Cloud Blog

Certificate-Based API Gateway to Backend Authentication

WSO2 API Cloud now officially supports Mutual SSL as one of the options for authenticating the API gateway to your backend service.

The way this works is illustrated in the diagram below.

The API Gateway in the cloud handles user requests, authenticates users via OAuth, enforces various policies, and so on. In turn, the gateway itself has to authenticate to the actual backend service. We have long supported several security mechanisms for that, including basic authentication, OAuth, IP whitelisting, and digest authentication. We are now adding mutual SSL authentication to the mix:

Mutual SSL authentication between gateway and backend


To set it up:

  1. Use the Support menu in API Cloud to create a request with the WSO2 Cloud team.
  2. Let us know your backend hostname.
  3. Once we respond via email, send us the backend certificate with which you want to configure mutual SSL (your_backend_cert.crt).
  4. Once we have this, we will add your certificate to our servers and send you our public certificate.
  5. Add WSO2 Cloud’s public certificate to your backend servers.
  6. Now you can use Mutual SSL Certificates as a way to secure your gateway to backend access.
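
What step 5 amounts to on the backend, as an added example that is not WSO2's code or part of the original post: a Python TLS server context that requires a client certificate and trusts only the gateway's public certificate. The certificates and the `*.example` names are constructed stand-ins generated with the `openssl` CLI (assumed to be installed), and the handshake runs in memory, so no network is needed.

```python
import os, ssl, subprocess, tempfile

def make_cert(d, name):
    """Constructed self-signed cert/key pair standing in for one party."""
    crt, key = os.path.join(d, name + ".crt"), os.path.join(d, name + ".key")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=" + name, "-addext", "subjectAltName=DNS:" + name,
                    "-keyout", key, "-out", crt], check=True, capture_output=True)
    return crt, key

def backend_context(crt, key, gateway_crt):
    """Backend side of step 5: require a client cert, trust only the gateway's."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)
    ctx.verify_mode = ssl.CERT_REQUIRED     # no client certificate, no session
    ctx.load_verify_locations(gateway_crt)  # the only accepted client identity
    return ctx

def client_context(backend_crt, identity=None):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies backend cert and hostname
    ctx.load_verify_locations(backend_crt)
    if identity:
        ctx.load_cert_chain(*identity)
    return ctx

def handshake_ok(server_ctx, client_ctx, hostname):
    """In-memory TLS handshake; True only if both sides complete it."""
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    pending = [client_ctx.wrap_bio(c_in, c_out, server_hostname=hostname),
               server_ctx.wrap_bio(s_in, s_out, server_side=True)]
    for _ in range(10):
        for side in list(pending):
            try:
                side.do_handshake()
                pending.remove(side)
            except ssl.SSLWantReadError:
                pass  # waiting for bytes from the peer
            except ssl.SSLError:
                return False  # e.g. missing or untrusted client certificate
        for src, dst in ((c_out, s_in), (s_out, c_in)):
            if src.pending:
                dst.write(src.read())
    return not pending

def demo():
    with tempfile.TemporaryDirectory() as d:
        backend, gateway, other = (make_cert(d, n + ".example") for n in ("backend", "gateway", "other"))
        server = backend_context(*backend, gateway_crt=gateway[0])
        return {who: handshake_ok(server, client_context(backend[0], ident), "backend.example")
                for who, ident in (("gateway", gateway), ("other", other), ("none", None))}
```

Only the caller holding the gateway's key pair completes the handshake; a client presenting a different certificate, or none at all, is rejected during the TLS handshake.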

If you have any questions, just contact us via the Support menu and we will be happy to help you out.

2 thoughts on “Certificate-Based API Gateway to Backend Authentication”

  1. How can I add SSL certificate in wso2 api manager?
    I have added in wso2carbon.jks, client-truststore.jks and cacerts.
    But still getting below error:
    Invalid. unable to find valid certification path to requested target

    Please reply.

    1. Hi, Komal,

      I am on the Cloud team so not the best person to comment on this one. If you are using WSO2 API Cloud – the cloud team is handling this as described in the blog post above. The cloud support team takes your certificate and information and provides you with ours for the backend configuration on your side.

      For your own deployments, you can use API Manager documentation, buy a support subscription, or ask questions on StackOverflow. I’ve also found this blog post, see if it helps:
