Mutual SSL set up for Inbound request in apigee Hybrid

Hi, I have to set up MTLS in Apigee hybrid for inbound requests. I have done it in SaaS and OPDK, but I am learning the Hybrid model. Since host aliases are defined at the environment group level, could someone please help me understand how to configure MTLS between the consumer and Apigee, and also how to manage multiple client certificates.

Thanks, 

Patty


Former Community Member
Not applicable

In the overrides.yaml file, add a stanza like this

virtualhosts:
  - name: internal # environment group name
    minTLSProtocolVersion: "1.2"
    maxTLSProtocolVersion: "1.3"
    tlsMode: MUTUAL
    sslSecret: my-tls-secret # k8s secret name in istio-system namespace 

Read more about overrides configuration here.


Hi Srinandans, 

Thanks for your reply. Does Hybrid provide a UI to configure this, like SaaS or OPDK has with the Edge UI? Also, suppose multiple clients are coming from different CA roots; then how do I configure all the client certs, and does it require a restart of the server?


Thanks, 

Patty

Former Community Member
Not applicable

No, Apigee does not provide a UI to configure this. The Ingress (somewhat equivalent to the Router component in OPDK) is customer managed with Apigee hybrid. Customers configure the Ingress by configuring Kubernetes directly (in this case by creating a Kubernetes secret).  Apigee hybrid uses Anthos Service Mesh (Istio) as the Ingress. 

mTLS is achieved by a two step process:

  1. A generic Secret with keys key and cert
  2. A separate generic Secret named <secret>-cacert, with a cacert key. For example, if my-tls-secret has key and cert, then my-tls-secret-cacert has cacert

Once you have set up these secrets (in the istio-system namespace), configure the overrides.yaml as shown above and use apigeectl to configure Kubernetes.

In your case, the cacert file contains all the CA certs you wish to trust.
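As an added example (not code from the thread or from Apigee), the shell below builds the cacert bundle from several CA root files and prints the kubectl commands for the two Secrets named in the reply above; the CA directory, the key and cert paths and the placeholder PEM contents are assumptions.

```shell
# Added example, not from the thread: builds the trusted-CA bundle and emits the
# two generic Secrets described above. Secret and namespace names come from the
# reply; file paths and the CA directory are assumptions.
set -eu

NS=istio-system          # namespace the reply names for the Ingress secrets
SECRET=my-tls-secret     # the sslSecret value from the overrides.yaml stanza

# Concatenate every trusted client CA (one PEM file each) into one bundle and
# print how many certificates the bundle holds; fails on a non-PEM file.
build_ca_bundle() {
  ca_dir=$1; out=$2
  : > "$out"
  for f in "$ca_dir"/*.pem; do
    grep -q 'BEGIN CERTIFICATE' "$f" || { echo "not a PEM certificate: $f" >&2; return 1; }
    cat "$f" >> "$out"
    # Keep a newline between blocks even when a file lacks a trailing one
    if [ -n "$(tail -c 1 "$f")" ]; then echo >> "$out"; fi
  done
  grep -c 'BEGIN CERTIFICATE' "$out"
}

# Print the kubectl commands that create the two Secrets with the key names
# the Ingress expects: key/cert in $SECRET, cacert in $SECRET-cacert.
secret_commands() {
  key=$1; cert=$2; bundle=$3
  printf 'kubectl -n %s create secret generic %s --from-file=key=%s --from-file=cert=%s\n' \
    "$NS" "$SECRET" "$key" "$cert"
  printf 'kubectl -n %s create secret generic %s-cacert --from-file=cacert=%s\n' \
    "$NS" "$SECRET" "$bundle"
}

# Demo with constructed placeholder PEMs (not real certificates) so the script
# runs offline; point the directory at your real CA root files instead.
WORK=$(mktemp -d); mkdir "$WORK/cas"
printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-ROOT-A' '-----END CERTIFICATE-----' > "$WORK/cas/root-a.pem"
printf '%s\n%s\n%s'   '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-ROOT-B' '-----END CERTIFICATE-----' > "$WORK/cas/root-b.pem"
COUNT=$(build_ca_bundle "$WORK/cas" "$WORK/cacert.pem")
echo "bundle holds $COUNT CA certificate(s)"
secret_commands "$WORK/server.key" "$WORK/server.crt" "$WORK/cacert.pem"
```

Run the printed commands once against the istio-system namespace; the bundle file is what goes into the cacert key of the second Secret.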