It's an SSL handshake failure.
Have you configured 2-way SSL at Amazon? In that case, you need to configure the TargetEndpoint to use 2-way SSL.
If not, maybe the Amazon certs are not trusted at Apigee. You need to import those certs into Apigee's truststore.
More info here,
http://apigee.com/docs/api-services/content/keystores-and-truststores
http://apigee.com/docs/api-services/content/configuring-ssl-edge-backend-service
Thanks,
From what I'm discovering, it appears that the Gateway API requires TLSv1.2 (maybe 1.1) and SNI.
Here's a relevant conversation: https://forums.aws.amazon.com/thread.jspa?threadID...
According to these release notes, Apigee cloud supports SNI: http://apigee.com/docs/release-notes/content/15041...
Do I need to request for it to be enabled for my org? Will this impact other backend services that do not require SNI?
I have attempted to create a TrustStore and add an SSLInfo element, but I've had no luck. Here it is just so we can move on:
<SSLInfo>
  <Enabled>true</Enabled>
  <ClientAuthEnabled>true</ClientAuthEnabled>
  <KeyStore>freetrial</KeyStore>
  <KeyAlias>freetrial</KeyAlias>
  <TrustStore>apistation_co</TrustStore>
</SSLInfo>
I have a hard time believing that this is the issue (or the accepted fix). The Gateway API provides default endpoints if one chooses not to add custom domains (e.g., https://xxxxxxxxx.execute-api.us-west-2.amazonaws.com/). Since I'm using Apigee, I would prefer to use the defaults. I have to assume that AWS is not making it difficult to hit their Gateway endpoints.
Would it be possible to skip the back-and-forth with me (as I'm fairly slow) and you guys attempt to connect to a Gateway API endpoint? I can even provide one.
<TrustStore>apistation_co</TrustStore> and try once? It could also be that the full cert chain is not available in the truststore. This will help eliminate that possibility.
Please share the details; I am hoping you have already configured 'freetrial' at Amazon for the 2-way SSL.
Thanks,
I am having a similar issue. Uploaded the whole chain of certs to the truststore. No Success.
Do I need to reach out to Apigee support to enable SNI for my Edge subscription?
Yes @Mudit.P, reach out to support. FYI, SNI is not supported for the free accounts; it's only available for SMB and Enterprise accounts.
Thanks @Mukundha Madhavan, is it not enabled by default for enterprise accounts?
Yes @Mudit.P, it's not enabled by default, please contact support.
@Mukundha Madhavan SNI is not available for SMB customers and Apigee Developer customers. It's available only for Enterprise customers.
Enforce TLS1.2 in the Protocol element in the SSLInfo, as AWS does not accept any lower protocols. I had a similar issue and got it resolved today.
Example:
<HTTPTargetConnection>
  <SSLInfo>
    <Enabled>true</Enabled>
    <Protocols>
      <Protocol>TLSv1.2</Protocol>
    </Protocols>
    <TrustStore>truststore</TrustStore>
  </SSLInfo>
  <URL>https://dev1.social.com/svc/social/2.0/rest</URL>
</HTTPTargetConnection>
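An added example, not code from any participant in this thread or from Apigee: a small Python check that runs over the two SSLInfo configurations posted above and reports the points the replies raise (TLSv1.2 not listed, 2-way SSL enabled, no truststore). The `lint_target` helper, its finding messages, and the wrapper and URL around the question's SSLInfo are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]  # weakest to strongest

# SSLInfo from the question; the wrapper and URL are constructed placeholders.
QUESTION = """<HTTPTargetConnection>
  <SSLInfo>
    <Enabled>true</Enabled>
    <ClientAuthEnabled>true</ClientAuthEnabled>
    <KeyStore>freetrial</KeyStore><KeyAlias>freetrial</KeyAlias>
    <TrustStore>apistation_co</TrustStore>
  </SSLInfo>
  <URL>https://backend.example.invalid/</URL>
</HTTPTargetConnection>"""

# Target connection from the last reply, content unchanged.
ANSWER = """<HTTPTargetConnection>
  <SSLInfo>
    <Enabled>true</Enabled>
    <Protocols><Protocol>TLSv1.2</Protocol></Protocols>
    <TrustStore>truststore</TrustStore>
  </SSLInfo>
  <URL>https://dev1.social.com/svc/social/2.0/rest</URL>
</HTTPTargetConnection>"""

def lint_target(xml_text, required="TLSv1.2"):
    """Return findings for one HTTPTargetConnection (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    ssl = root.find("SSLInfo")
    def val(tag):
        return (ssl.findtext(tag) or "").strip() if ssl is not None else ""
    if val("Enabled").lower() != "true":
        return ["SSLInfo is missing or disabled"]
    findings = []
    protocols = [p.text.strip() for p in ssl.findall("Protocols/Protocol") if p.text]
    if required not in protocols:
        findings.append(f"{required} is not listed under <Protocols>")
    lower = [p for p in protocols if p in ORDER[:ORDER.index(required)]]
    if lower:
        findings.append("lower protocols allowed: " + ", ".join(lower))
    if val("ClientAuthEnabled").lower() == "true":
        if val("KeyStore") and val("KeyAlias"):
            findings.append("2-way SSL enabled: confirm the backend asks for a client cert")
        else:
            findings.append("ClientAuthEnabled without KeyStore and KeyAlias")
    if not val("TrustStore"):
        findings.append("no TrustStore referenced")
    return findings

for name, cfg in (("question", QUESTION), ("answer", ANSWER)):
    print(name, lint_target(cfg) or "ok")
```

The check only inspects the proxy configuration; whether SNI is enabled for the org is an account-level setting that it cannot see.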