Can Apigee pass through the client certificate (requests) to a backend server?

I have one API Proxy which is used only for passing requests through to the backend. My question: if the customer sends a certificate while hitting my proxy (as a request), the same certificate needs to be passed to the backend server. The backend server will validate the certificate and send the response back to Apigee, and Apigee will pass the same response to the customer. Please help me with what change is required for this.

Flow: Client -----(request body + certificate)--------> APIGEE --(same will pass through)------------> Backend server (validates the certificate; if the certificate is correct, sends a response, else sends an error).

Demo certificate we got from the customer:

sample certificate


- If the customer sends one certificate while hitting my proxy (as a request), the same certificate needs to be passed to the backend server.

I am assuming by "send one certificate", you mean the client is authenticating itself over TLS, with an x509 certificate. This is often called "mutual authentication" or "2-way TLS authentication". In 2-way authentication, each peer (client and Apigee) identifies itself with an x509 cert, and each peer validates the other peer's certificate.

If this is what you are talking about, then yes, you can configure Apigee to do that, but you need to be aware of some caveats.

1. It's different for Apigee X, Apigee hybrid, and Apigee Edge. I'll make the rest of my comments about Apigee X.

2. Apigee X receives the raw client cert in a context variable, tls.client.raw.cert (source). As far as I am aware, this is not the full certificate chain. It's just the tail certificate. If you wanted your Apigee proxy to send this to the upstream system, you could inject a header, or transmit it in some other way.

3. This is not the same as using the client's certificate to authenticate over TLS to the upstream. Apigee will use its own TLS configuration to authenticate to the upstream. The client cert would be extra data that would be propagated at the application layer. If you are imagining Apigee to initiate a TLS connection using the client's cert.... no, that is not possible. Apigee does not possess the client's cert+key and cannot "impersonate" the client to the upstream system. That would be insecure.

Last thing - I wonder if there are better ways to do what you are describing. Are you sure you need to do what you're describing?

What's the real goal? Beyond "propagate the TLS cert of the client", what are you really trying to achieve?

Existing flow: Client ---> middleware system ---> backend

In our existing flow we have a few customers who are sending a certificate with the request body, and the middleware system will validate that certificate and, in case of a valid certificate, will connect to the backend and send back a success response. (In the existing flow the middleware system is doing the client authentication, and this flow will remain the same.) We only wanted to use Apigee in between the client and the middleware, as below:

Goal: we want to add Apigee between: Client <---> Apigee <----> middleware <---> Backend

Note: we just wanted to use a few Apigee features like Quota, SpikeArrest, monitoring etc., and we don't want any kind of authentication on the Apigee end; Apigee will only pass the client request through to the middleware system.

So can Apigee pass through the client request (request body + certificate [this certificate will be validated by the middleware]) to the middleware system?

Waiting for your answer on the above-mentioned query. Please help me.

So can Apigee pass through the client request (request body + certificate [this certificate will be validated by the middleware]) to the middleware system?

No. As I explained above, Apigee acts as an HTTP reverse proxy. In a transaction that is mediated by Apigee, the client connects to Apigee, and Apigee connects to the upstream (backend) system. This is exactly parallel with your existing system, with Apigee taking the role of the "middleware system".

As I explained in my initial reply, Apigee cannot "impersonate" the client to the middleware system. It cannot "pass through" the client transport security to your existing middleware system. Apigee CAN pass the client cert to its upstream, as I explained above. But this would be in the form of an HTTP header. It would not be transport-layer security. The middleware system would need to validate the PEM-encoded cert as passed in the HTTP header.

Maybe you can use Apigee to REPLACE your middleware system. Obviously Apigee can also validate client certificates at the transport layer. If that's all your existing middleware system is doing, and if you want to add other capabilities like rate limiting or monitoring, then.... why not let Apigee do it all?
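The header injection the replies describe, as an added example for an Apigee X proxy request flow (this is my own policy, not from the thread or from Apigee's documentation); the policy name, the header name X-Client-Cert, and the assumption that tls.client.raw.cert is unset when no client certificate was presented are mine:

```xml
<!--
  Request-flow policy for an Apigee X proxy (added example).
  Copies the client's leaf certificate, which Apigee exposes as
  tls.client.raw.cert after mutual TLS on the inbound connection, into a
  request header bound for the upstream. Transport security to the upstream
  is still Apigee's own TLS configuration; the header only carries the
  certificate as application-layer data for the middleware to validate.
-->
<AssignMessage name="AM-PropagateClientCert">
  <DisplayName>AM-PropagateClientCert</DisplayName>
  <!-- Set (not Add) overwrites any X-Client-Cert header the caller supplied,
       so a client cannot smuggle in a certificate of its choosing. -->
  <Set>
    <Headers>
      <Header name="X-Client-Cert">{tls.client.raw.cert}</Header>
    </Headers>
  </Set>
  <!-- Assumption: the variable is unresolved when no client cert was
       presented; with this set to false the policy faults instead of
       forwarding an empty header. -->
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>
```

The middleware should accept this header only on connections it can attribute to Apigee (for example by checking Apigee's own TLS identity on the upstream connection), since anyone able to reach the middleware directly could otherwise set it themselves. If the variable's PEM value contains line breaks, it must be encoded into a single line before it is safe to place in a header.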