We have a requirement where we need to extract the incoming request's cert info (serial no, CN, DN) and send it in the southbound request headers at runtime. I did a POC to see if it is possible to get the cert info on the proxy; it looks like it is possible by calling a management API in a Service Callout to get the cert info. However, I wanted to check if there is a better or recommended way to do this other than using the mgmt API. Is it okay to call a mgmt API to get cert info in this case? How do I identify the incoming request's cert from the keystore?
Ah, when you say "incoming request's cert info" -- that's not something that you would obtain with a management API call. That is something that the Apigee Edge runtime provides for you, in the message context.
According to this documentation page, you can read client.cn, client.organization, and some other things.
I think you may also be able to read:
Variable | Description
---|---
ssl.client.i.dn | DN of issuer of client cert
ssl.client.i.dn.cn | common name of issuer
ssl.client.s.dn | DN of subject
ssl.client.s.dn.cn | common name of subject
ssl.client.m.serial | serial number
I have not been able to verify this on my own.
Give it a shot and tell me how it works for you.
EDIT: Just talked to someone here and they suggested you need to open a support ticket with Apigee to get these variables propagated to your API Proxies.
BTW, to make this happen, you need a vhost with 2-way TLS enabled, e.g., like so:
<VirtualHost name="secure-2way">
  <HostAliases>
    <HostAlias>api.mycustomhost.net</HostAlias>
  </HostAliases>
  <Interfaces/>
  <Port>443</Port>
  <Properties/>
  <SSLInfo>
    <ClientAuthEnabled>true</ClientAuthEnabled>
    <Enabled>true</Enabled>
    <KeyAlias>myspecialkey</KeyAlias>
    <KeyStore>ref://myKeystore</KeyStore>
    <TrustStore>myTruststore</TrustStore>
    <IgnoreValidationErrors>false</IgnoreValidationErrors>
  </SSLInfo>
</VirtualHost>
Have you done that? Apigee Edge will verify the client cert if you have used a vhost like this ^^
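An added example, not from this thread or from Apigee's own samples: an AssignMessage policy that populates the southbound headers from the TLS flow variables listed above, after dropping any copies the caller may have sent. The policy name and the X-Client-Cert-* header names are assumptions; the variable names are the ones discussed in this thread, and the thread notes that some of them may need a support ticket before they are populated.

```xml
<!-- Added example (not from the thread); policy and header names are assumed.
     Attach to the proxy request PreFlow, after any authentication steps. -->
<AssignMessage name="AM-ClientCertToHeaders">
  <!-- Fail closed: if a TLS variable is not set (no client cert presented,
       or the variable not yet enabled on this org), raise a fault rather
       than forwarding an empty header. -->
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <!-- Drop any caller-supplied copies so the backend only ever sees
       values that this proxy set from the verified client cert. -->
  <Remove>
    <Headers>
      <Header name="X-Client-Cert-Serial"/>
      <Header name="X-Client-Cert-Subject-CN"/>
      <Header name="X-Client-Cert-Subject-DN"/>
      <Header name="X-Client-Cert-Issuer-DN"/>
    </Headers>
  </Remove>
  <!-- Populate from the runtime's TLS variables (see the table above). -->
  <Set>
    <Headers>
      <Header name="X-Client-Cert-Serial">{ssl.client.m.serial}</Header>
      <Header name="X-Client-Cert-Subject-CN">{ssl.client.s.dn.cn}</Header>
      <Header name="X-Client-Cert-Subject-DN">{ssl.client.s.dn}</Header>
      <Header name="X-Client-Cert-Issuer-DN">{ssl.client.i.dn}</Header>
    </Headers>
  </Set>
  <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>
```

These headers are only meaningful to the backend if it accepts them from Apigee alone (for example over its own TLS-authenticated southbound connection), since otherwise the same header names could be sent to it directly.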
Thanks for the pointers Dino, will try this and let you know how it went.
Hi @Arvind Velumani, we have a similar requirement to validate the client certificate's UID/serial number. Were you able to validate @Dino's suggestions?
Yes, it works. We were able to get cert info like the serial no propagated to proxies. As suggested, a support ticket was needed to expose the serial number and the other variables you need. Thanks @Dino
Thanks @Arvind Velumani for the confirmation.
Please note that the latest documentation for this is available at:
https://docs.apigee.com/api-platform/system-administration/tls-vars
Thanks. This helped.