Updated on 2025-01-24 GMT+08:00

Configuring One-Way or Two-Way Authentication Between the Dedicated Gateway and Client

Scenario

If the API frontend uses HTTPS, you must add an SSL certificate for the independent domain name bound to the API group. The SSL certificate is used for data encryption and identity authentication. If the SSL certificate includes a CA certificate, client authentication (two-way authentication) is enabled by default when the certificate is bound to the domain name; otherwise, one-way authentication is used.

  • One-way authentication: When a client connects to the server, only the client verifies the validity of the server's SSL certificate. The server does not check who the client is.
  • Two-way authentication: When a client connects to the server, the client verifies the server's SSL certificate, and the server verifies the client's certificate against the configured CA certificate. A client that does not present a certificate chaining to that CA cannot complete the TLS handshake.

General Procedure

Dedicated gateways support both one-way and two-way authentication, and the procedure is the same for both modes. The following uses one-way authentication as an example. For details about two-way authentication, see Two-Way Authentication.

  1. Create an SSL certificate.

    An SSL certificate is used for data encryption and identity authentication.

  2. Bind a domain name.

    Bind a licensed independent domain name that already resolves to the gateway to the group to which the API belongs.

  3. Bind a certificate.

    Bind the independent domain name to the created SSL certificate.

  4. Call the API.

    Check whether the API call is successful.

One-Way Authentication

  1. Log in to the APIG console.
  2. Select a gateway at the top of the navigation pane.
  3. Create an SSL certificate.

    1. In the navigation pane, choose API Management > API Policies.
    2. On the SSL Certificates tab, click Create SSL Certificate.
      Table 1 Certificate configuration for one-way authentication

      Name: Enter a certificate name.

      Instances Covered: Select Current.

      Content: Paste the PEM-encoded server certificate, for example:

      -----BEGIN CERTIFICATE-----
      MIICXgIBAAKBgQC6ndRHy5Dv5TcZiVzT6qF
      iaMGy61ZIbUrmBhUn61vMdvOHmtblST+fSl
      ZheNAcv2hQR4aqJLi4wrcerTaRyG9op3OSh...
      -----END CERTIFICATE-----

      Key: Paste the PEM-encoded private key that matches the certificate, for example:

      -----BEGIN RSA PRIVATE KEY-----
      MIICXgIBAAKBgQC6ndRHy5Dv5TcZiVzT6qF
      iaMGy61ZIbUrmBhUn61vMdvOHmtblST+fSl
      ZheNAcv2hQR4aqJLi4wrcerTaRyG9op3OSh...
      -----END RSA PRIVATE KEY-----

      CA: Leave this field empty. No CA certificate is required for one-way authentication.

    3. Click OK.

  4. Bind a domain name.

    1. In the navigation pane, choose API Management > API Groups.
    2. Click the name of the group to which the API belongs. The group details page is displayed.
    3. On the Group Information tab page, click Bind Independent Domain Name.
      Table 2 Independent domain name configuration

      Domain Name: Enter a licensed domain name.

      Minimum TLS Version: Select TLS1.2. Clients that only support TLS 1.0 or 1.1 are then refused.

      HTTP-to-HTTPS Auto Redirection: Disabled by default.

    4. Click OK.

  5. Bind a certificate.

    1. In the row that contains the domain name, click Select SSL Certificate.
    2. Select the created certificate and click OK. Leave Client Authentication disabled for one-way authentication; enabling it makes the gateway demand a client certificate.

  6. Call the API.

    Use the API test tool to call the API. If the status code is 200, the API is successfully called. Otherwise, rectify the fault by following the instructions provided in Error Codes.

Two-Way Authentication

  1. In the navigation pane, choose API Management > API Policies. On the SSL Certificates tab, click Create SSL Certificate.

    Table 3 Certificate configuration for two-way authentication

    Name: Enter a certificate name.

    Instances Covered: Select Current.

    Content: Paste the PEM-encoded server certificate, for example:

    -----BEGIN CERTIFICATE-----
    MIICXgIBAAKBgQC6ndRHy5Dv5TcZiVzT6qF
    iaMGy61ZIbUrmBhUn61vMdvOHmtblST+fSl
    ZheNAcv2hQR4aqJLi4wrcerTaRyG9op3OSh...
    -----END CERTIFICATE-----

    Key: Paste the PEM-encoded private key that matches the certificate, for example:

    -----BEGIN RSA PRIVATE KEY-----
    MIICXgIBAAKBgQC6ndRHy5Dv5TcZiVzT6qF
    iaMGy61ZIbUrmBhUn61vMdvOHmtblST+fSl
    ZheNAcv2hQR4aqJLi4wrcerTaRyG9op3OSh...
    -----END RSA PRIVATE KEY-----

    CA: Paste the PEM-encoded certificate of the CA that issued the client certificates. The gateway accepts only clients whose certificate chains to this CA. After the CA certificate is configured, bind the SSL certificate to the independent domain name and enable Client Authentication.

    -----BEGIN CERTIFICATE-----
    MIICXgIBAAKBgQC6ndRHy5Dv5TcZiVzT6qF
    iaMGy61ZIbUrmBhUn61vMdvOHmtblST+fSl
    ZheNAcv2hQR4aqJLi4wrcerTaRyG9op3OSh...
    -----END CERTIFICATE-----

  2. Click OK.
  3. Bind a domain name.

    1. In the navigation pane, choose API Management > API Groups.
    2. Click the name of the group to which the API belongs. The group details page is displayed.
    3. On the Group Information tab page, click Bind Independent Domain Name.
      Table 4 Independent domain name configuration

      Domain Name: Enter a licensed domain name.

      Minimum TLS Version: Select TLS1.2. Clients that only support TLS 1.0 or 1.1 are then refused.

      HTTP-to-HTTPS Auto Redirection: Disabled by default.

    4. Click OK.

  4. Bind a certificate.

    1. In the row that contains the domain name, click Select SSL Certificate.
    2. Select the created certificate, select Enable Client Authentication, and click OK.

  5. Call the API.

    Use the API test tool to call the API. If the status code is 200, the API is successfully called. Otherwise, rectify the fault by following the instructions provided in Error Codes.

    To access APIs bound to this domain name, the client must present a client certificate issued by the CA configured in the SSL certificate, together with the matching private key. A client that presents no certificate, or one from a different CA, fails at the TLS handshake and never receives an HTTP status code.

    If Postman is used to call APIs, add the client certificate and key under Settings > Certificates for the API domain name. Other clients need the equivalent, for example curl's --cert and --key options.
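The following Go program is an added example; it is not part of this page and not APIG code. It reproduces both modes locally so that the behaviour described in the one-way and two-way procedures can be observed without a gateway. It mints throwaway CAs and certificates (the names Server Root CA, Client Root CA, Unrelated CA, api.example.com, client-01 and client-02 are invented for the example), stands up a loopback HTTPS server in place of the gateway, once with client authentication disabled and once with it enabled with a client CA, and then calls each the way an API client would: trusting or not trusting the gateway's CA, and with no client certificate, a certificate from the configured CA, or a certificate from an unrelated CA. Only the Go standard library is used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// mint issues a certificate for cn with a fresh Ed25519 key: a self-signed CA when parent
// is nil, otherwise a leaf signed by parent with a 127.0.0.1 SAN (the stub gateway's address).
func mint(cn string, parent *tls.Certificate) tls.Certificate {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable randomness: nothing sensible to do in a demo
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: parent == nil, KeyUsage: x509.KeyUsageCertSign,
	}
	signerCert, signerKey := tmpl, priv // self-signed unless a parent is given
	if parent != nil {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.IPAddresses = []net.IP{net.ParseIP("127.0.0.1")}
		signerCert, signerKey = parent.Leaf, parent.PrivateKey.(ed25519.PrivateKey)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, pub, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // der was just produced by CreateCertificate, so it parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}

// newGateway starts a loopback HTTPS server presenting serverCert (the gateway's bound SSL
// certificate). Passing a clientCA enables two-way TLS: the server then requires a client
// certificate chaining to it, which is what Enable Client Authentication turns on.
func newGateway(serverCert, clientCA tls.Certificate) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{serverCert}}
	if clientCA.Leaf != nil {
		srv.TLS.ClientAuth, srv.TLS.ClientCAs = tls.RequireAndVerifyClientCert, x509.NewCertPool()
		srv.TLS.ClientCAs.AddCert(clientCA.Leaf)
	}
	srv.StartTLS()
	return srv
}

// call plays the API client: it verifies the gateway certificate against ca (one-way) and
// presents clientCert, if set, when the gateway asks for one (two-way). nil means HTTP 200.
func call(gw *httptest.Server, ca, clientCert tls.Certificate) error {
	cfg := &tls.Config{RootCAs: x509.NewCertPool(), MinVersion: tls.VersionTLS12}
	cfg.RootCAs.AddCert(ca.Leaf)
	if clientCert.Leaf != nil {
		cfg.Certificates = []tls.Certificate{clientCert}
	}
	hc := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	defer hc.CloseIdleConnections()
	resp, err := hc.Get(gw.URL)
	if err != nil {
		return err // certificate verification and handshake failures surface here, not as a status
	}
	resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	return nil
}

// RunScenarios mints a server CA, a client CA (what goes into the "CA" field of the SSL
// certificate) and an unrelated CA, then calls a one-way and a two-way gateway.
func RunScenarios() map[string]error {
	serverCA, clientCA, otherCA := mint("Server Root CA", nil), mint("Client Root CA", nil), mint("Unrelated CA", nil)
	server := mint("api.example.com", &serverCA) // hypothetical API domain name
	none := tls.Certificate{}
	oneWay, twoWay := newGateway(server, none), newGateway(server, clientCA)
	defer oneWay.Close()
	defer twoWay.Close()
	return map[string]error{
		"one-way, client trusts the gateway CA":       call(oneWay, serverCA, none),
		"one-way, client trusts only an unrelated CA":  call(oneWay, otherCA, none),
		"two-way, client sends no certificate":         call(twoWay, serverCA, none),
		"two-way, client cert from the configured CA":  call(twoWay, serverCA, mint("client-01", &clientCA)),
		"two-way, client cert from an unrelated CA":    call(twoWay, serverCA, mint("client-02", &otherCA)),
	}
}

func main() { fmt.Println(RunScenarios()) }
```

Run it with go run; each scenario prints nil when the call returned 200 and the TLS error otherwise. The two failing two-way cases and the untrusted-gateway case never produce an HTTP status at all: the connection is rejected during the handshake. When an API test tool reports only a connection error rather than a status code, a certificate problem on one side or the other is the first thing to check.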