search

Axway-API-Management-Plus / apim-cli

Axway API-Management CLI - Manage your platform from the command line or with your CI/CD pipeline
Apache License 2.0
44 stars 17 forks source link

Need to Provide a Certificate to Import a SOAP API #249

Closed avoketaitis closed 2 years ago

avoketaitis commented 2 years ago

API-Manager CLI Version 1.6.1

API-Manager and Service-Pack Version 7.7.20200730

Question I am attempting to import a SOAP API. The site that is serving the WSDL requires a certificate. I do not see a way to specify a certificate in the configuration settings file or any other means of specifying a certificate. Just to clarify, if I were to 'curl' the WSDL, I would need to provide my cacert, key, and cert using the --cacert, --key, and --cert options. I need to be able to provide these when running apim-cli so that it doesn't get a 403 access denied when importing the WSDL.

What I've tried so far

Additional information

cwiechmann commented 2 years ago

Is my understanding correct, that the site requires a Client-Certificate just to access the WSDL?

avoketaitis commented 2 years ago

Yes. That is correct!

From: Chris Wiechmann @.> Sent: Thursday, December 23, 2021 2:04 AM To: Axway-API-Management-Plus/apim-cli @.> Cc: Arnie Voketaitis @.>; Author @.> Subject: Re: [Axway-API-Management-Plus/apim-cli] Need to Provide a Certificate to Import a SOAP API (Issue #249)

This email was sent from an external server

Is my understanding correct, that the site requires a Client-Certificate just to access the WSDL?

— Reply to this email directly, view it on GitHubhttps://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_Axway-2DAPI-2DManagement-2DPlus_apim-2Dcli_issues_249-23issuecomment-2D1000089865&d=DwMCaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=p0_hj1z412k-GXFNEIvm3egfp4DqOm1yoGfjX-UnM3E&m=MUbYKE-DePta5cGhdLWW8lbjuMawPIR2SiTy9gBnpJY&s=GibTfzufYe8gU3gEA_MVKz8EkN2RJjj7aeBPoU7zVmk&e=, or unsubscribehttps://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_AXATMOSOR53UDIB6Y64ZTLTUSLCXBANCNFSM5KTJY2CA&d=DwMCaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=p0_hj1z412k-GXFNEIvm3egfp4DqOm1yoGfjX-UnM3E&m=MUbYKE-DePta5cGhdLWW8lbjuMawPIR2SiTy9gBnpJY&s=5lAS8l4EsDgRv6f9vgppIVE--QZgRtxrZyrv7mN7szo&e=. Triage notifications on the go with GitHub Mobile for iOShttps://urldefense.proofpoint.com/v2/url?u=https-3A__apps.apple.com_app_apple-2Dstore_id1477376905-3Fct-3Dnotification-2Demail-26mt-3D8-26pt-3D524675&d=DwMCaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=p0_hj1z412k-GXFNEIvm3egfp4DqOm1yoGfjX-UnM3E&m=MUbYKE-DePta5cGhdLWW8lbjuMawPIR2SiTy9gBnpJY&s=mf7ZHlFyZQXasSe0KlMpJUUvqeLw0sa7r2FSTK_a2no&e= or Androidhttps://urldefense.proofpoint.com/v2/url?u=https-3A__play.google.com_store_apps_details-3Fid-3Dcom.github.android-26referrer-3Dutm-5Fcampaign-253Dnotification-2Demail-2526utm-5Fmedium-253Demail-2526utm-5Fsource-253Dgithub&d=DwMCaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=p0_hj1z412k-GXFNEIvm3egfp4DqOm1yoGfjX-UnM3E&m=MUbYKE-DePta5cGhdLWW8lbjuMawPIR2SiTy9gBnpJY&s=_6DRBhMHFTml4OIQEWa_Xag2_znkF_DbsElVovCPIto&e=. You are receiving this because you authored the thread.Message ID: @.***>

This email has been scanned for spam and viruses by Proofpoint Essentials. Click herehttps://us3.proofpointessentials.com/index01.php?mod_id=11&mod_option=logitem&mail_id=1640243057-FybFDf72aOJg&r_address=avoketaitis%40bainova.com&report=1 to report this email as spam.

cwiechmann commented 2 years ago

I'm afraid, but this is unfortunately not possible as the CLI is not downloading the WSDL itself.

As you know, the API-Manager only supports the import of the WSDL from a URL. Therefore, when importing a SOAP-Service, the CLI tells the API-Manager to import it from the configured location. This is btw different to the OpenAPI/Swagger import where the CLI imports it from the local file system.

Hence, for the WSDL-Import, the CLI has no control about the connection established by the API-Manager to the WSDL-Server and cannot configure any client certificates.

I'm really sorry, but I don't see any way to solve this.

avoketaitis commented 2 years ago

I would like to suggest an alternative. I am able to manually import the WSDL into my Policy Studio API Repository and then create a backend API in API Manager using 'Import from Topology'. Could you enhance apim-cli to support this feature as a means of importing APIs?

From: Chris Wiechmann @.> Sent: Thursday, December 23, 2021 8:42 AM To: Axway-API-Management-Plus/apim-cli @.> Cc: Arnie Voketaitis @.>; Author @.> Subject: Re: [Axway-API-Management-Plus/apim-cli] Need to Provide a Certificate to Import a SOAP API (Issue #249)

This email was sent from an external server

I'm afraid, but this is unfortunately not possible as the CLI is not downloading the WSDL itself.

As you know, the API-Manager only supports the import of the WSDL from a URL. Therefore, when importing a SOAP-Service, the CLI tells the API-Manager to import it from the configured location. This is btw different to the OpenAPI/Swagger import where the CLI imports it from the local file system.

Hence, for the WSDL-Import the CLI has no control about the connection established by the API-Manager to the WSDL-Server.

I'm really sorry, but I don't see any way to solve this.

— Reply to this email directly, view it on GitHubhttps://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_Axway-2DAPI-2DManagement-2DPlus_apim-2Dcli_issues_249-23issuecomment-2D1000313544&d=DwMCaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=p0_hj1z412k-GXFNEIvm3egfp4DqOm1yoGfjX-UnM3E&m=TI_LDAoVBIW6ixMT-jCvpeuOa5nQc6Skh8XwRcL4vTo&s=Ub3E_09ifnmUThLI782c9mmcSwppJvTNIR_nPXsgw8k&e=, or unsubscribehttps://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_AXATMORHIJZE6HRXSPQS2LLUSMRKXANCNFSM5KTJY2CA&d=DwMCaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=p0_hj1z412k-GXFNEIvm3egfp4DqOm1yoGfjX-UnM3E&m=TI_LDAoVBIW6ixMT-jCvpeuOa5nQc6Skh8XwRcL4vTo&s=peOXL_Jbak28LXhCojrgCuJLwLTfe1efVxWEbPLe1jM&e=. Triage notifications on the go with GitHub Mobile for iOShttps://urldefense.proofpoint.com/v2/url?u=https-3A__apps.apple.com_app_apple-2Dstore_id1477376905-3Fct-3Dnotification-2Demail-26mt-3D8-26pt-3D524675&d=DwMCaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=p0_hj1z412k-GXFNEIvm3egfp4DqOm1yoGfjX-UnM3E&m=TI_LDAoVBIW6ixMT-jCvpeuOa5nQc6Skh8XwRcL4vTo&s=U6ERzIzLTe-FCvJkdt4h37yAKhVIzxgXMR3xKYCartg&e= or Androidhttps://urldefense.proofpoint.com/v2/url?u=https-3A__play.google.com_store_apps_details-3Fid-3Dcom.github.android-26referrer-3Dutm-5Fcampaign-253Dnotification-2Demail-2526utm-5Fmedium-253Demail-2526utm-5Fsource-253Dgithub&d=DwMCaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=p0_hj1z412k-GXFNEIvm3egfp4DqOm1yoGfjX-UnM3E&m=TI_LDAoVBIW6ixMT-jCvpeuOa5nQc6Skh8XwRcL4vTo&s=iYeklSxc_jm0engE8_v7clt7oXWOSa92ImE76jTMF8Y&e=. You are receiving this because you authored the thread.Message ID: @.***>

This email has been scanned for spam and viruses by Proofpoint Essentials. Click herehttps://us3.proofpointessentials.com/index01.php?mod_id=11&mod_option=logitem&mail_id=1640266924-IA-H4YBrsphI&r_address=avoketaitis%40bainova.com&report=1 to report this email as spam.

cwiechmann commented 2 years ago

Hi @avoketaitis, Yes, that might work. I checked the response from the ANM for the WSDL-Discovery and got the following example:

[
    {
        "id": "<key type='WebServiceRepository'><id field='name' value='Web Service Repository'/><key type='WebServiceGroup'><id field='name' value='Web Services'/><key type='WebService'><id field='name' value='BankingServices'/></key></key></key>",
        "deprecated": false,
        "apiVersion": "1.0",
        "swaggerVersion": "1.1",
        "basePath": "http://172.20.0.1:8080/BankingDemo.asmx?WSDL",
        "resourcePath": "",
        "models": {},
        "consumes": [],
        "produces": [],
        "name": "BankingServices",
        "basePaths": [
            "http://172.20.0.1:8080/BankingDemo.asmx?WSDL"
        ],
        "image": "",
        "state": "published",
        "cors": false,
        "expired": false,
        "retirementDate": 0,
        "retired": false,
        "tags": {},
        "availableApiDefinitions": {
            "Swagger 1.1": "/discovery/swagger/api/id/%3Ckey%20type='WebServiceRepository'%3E%3Cid%20field='name'%20value='Web%20Service%20Repository'/%3E%3Ckey%20type='WebServiceGroup'%3E%3Cid%20field='name'%20value='Web%20Services'/%3E%3Ckey%20type='WebService'%3E%3Cid%20field='name'%20value='BankingServices'/%3E%3C/key%3E%3C/key%3E%3C/key%3E?swaggerVersion=1.1&filename=BankingServices.json"
        },
        "availableSDK": {},
        "apis": [],
        "accessGrantedDate": 0,
        "type": "wsdl"
    }
]

In order to tell the APIM-CLI to load the API from the ANM the API-Definition/API-Specification must be configured differently. As a refactoring for the apiDefinition is planned anyway to support filters (#223), it might look like this:

{
  "name" : "My Banking Services",
  "path" : "/banking/demo",
  "state" : "published",
  "version" : "2.0",
  "organization" : "API Development",
  "apiSpecification" : { 
    "type": "topologyWSDL",
    "name": "BankingServices"  <<< Must be the name as returned by the discovery response
   },
  ....
  ..

Additionally, it would be required to authenticate with the ANM, which is not yet the case.

This is a considerable amount of work and it is not guaranteed, this gets finally implemented as the use-case pops up very rarely.

cwiechmann commented 2 years ago

I'm afraid I see no bandwidth to implement this requirement and I don't want give wrong expectations here, therefore I'm closing this issue now.