I am evaluating this product and am looking for WS* security, as I have a use case where SOAP message signing and verification is prominent. Is there any support from Apigee for this? Secondly, do you know whether Apigee can be rightfully placed in a DMZ zone?

ACCEPTED SOLUTION


It's really a question of your own security practices and the solution design tradeoffs you'll need to make that would determine if this should go into your DMZ. Apigee is fully PCI compliant, which means that it has gone through rigorous security testing. Please let us know of any specific security concerns and we'll let you know if it is an issue.


REPLIES


There is no "out of the box" support for WS* security. This would need to be implemented as part of a proxy using a combination of Service Callouts and Extract Variables/Assign Message policies.

Can you provide some context as to why you would want to put Apigee in your DMZ?

@Michael Malloy Can you please explain further what combination of Service Callouts and Extract/Assign messages will be required to support WS security? I have the following assumption: the Service Callout is a Java callout, which takes the SOAP message, signs it, and sends back an updated SOAP message to Edge, which can then just be passed on to the backend. Is there a known GitHub repository that has this logic implemented? Any insights on this would be helpful, as this is rather complex.


Thanks for the response, Michael. We have a B2B gateway product which currently resides in the DMZ. Mostly we will replace it with Apigee to extend B2B services as APIs to non-business partners as well. Is Apigee a good fit for the DMZ, or should it be in the trusted zone? If DMZ, then what makes it a good candidate for the DMZ?
