2-way TLS for Edge and unique cert per client


We currently have two proxies in Apigee Edge cloud:

  1. /proxyA: IP-restricted to our corporate IPs
  2. /proxyB: API-key-based authentication

We have existing consumers using the above proxies (myorg.apigee.net) for different features that we have exposed.

We will be adding a new endpoint (or proxy) that allows vendor(s) to POST data to us. The requirement that we have is to use TLS to secure it, but we also need to make sure that adding cert-based authentication for the new vendor proxy doesn’t affect existing proxies/users.

We are trying to understand what the proper implementation should be on Apigee Edge cloud, and how to do it.

Let’s suppose we need to support additional vendors, so instead of adding a new proxy for each vendor, we could potentially set up one proxy for all vendors and ID them as follows:

  • /vendor/{vendor-id}/{type-of-data}

So we need help getting the following clarified:

  1. Is it possible to have a unique client certificate per vendor?
  2. Does it have to be one certificate per proxy?
  3. Can this be done without affecting the consumers accessing existing proxies?
  4. How to go about setting this up?

Thanks!

Anand

1 REPLY


Find the answers below.

Is it possible to have a unique client certificate per vendor?

Yes, you need to create a Virtual Host with 2-way SSL configuration. If the client uses a non-CA (Certificate Authority) cert, then the cert needs to be added to the Apigee trust store.

Does it have to be one certificate per proxy?

No, one client certificate can be used for multiple proxies. When the API proxy developer deploys a proxy, the specific virtual host name needs to be used in the API proxy definition file.

Can this be done without affecting the consumers accessing existing proxies?

Yes, one proxy can be deployed on multiple Virtual Hosts. Current clients can continue to use the existing Virtual Host to access the API, and new 2-way TLS clients can use the new Virtual Host.

How to go about setting this up?

Find the documentation here: https://docs.apigee.com/api-services/content/creating-virtual-host#creatingavirtualhostthatuseshttps
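
Every vendor certificate in the 2-way TLS virtual host's trust store passes the same handshake, so a shared /vendor/{vendor-id}/{type-of-data} proxy still has to check that the presented certificate belongs to the vendor named in the path. The following is an added example of that check, not part of the original thread and not Apigee's own code; the fingerprint table, the function names and the assumption that the gateway hands the proxy a SHA-256 fingerprint of the client certificate are all hypothetical.

```javascript
// Constructed sample bindings: vendor-id -> SHA-256 fingerprints of that
// vendor's client certificates (hypothetical values, lowercase hex, no colons).
const VENDOR_CERTS = {
  acme: ["aa11" + "0".repeat(60)],
  globex: ["bb22" + "0".repeat(60), "cc33" + "0".repeat(60)], // two certs during rotation
};

// Normalise fingerprints such as "AA:11:..." to lowercase hex without separators.
function normalizeFingerprint(fp) {
  return String(fp || "").replace(/[^0-9a-fA-F]/g, "").toLowerCase();
}

// Parse /vendor/{vendor-id}/{type-of-data}; returns null for any other path.
function parseVendorPath(path) {
  const m = /^\/vendor\/([A-Za-z0-9_-]+)\/([A-Za-z0-9_-]+)\/?$/.exec(path);
  return m ? { vendorId: m[1], dataType: m[2] } : null;
}

// Allow the request only when the certificate presented in the TLS handshake
// is one of the certificates pinned to the vendor-id in the request path.
function authorizeVendor(path, presentedFingerprint, bindings) {
  const route = parseVendorPath(path);
  if (!route) return { allowed: false, reason: "bad_path" };

  const fp = normalizeFingerprint(presentedFingerprint);
  if (fp.length !== 64) return { allowed: false, reason: "no_client_cert" };

  // Own-property lookup so ids like "__proto__" or "constructor" never resolve.
  const pinned = Object.prototype.hasOwnProperty.call(bindings, route.vendorId)
    ? bindings[route.vendorId]
    : null;
  if (!pinned) return { allowed: false, reason: "unknown_vendor" };
  if (!pinned.includes(fp)) return { allowed: false, reason: "cert_vendor_mismatch" };

  return { allowed: true, reason: "ok", vendorId: route.vendorId, dataType: route.dataType };
}
```

Pinning a list of fingerprints per vendor lets a vendor rotate certificates without downtime: add the new fingerprint, then remove the old one after cutover.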