KB Article #187940

Forcing APIM Dynamic WSDL generation to use HTTPS in address location

Problem

When there is a load balancer or reverse proxy in place in front of API Manager that terminates SSL/TLS connections and forwards client requests to APIM using HTTP, the WSDL exposed by API Manager always displays the wsdl:soap:address location with an HTTP URL instead of HTTPS.

Resolution

To resolve this issue, the best and most straightforward solution is to configure the load balancer or reverse proxy to forward requests over both HTTP and HTTPS to API Manager, with the latter having two listeners to support both protocols.

However, if adjusting the load balancer is not feasible, you can enforce HTTPS at the API Manager level using the following steps:


Create a Policy in Policy Studio:

  • Open Policy Studio and create a new policy with a single "Set Attribute" filter.
  • Set the Attribute Name to http.request.cipher.
  • Set the Attribute Value to a random, non-null value (e.g., anyNonNullValue).

This works because the HTTPPlugin in API Gateway sets the URL scheme to https whenever the http.request.cipher attribute is non-null, and to http otherwise:

gwplatform/vordel-core-http/src/main/java/com/vordel/dwe/http/HTTPPlugin.java
                try {
                    String scheme = "http";
                    if (m.get("http.request.cipher") != null)
                        scheme = "https";
                    HeaderSet httpHeaders = (HeaderSet) m.get(MessageProperties.HTTP_HEADERS);

Add the Policy to API Manager's Inbound Security Policies:

  • Go to Server Settings -> API Manager -> Inbound Security Policies -> Add and select the policy you created.
  • Deploy the configuration.

Configure the API in API Manager:

  • Navigate to the Frontend section in API Manager, open your API, and switch to the Inbound tab.
  • For Inbound Security, choose "Invoke Policy," select the policy you added earlier, and disable the toggle for Client Registry.

Note: Using this policy as a Global Request Policy will not work, because the ?WSDL call is not an API method call. Global Request policies are triggered only for front-end APIs during API method calls, which do not include ?WSDL.


By implementing this workaround, the ?WSDL call will always return an HTTPS URL, even if a plain HTTP listener is in place.
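
To confirm the workaround took effect, the following check (an added example, not part of the original article or the product) parses a saved ?WSDL response and lists every soap:address location whose scheme is not https. The sample WSDL, the host name apim.example.com and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# WSDL 1.1 binding namespaces for SOAP 1.1 and SOAP 1.2 address elements.
SOAP_NS = (
    "http://schemas.xmlsoap.org/wsdl/soap/",
    "http://schemas.xmlsoap.org/wsdl/soap12/",
)

def endpoint_locations(wsdl_text):
    """Return the location of every soap:address / soap12:address element."""
    root = ET.fromstring(wsdl_text)
    found = []
    for ns in SOAP_NS:
        for addr in root.iter("{%s}address" % ns):
            found.append(addr.get("location", ""))
    return found

def non_https_locations(wsdl_text):
    """Return locations whose scheme is not https; an empty list means pass."""
    return [loc for loc in endpoint_locations(wsdl_text)
            if urlsplit(loc).scheme.lower() != "https"]

# Constructed sample WSDL; service, port and host names are placeholders.
WSDL_TEMPLATE = """<wsdl:definitions
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/">
  <wsdl:service name="DemoService">
    <wsdl:port name="DemoPort11" binding="DemoBinding11">
      <soap:address location="{a}"/>
    </wsdl:port>
    <wsdl:port name="DemoPort12" binding="DemoBinding12">
      <soap12:address location="{b}"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>"""

# BEFORE: one port still advertises plain HTTP. AFTER: both use HTTPS.
BEFORE = WSDL_TEMPLATE.format(a="http://apim.example.com/demo",
                              b="https://apim.example.com/demo")
AFTER = WSDL_TEMPLATE.format(a="https://apim.example.com/demo",
                             b="https://apim.example.com/demo")

if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        bad = non_https_locations(doc)
        print(label, "FAIL " + ", ".join(bad) if bad else "OK")
```

Run it against the WSDL as retrieved through the load balancer, since that is the document clients actually consume.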