Mutual TLS implementation in on-prem Apigee to access an API without a router restart


Hi all,

This article I have prepared after long research and continuous testing of mutual TLS for API calls.

Mutual TLS is also called two-way TLS/SSL. In mutual TLS both the client and the server verify each other's certificate, so each side stores the other's public certificate. For mutual TLS you therefore need both a keystore and a truststore. The keystore holds the Apigee virtual host certificate and its private key; the truststore holds the client's certificate. Apigee needs the client certificate, the intermediate chain certificate(s), and the root certificate in that order, either in a single file or each in its own file. Both the keystore and the truststore are configured in the virtual host. If you specify the keystore and truststore names directly in the virtual host, every modification or addition of a certificate requires a router restart, which is a challenge in production. To avoid the restart, the Apigee documentation suggests configuring a reference in the virtual host instead of the keystore and truststore names. The document below explains the use of references.

https://docs.apigee.com/api-platform/system-administration/configuring-ssl-edge-backend-service

Switching the virtual host to references takes effect for API calls only after the routers have been restarted once. Even after that, whenever you add a new certificate to the truststore through the Edge UI, the routers must be restarted again before the change is picked up. To avoid router restarts, do not add certificates manually using the Edge UI; add client certificates to the truststore using an Apigee management API call instead. The document below describes that call.

https://apidocs.apigee.com/management/apis/post/organizations/%7Borg_name%7D/environments/%7Benv_nam...

Then, instead of restarting the routers, refresh the truststore reference with a PUT management API call, as described in the link below.

https://docs.apigee.com/api-platform/system-administration/working-references

curl -X PUT -H "Content-Type:application/xml" https://api.enterprise.apigee.com/v1/o/{org_name}/e/{env_name}/references/keystoreref \
-d '<ResourceReference name="keystoreref">
    <Refers>myNewKeystore</Refers>
    <ResourceType>KeyStore</ResourceType>
</ResourceReference>' -u orgAdminEmail:password

The call above is the documentation's keystore example; use your truststore reference name and truststore name in place of keystoreref and myNewKeystore (the ResourceType stays KeyStore). Once this call is done, you do not need to restart the routers after adding a certificate.
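The whole procedure described above, from uploading a client certificate to the truststore to refreshing the reference, as an added shell example (not code from the original post or from the Apigee documentation). It assumes the classic Edge management API shape for certificate upload (POST to the keystore's certs collection with an alias query parameter and a multipart file field), placeholder org, environment, truststore and reference names, and credentials in APIGEE_USER; it runs in dry-run mode by default so the curl commands are printed rather than executed.

```shell
#!/bin/sh
# Added example: add a client certificate to an Apigee Edge truststore via the
# management API, then PUT the truststore reference so the routers reload it
# without a restart. All names below are placeholders (assumptions); set them
# through the environment before running with DRY_RUN=0.
set -eu

MGMT="${MGMT:-https://api.enterprise.apigee.com/v1}"     # management API base URL
ORG="${ORG:-myorg}"                                      # assumed org name
ENV_NAME="${ENV_NAME:-prod}"                             # assumed environment name
TRUSTSTORE="${TRUSTSTORE:-clientTruststore}"             # assumed truststore name
REF="${REF:-truststoreref}"                              # assumed reference name used in the virtual host
APIGEE_USER="${APIGEE_USER:-orgAdminEmail:password}"     # user:password for -u (placeholder)
DRY_RUN="${DRY_RUN:-1}"                                  # 1 = print curl commands only, 0 = execute

# Count PEM certificates in a bundle. The post says Apigee wants the client
# certificate, then the intermediate(s), then the root, in that order; an
# empty or non-PEM file is the most common upload mistake, so refuse it early.
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Body for the reference PUT. For a truststore the ResourceType is still
# KeyStore; <Refers> names the truststore the reference points at.
reference_xml() {
    printf '<ResourceReference name="%s"><Refers>%s</Refers><ResourceType>KeyStore</ResourceType></ResourceReference>' "$1" "$2"
}

# URL of a keystore/truststore's certs collection (assumed endpoint shape).
certs_url() {
    printf '%s/o/%s/e/%s/keystores/%s/certs' "$MGMT" "$1" "$2" "$3"
}

# URL of a reference in an environment.
reference_url() {
    printf '%s/o/%s/e/%s/references/%s' "$MGMT" "$1" "$2" "$3"
}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf 'DRY RUN: %s\n' "$*"; else "$@"; fi
}

# Step 1: upload the client certificate bundle under an alias.
# Usage: upload_client_cert <alias> <bundle.pem>
upload_client_cert() {
    n=$(count_pem_certs "$2")
    if [ "$n" -lt 1 ]; then
        echo "no PEM certificate found in $2" >&2
        return 1
    fi
    run curl -sS -f -u "$APIGEE_USER" -X POST \
        "$(certs_url "$ORG" "$ENV_NAME" "$TRUSTSTORE")?alias=$1" \
        -F "file=@$2"
}

# Step 2: PUT the reference, pointing at the same truststore, so the routers
# reload it instead of needing a restart.
refresh_reference() {
    run curl -sS -f -u "$APIGEE_USER" -X PUT -H 'Content-Type: application/xml' \
        "$(reference_url "$ORG" "$ENV_NAME" "$REF")" \
        -d "$(reference_xml "$REF" "$TRUSTSTORE")"
}

# Typical use (dry run):   upload_client_cert partner-a partner-a-chain.pem && refresh_reference
```

Run the two functions in that order after each certificate addition; the reference PUT is what makes the new certificate usable without a router restart. As the post notes, this does not cover deletion, which still requires a restart.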

If you delete a certificate, however, you do need to restart the routers; until then, API calls with that particular certificate still succeed.

Hope this helps with mutual TLS implementation.

Last update: 04-26-2020 03:15 AM