Are you using an API gateway to ensure solid security for your APIs? Or a microservices API gateway to do the same for all those handy services in your backend? If so, you’ll need to know about securing your API gateway with Transport Layer Security (TLS). Read on for answers to all your burning API gateway TLS questions!
What is API gateway TLS?
Before we look at API gateway TLS, let’s take a step back and look at what TLS is.
TLS is a cryptographic protocol that is the successor to the deprecated Secure Sockets Layer (SSL) protocol. It uses data encryption to provide security for the connections between different elements of computer networks, such as web servers and web applications. A TLS listener handles incoming connections that use TLS. When the different network elements exchange data, the TLS protocol keeps that data safe and secure.
In the context of an API gateway, TLS can secure downstream communications between clients and the gateway. It can also secure upstream communications between the gateway, the APIs, and the backend services behind it. It does so using encryption so that the data is unreadable to anyone who does not have the proper decryption keys. TLS also uses an authentication handshake mechanism so that both clients and servers authenticate each other. In addition, TLS data integrity checks confirm that data has not been modified during transmission.
Benefits of using TLS for API gateway
We’ll dive into the details of API gateway certificate creation in a moment, but first, let’s consider the benefits of using API gateway TLS.
The data encryption that TLS provides is a clear win in terms of confidentiality. Let’s consider the banking sector. According to Akamai’s High Stakes of Innovation: Attack Trends in Financial Services report, web application and API attacks against the global financial services industry were 65% higher in Q2 2023 than in Q2 2022. Keeping data safe in transit by ensuring it can’t be read even if it is intercepted, thus protecting against eavesdropping attacks, is clearly a priority in such circumstances.
Data encryption achieved through TLS can also help organisations comply with legal and regulatory requirements – another plus point for securing your API gateway with TLS.
Data integrity is another benefit of TLS API security, as the recipient can be sure that data hasn’t been tampered with while in transit. Mutual TLS authentication adds to the peace of mind, as authenticating both parties helps prevent man-in-the-middle attacks.
There is an element of future-proofing that comes with using API gateway TLS as well. Security threats continue to evolve, but as TLS is updated and improved regularly, you can stay one step ahead as new threats emerge by using the latest TLS version.
Creating certificates for API gateway TLS
Key to the successful working of TLS is the API gateway client certificate. Certificates are a fundamental part of how mutual TLS (mTLS) authentication works, with both parties’ TLS certificates providing information required for successful verification.
With API gateway mutual TLS in place, the handshake element of the process can proceed smoothly. It enables clients to ensure they are connecting to the legitimate gateway, building trust in the process. Indeed, API gateway mTLS is often used in zero-trust environments – something that many organisations embrace when securing their path to revenue growth.
You can create a list of trusted certificates as part of your API gateway mTLS setup. Using the example of Tyk API Gateway, you can set up TLS and mTLS connections, with all TLS connections also supporting HTTP/2. Tyk also supports Let’s Encrypt if you need to use a public certificate authority. You can use certificate pinning so that only certificates generated from specified public keys are accepted. This means you will be protected in case an upstream certificate is compromised. You can define upstream certificates on the API definition level or use the gateway configuration file to do so globally.
With Tyk, you also have a range of options for managing self-signed certificates, with best practice dictating that you store certificates locally in the standard certificate store.
Speaking more generally, if you need to create a certificate for API gateway TLS, decide whether to use a public certificate authority or set up your private certificate authority. The latter gives you greater control (but also requires a greater degree of management). Next, generate a certificate signing request on the server hosting your API gateway. The request includes the public key that the certificate will include.
If you’re using a public certificate authority, you’ll need to submit the certificate signing request to them and follow their instructions at this stage so that they validate your request. If you’re using a private certificate authority, it will sign the certificate using a private key.
You can now install the TLS certificate on your API gateway server.
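As an added example (not code from this article or from Tyk), the Go program below covers the certificate signing request step described above: the gateway host generates a key pair and a CSR, and the certificate authority checks the request before it signs anything. The host name `gateway.example.internal` and the function names `NewCSR` and `CheckCSR` are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// NewCSR runs on the gateway host. The private key it returns stays there; only the CSR is sent on.
func NewCSR(host string) (csrDER []byte, key *ecdsa.PrivateKey, err error) {
	key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}
	csrDER, err = x509.CreateCertificateRequest(rand.Reader, req, key)
	return csrDER, key, err
}

// CheckCSR is the CA's check before signing; it returns the public key the certificate will carry.
func CheckCSR(csrDER []byte, allowedHost string) (*ecdsa.PublicKey, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof that the requester holds the private key
		return nil, fmt.Errorf("CSR not signed by the key it contains: %w", err)
	}
	if len(csr.DNSNames) != 1 || csr.DNSNames[0] != allowedHost {
		return nil, fmt.Errorf("CSR asks for %v, expected only %q", csr.DNSNames, allowedHost)
	}
	pub, ok := csr.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("unexpected key type %T", csr.PublicKey)
	}
	return pub, nil
}

func main() {
	csrDER, key, err := NewCSR("gateway.example.internal") // constructed host name
	if err != nil {
		panic(err)
	}
	pub, err := CheckCSR(csrDER, "gateway.example.internal")
	fmt.Println("CSR accepted:", err == nil, "public key matches:", err == nil && pub.Equal(&key.PublicKey))
}
```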
Configuring API gateway for TLS
Installing an API gateway TLS certificate means you’ll need to add the certificate and private key files to your server’s configuration and then update the gateway’s configuration. This involves specifying the certificate and private key files and configuring the TLS settings. This is where you can specify things like TLS version, protocols and ciphersuites. Note that TLS 1.3 (the latest TLS version at the time of writing) doesn’t support cipher selection.
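An added example, not taken from the original post or from Tyk's code: a Go function that reviews the TLS settings named above (minimum version, cipher suites, client certificate verification) using the standard `crypto/tls` package, with a weak configuration beside a corrected one. `Audit`, `WeakConfig` and `HardenedConfig` are names chosen for the example, the empty certificate pool stands in for a real client CA bundle, and treating mTLS as mandatory is an assumed policy.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
)

// Audit returns one finding per weak setting in a server-side TLS config; none means it passes.
func Audit(cfg *tls.Config) []string {
	var findings []string
	if cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, "MinVersion unset or below TLS 1.2; set it explicitly")
	}
	insecure := map[uint16]string{}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.ID] = s.Name
	}
	for _, id := range cfg.CipherSuites {
		if name, bad := insecure[id]; bad {
			findings = append(findings, "insecure cipher suite enabled: "+name)
		}
	}
	// Go applies CipherSuites to TLS 1.0-1.2 only; its TLS 1.3 suites are not configurable.
	if cfg.MinVersion >= tls.VersionTLS13 && len(cfg.CipherSuites) > 0 {
		findings = append(findings, "CipherSuites has no effect when only TLS 1.3 is allowed")
	}
	if cfg.ClientAuth != tls.RequireAndVerifyClientCert || cfg.ClientCAs == nil {
		findings = append(findings, "mTLS not enforced: require and verify client certificates")
	}
	return findings
}

// WeakConfig is a constructed example of settings to avoid.
func WeakConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS10, CipherSuites: []uint16{tls.TLS_RSA_WITH_RC4_128_SHA}}
}

// HardenedConfig is the corrected counterpart, with mutual TLS enforced.
func HardenedConfig() *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    x509.NewCertPool(), // constructed: load the trusted client CA certificates here
	}
}

func main() { fmt.Println(Audit(WeakConfig()), Audit(HardenedConfig())) }
```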
If you’re using microservices and associated gateway access patterns, you’ll need to manage your Kubernetes TLS certificates. With a TLS Kubernetes setup, you can do this by configuring the kubectl command-line tool to communicate with your cluster and then using the certificates.k8s.io API. This allows you to provision signed TLS certificates to establish trust.
What version of TLS do API gateways use?
As mentioned above, the latest TLS version is 1.3, which the Internet Engineering Task Force published in August 2018. TLS 1.3 replaced TLS 1.2, bringing new features and improvements, such as speeding up TLS handshakes and dropping support for older cryptographic features no longer considered secure.
How do I enable TLS for API gateway?
It’s not difficult to enable TLS for your API gateway; you just need to be methodical. Our blog post on transport layer security and Tyk walks you through the whole process, from generating a self-signed certificate to launching a Tyk Gateway instance and protecting your data with TLS. If you’re looking for a step-by-step guide to enabling API gateway TLS, that’s where to start.
Of course, the Tyk team is also happy to help with any gateway TLS questions, so feel free to drop us a line any time.