes. Manage this truststore with an entry in config/system-settings.yml, similar to the keystore definition, as follows:
trust_store:
  type: JKS
  provider: SUN
  location: config/truststore.jks
  password: <pwd>
4. Enable host name verification.
Set the global SSL setting to default:
ssl_options:
  host_name_verifier: default # none can be specified to deactivate hostname verification
The available values are:
default: Provide this value to enable host name verification.
none: Provide this value to disable host name verification.
The default value is none.
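As an added example (not part of the Microgateway documentation), the following check reviews the HTTPS-related settings from steps 2 and 4 for weak or inconsistent values before a configuration is rolled out. It assumes config.yml has already been loaded into a dict by a YAML parser; the two configurations and the keystore alias list are constructed samples.

```python
# Added example, not Microgateway's own code: lint the HTTPS settings from
# config.yml for weak or inconsistent values. The dicts below are constructed
# samples shaped like the YAML shown in the procedure, as a YAML loader
# (e.g. PyYAML) would return them.

WEAK_CONFIG = {
    "ports": {"https": 9093},
    "ssl_options": {"host_name_verifier": "none"},
}
HARDENED_CONFIG = {
    "ports": {"https": 9093, "key_alias": "microgateway_cert",
              "need_client_auth": True, "crl_path": "config/microgateway.crl",
              "max_cert_path_length": 3},
    "ssl_options": {"host_name_verifier": "default"},
}

def lint_https_settings(config, keystore_aliases):
    """Return a list of findings; an empty list means nothing was flagged.
    keystore_aliases is the list of entries in microgateway_keystore.jks."""
    findings = []
    ports = config.get("ports", {})
    ssl = config.get("ssl_options", {})
    https = ports.get("https")
    if not isinstance(https, int) or not 1 <= https <= 65535:
        findings.append("ports.https: missing or not a valid TCP port")
    # With several certificates in the keystore, key_alias pins the one served.
    alias = ports.get("key_alias")
    if len(keystore_aliases) > 1 and not alias:
        findings.append("ports.key_alias: keystore has several entries but no alias is pinned")
    elif alias and alias not in keystore_aliases:
        findings.append(f"ports.key_alias: '{alias}' is not in the keystore")
    # need_client_auth enforces mutual TLS; want_client_auth only requests a cert.
    if not ports.get("need_client_auth", False):
        findings.append("ports.need_client_auth is false: clients need not present a certificate")
    # Without a CRL, revoked client certificates are still accepted.
    if ports.get("crl_path") is None:
        findings.append("ports.crl_path: no certificate revocation list configured")
    if ports.get("max_cert_path_length", -1) == -1:
        findings.append("ports.max_cert_path_length is -1: unlimited chain depth")
    # The documented default is 'none', so an absent key means verification is off.
    if ssl.get("host_name_verifier", "none") != "default":
        findings.append("ssl_options.host_name_verifier is not 'default': hostname verification is off")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, lint_https_settings(cfg, ["microgateway_cert", "other"]))
```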