Automating 1-way and 2-way SSL certificate validation at both northbound and southbound


Summary:

Apigee is exposed over HTTPS and receives HTTP requests from many sources across the globe. To secure those transactions, SSL/TLS certificates are configured at the gateway. Every API request that reaches Apigee goes through TLS validation, which provides authentication, integrity and confidentiality; only after the handshake succeeds is the request processed further. Apigee has a proxy endpoint and a target endpoint: the proxy endpoint faces the client (consumer) and the target endpoint faces the backend service provider. A request first passes through the nearby cloud routers and then to the Message Processors (MPs). The MPs execute the proxy flow, forward the request to the backend, and return the backend's response to the client.

Apigee supports both 1-way and 2-way (mutual) SSL handshakes with clients. There are two places where a handshake takes place: at the ELB (elastic load balancer) in front of the proxy endpoint, and at the Apigee target endpoint. For 1-way SSL the client's connection is terminated at the ELB, which presents the Apigee certificate; for 2-way SSL the client and Apigee authenticate each other with certificates. The same applies at the target endpoint, where Apigee and the backend service provider perform a 1-way or 2-way handshake.

So secure data transfer is enforced on both the client (consumer) side and the backend (service provider) side.

Certificates are issued with a limited validity period, commonly about two years. Once a certificate has expired the TLS handshake fails, so the platform cannot serve any call through that endpoint. The Apigee support team renews or remediates the certificates and uploads the new ones to the respective keystore/truststore. To do that, the support team has to monitor each certificate at both ends for expiration. Several tools are available for this: OpenSSL for public domains, and the Apigee management API for the internal certificates held in keystores/truststores (southbound and northbound).

Tracing and validating many certificates across different organizations and environments is tedious and time consuming, and it reduces the productivity of the overall process. Failing to renew a certificate impacts the business, because a large number of calls then fail with SSL handshake errors. To avoid that, I wrote a Java program that monitors and validates all the domain certificates; if any certificate is found to be expired (or within the warning threshold of expiry), the script triggers a notification mail to the concerned team.

The notification mail is sent to the stakeholder/support team with the full status of the expired certificates, so that the concerned team can initiate remediation of those certificates.

Certificate Automation Overview:

Two approaches are used to validate certificates, depending on where SSL is terminated. The code is located at https://github.com/karthikprabhun/ApigeeCertValidationCheck.git


Approach 1: Using OpenSSL (for domains terminated at the ELB)

Any public domain certificate can be validated with the OpenSSL tool, and that is the process followed here. CertCheck.class reads the domain list from CertFile.XML and validates each defined certificate sequentially by executing an OpenSSL command.

Approach 2: Calling the Apigee management API (for internal certs in keystores/truststores)

The internal certificates at the Apigee northbound and southbound ends are validated here. CallManagment.class reads InternelCertDetails.XML and validates every keystore/truststore entry defined in that XML.

How to Customize?


To add or modify a domain / keystore / truststore name in the XML files:

The OpenSSL command takes a domain name and a port number (default: 443); the management API call uses the org, environment, keystore, keystore alias and domain name. Make the necessary changes in the respective XML file to validate any domain.

CertCheck.class reads the domain list from CertFile.XML:

<?xml version="1.0" encoding="UTF-8"?>
<DomainList>
	<Domain ID="1">
		<name>api.xyz.com</name>
		<port>443</port>
	</Domain>
	<Domain ID="2">
		<name>api.abc.com</name>
		<port>443</port>
	</Domain>
</DomainList>
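The following is an added example of the Approach 1 logic in Python; it is not the project's CertCheck.class. It parses the CertFile.XML layout shown above, runs the same OpenSSL pipeline (`openssl s_client` piped into `openssl x509 -noout -enddate`) for the live check, and turns the printed `notAfter=` line into a days-to-expiry figure that is compared against the WARNDAYS threshold of 70 used by the project. The sample XML and the captured `notAfter=` lines are constructed for the example; the `openssl` binary on PATH is assumed only for the live check.

```python
"""Approach 1 worked example (added here; not the project's CertCheck.class).

Assumptions: the CertFile.XML layout shown above, the project's WARNDAYS
threshold of 70, and the `openssl` binary on PATH for the live check only.
"""
import datetime as dt
import ssl
import subprocess
import xml.etree.ElementTree as ET

WARNDAYS = 70  # warn when a certificate expires within this many days

# Constructed sample of CertFile.XML (second entry omits <port> to show the default).
SAMPLE_CERTFILE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<DomainList>
  <Domain ID="1"><name>api.xyz.com</name><port>443</port></Domain>
  <Domain ID="2"><name>api.abc.com</name></Domain>
</DomainList>"""


def load_domains(xml_text):
    """Return [(name, port), ...] from CertFile.XML; <port> defaults to 443."""
    root = ET.fromstring(xml_text)
    return [(d.findtext("name").strip(), int(d.findtext("port", default="443")))
            for d in root.findall("Domain")]


def parse_enddate(enddate_line):
    """Turn the 'notAfter=Jan 25 09:13:00 2019 GMT' line printed by
    `openssl x509 -noout -enddate` into an aware UTC datetime."""
    value = enddate_line.split("=", 1)[-1].strip()
    return dt.datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=dt.timezone.utc)


def classify(days):
    """Map days-to-expiry onto the three states the notification reports."""
    if days < 0:
        return "EXPIRED"
    if days <= WARNDAYS:
        return "WARN"
    return "OK"


def fetch_enddate_line(name, port, timeout=10):
    """Live check: the OpenSSL pipeline the article describes.
    -servername sends SNI; without it a multi-tenant ELB may return its
    default certificate and you would measure the wrong one."""
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{name}:{port}", "-servername", name],
        input=b"", capture_output=True, timeout=timeout)
    x509 = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate"],
        input=s_client.stdout, capture_output=True, check=True)
    return x509.stdout.decode().strip()


def report(domains, enddate_lines, now=None):
    """Build {name: (days_remaining, status)} from captured notAfter lines, so
    the logic is testable offline; a domain with no captured line is reported
    as UNREACHABLE rather than silently skipped."""
    now = now or dt.datetime.now(dt.timezone.utc)
    result = {}
    for name, _port in domains:
        line = enddate_lines.get(name)
        if line is None:
            result[name] = (None, "UNREACHABLE")
            continue
        days = (parse_enddate(line) - now).days
        result[name] = (days, classify(days))
    return result


if __name__ == "__main__":
    domains = load_domains(SAMPLE_CERTFILE_XML)
    captured = {}
    for name, port in domains:
        try:
            captured[name] = fetch_enddate_line(name, port)
        except (OSError, subprocess.SubprocessError) as exc:
            # a failed handshake or unreachable host is itself a finding
            print(f"{name}:{port} check failed: {exc}")
    for name, (days, status) in report(domains, captured).items():
        print(f"{name}: {status} ({days} days left)")
```

Two details worth keeping when adapting this: pass `-servername` so the ELB serves the certificate for the hostname you are checking, and treat a failed connection as a reportable state rather than skipping the domain, otherwise an already-broken endpoint disappears from the notification.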

CallManagment.class reads InternelCertDetails.XML:

<?xml version="1.0" encoding="UTF-8"?>
<InternelCertsKeyStoreList>
	<Region ID="Northbound">
		<org>orgname1</org>
		<environment>prod</environment>
		<keystore>mynew-keystore</keystore>
		<keystore-alias>AllCerts-cert</keystore-alias>
		<domainname>secure.api.abc.com</domainname>
	</Region>
	<Region ID="Southbound">
		<org>orgname2</org>
		<environment>int</environment>
		<keystore>mynew-keystore</keystore>
		<keystore-alias>AllCerts-cert</keystore-alias>
		<domainname>apigateway.xyz.com</domainname>
	</Region>
</InternelCertsKeyStoreList>
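The following is an added example of the Approach 2 logic in Python; it is not the project's CallManagment.class. It reads the InternelCertDetails.XML layout shown above, builds the management API alias URL from org, environment, keystore and alias, and checks every certificate in the alias (leaf and intermediates) against the WARNDAYS threshold, plus a check that the leaf CN matches the configured domainname. Assumptions, all to be confirmed against your own deployment: the Edge classic endpoint `GET https://api.enterprise.apigee.com/v1/organizations/{org}/environments/{env}/keystores/{keystore}/aliases/{alias}` with HTTP basic auth, and that the response lists the chain under `certsInfo.certInfo[]` with a `subject` string and an `expiryDate` given either as `Thu, 25-Jan-2018 09:13:00` (read as UTC) or as epoch milliseconds. The sample XML and the sample alias response are constructed for the example.

```python
"""Approach 2 worked example (added here; not the project's CallManagment.class).

Assumptions, all to be confirmed against your own deployment: the
InternelCertDetails.XML layout shown above; the Apigee Edge (classic) endpoint
GET {base}/organizations/{org}/environments/{env}/keystores/{keystore}/aliases/{alias}
with HTTP basic auth; and that the alias JSON lists each certificate of the chain
under certsInfo.certInfo[] with a 'subject' string and an 'expiryDate' given either
as 'Thu, 25-Jan-2018 09:13:00' (read as UTC) or as epoch milliseconds.
"""
import base64
import datetime as dt
import json
import os
import urllib.request
import xml.etree.ElementTree as ET

WARNDAYS = 70
MGMT_BASE = "https://api.enterprise.apigee.com/v1"  # assumed Edge classic base URL
FIELDS = ("org", "environment", "keystore", "keystore-alias", "domainname")

# Constructed sample of InternelCertDetails.XML (one region, same layout as above).
SAMPLE_INTERNAL_XML = """<?xml version="1.0" encoding="UTF-8"?>
<InternelCertsKeyStoreList>
  <Region ID="Northbound">
    <org>orgname1</org>
    <environment>prod</environment>
    <keystore>mynew-keystore</keystore>
    <keystore-alias>AllCerts-cert</keystore-alias>
    <domainname>secure.api.abc.com</domainname>
  </Region>
</InternelCertsKeyStoreList>"""

# Constructed alias response in the assumed shape: leaf first, then an
# intermediate whose expiryDate is epoch milliseconds for 2021-01-01T00:00:00Z.
SAMPLE_ALIAS = json.loads("""{
  "alias": "AllCerts-cert", "type": "cert",
  "certsInfo": {"certInfo": [
    {"subject": "CN=secure.api.abc.com, O=ABC", "expiryDate": "Thu, 25-Jan-2018 09:13:00"},
    {"subject": "CN=Intermediate CA, O=SomeCA", "expiryDate": 1609459200000}]}}""")


def load_regions(xml_text):
    """Return one dict per <Region>, keyed by the XML element names plus 'region'."""
    root = ET.fromstring(xml_text)
    return [dict({f: r.findtext(f).strip() for f in FIELDS}, region=r.get("ID"))
            for r in root.findall("Region")]


def alias_url(region):
    """Assumed Edge classic 'get alias' URL built from the XML fields."""
    return (f"{MGMT_BASE}/organizations/{region['org']}/environments/{region['environment']}"
            f"/keystores/{region['keystore']}/aliases/{region['keystore-alias']}")


def fetch_alias(region, user, password, timeout=15):
    """Live call with basic auth; credentials come from the caller, never from source."""
    req = urllib.request.Request(alias_url(region), headers={"Accept": "application/json"})
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def parse_expiry(value):
    """Accept either assumed expiryDate encoding and return an aware UTC datetime."""
    if isinstance(value, (int, float)):
        return dt.datetime.fromtimestamp(value / 1000, tz=dt.timezone.utc)
    return dt.datetime.strptime(value, "%a, %d-%b-%Y %H:%M:%S").replace(tzinfo=dt.timezone.utc)


def check_alias(region, alias_json, now=None):
    """Return ([(subject, days_left, status), ...], cn_matches).

    Every certificate in the chain is checked, not just the leaf: an expiring
    intermediate uploaded with the leaf breaks the handshake just the same.
    cn_matches flags an alias whose leaf CN is not the configured <domainname>
    (assumes the usual 'CN=<host>, O=...' subject rendering)."""
    now = now or dt.datetime.now(dt.timezone.utc)
    findings = []
    for cert in alias_json["certsInfo"]["certInfo"]:
        days = (parse_expiry(cert["expiryDate"]) - now).days
        status = "EXPIRED" if days < 0 else "WARN" if days <= WARNDAYS else "OK"
        findings.append((cert["subject"], days, status))
    leaf_rdns = [p.strip() for p in findings[0][0].split(",")] if findings else []
    return findings, f"CN={region['domainname']}" in leaf_rdns


if __name__ == "__main__":
    user, password = os.environ["APIGEE_USER"], os.environ["APIGEE_PASS"]
    for region in load_regions(SAMPLE_INTERNAL_XML):
        findings, cn_matches = check_alias(region, fetch_alias(region, user, password))
        for subject, days, status in findings:
            print(f"[{region['region']}] {subject}: {status} ({days} days left)")
        if not cn_matches:
            print(f"[{region['region']}] leaf CN does not match {region['domainname']}")
```

Before relying on `parse_expiry`, fetch one alias from your own organization and confirm which `expiryDate` encoding it returns; the parser accepts both assumed forms but will raise on anything else, which is preferable to silently reporting OK. The CN check catches the case where an alias was uploaded for the wrong hostname, which the expiry date alone never reveals.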


To set the threshold value:

Change the variable below in CertCheck.class and CallManagment.class; a certificate that expires within this many days is reported in the notification.

private final static int WARNDAYS = 70;

To include mail IDs:

Add the recipient mail IDs to SendMail.class.

To set the account credentials for the management call:

Make the necessary changes in CallManagment.class. Do not commit the management API credentials to the repository; read them from an environment variable or a secrets store at runtime.

Note: apart from the above, the logging and other resource paths need to be configured for your own system.

Thanks & Regards,

Karthik

Last update: 01-25-2017 09:13 AM