Hello everybody,
We are in the process of implementing mTLS for one of our new APIs in Apigee (northbound).
Currently our existing APIs (without mTLS) are set up in Apigee as below:
https://api.sampleschool.com/demo/v1/student
https://api.sampleschool.com/demo/v1/alumni
Virtual host is set up as
Name - sampleschool
Port - 443
Alias - api.sampleschool.com
Now we want to deploy a new API (teacher) with mTLS support in Apigee as https://api.sampleschool.com/demo/v1/teacher.
My confusion is:
Can we implement mTLS for the same Virtual Host (Name - sampleschool)?
No, you cannot.
Isn't mTLS implementation for "teacher" going to impact the existing "student" and "alumni" APIs as well?
Yes, that's how the VirtualHost works in Apigee Edge.
My understanding is that an mTLS implementation through a Trust Store in the Virtual Host will make Apigee expect client certificates for the existing APIs as well.
Correct. Each virtualhost is either 1-way or 2-way (mutual) TLS. And any API proxy "listening" on the virtualhost will use that TLS configuration - either 1-way or 2-way. There is no way to make client authentication "optional" in an Apigee vhost.
If we want to use the same URI (host) api.sampleschool.com with mTLS support (teacher) as well as for the existing non-mTLS APIs (student, alumni), is there any option available in Apigee?
No, not if you use only Apigee. You would need to insert something between your clients and Apigee, in order to get that behavior. Some other TLS-termination point that you can control and in doing so, provide a "client auth optional" capability.
If you are ok with not using the same hostname.... then of course you can have 1-way and 2-way TLS configurations, for different hosts.
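The "client auth optional" TLS-termination point described in the answer, as an added example that is not part of the original thread or of Apigee itself: an nginx server in front of Apigee that requests a client certificate but does not fail the handshake without one, and then enforces a verified certificate only on the /demo/v1/teacher path. All file paths, the upstream address and the Apigee host alias are assumptions.

```nginx
# Added example, not from the original thread. nginx terminates TLS for
# api.sampleschool.com with optional client auth and forwards to Apigee.
upstream apigee_upstream {
    server sampleschool-test.apigee.net:443;   # assumed Apigee virtual host alias
}

server {
    listen 443 ssl;
    server_name api.sampleschool.com;

    ssl_certificate     /etc/nginx/tls/api.sampleschool.com.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/api.sampleschool.com.key;   # assumed path

    # CA that issues the "teacher" client certificates (the equivalent of the
    # Apigee Trust Store). "optional" = ask for a cert, but accept the handshake
    # without one, so student/alumni clients are unaffected.
    ssl_client_certificate /etc/nginx/tls/client-ca.pem;             # assumed path
    ssl_verify_client      optional;
    ssl_verify_depth       2;

    # Always overwrite these headers so a client cannot inject its own copies;
    # Apigee should only accept traffic from this proxy if it relies on them.
    proxy_set_header Host                sampleschool-test.apigee.net;   # assumed alias
    proxy_set_header X-SSL-Client-Verify $ssl_client_verify;            # SUCCESS / NONE / FAILED:...
    proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;
    proxy_ssl_server_name on;

    # Existing 1-way TLS APIs: no client certificate required.
    location /demo/v1/student { proxy_pass https://apigee_upstream; }
    location /demo/v1/alumni  { proxy_pass https://apigee_upstream; }

    # New mTLS API: reject unless a client certificate was presented AND
    # chained to the configured CA (a missing cert yields NONE, a bad one FAILED).
    location /demo/v1/teacher {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        proxy_pass https://apigee_upstream;
    }

    location / { return 404; }
}
```

With this in place the Apigee virtual host stays 1-way TLS; the per-path decision lives in the component you control, which is exactly what the answer says Apigee alone cannot provide. Check the behaviour with curl: a request to /demo/v1/teacher without `--cert` should get 403, with a certificate from client-ca.pem it should reach Apigee, and /demo/v1/student should work either way.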