Mutual TLS with ServiceCallout and TargetServer

Hi Guys,

I have to ask, since it feels weird to me. On Target Servers there is the option "Enable Two-way TLS (Client Authorization)". So from my point of view this should be enough to set up a mutual TLS connection to the destination.

But the following code within my TargetEndpoint isn't working:

    <HTTPTargetConnection>
        <Properties>
            <Property name="request.retain.headers">Host</Property>
            <Property name="request.retain.headers.enabled">true</Property>
        </Properties>
        <LoadBalancer>
            <Server name="my_server_v1"/>
        </LoadBalancer>
        <Path>/some_path</Path>
    </HTTPTargetConnection>

But when I provide the SSL info it's working:

    <HTTPTargetConnection>
        <Properties>
            <Property name="request.retain.headers">Host</Property>
            <Property name="request.retain.headers.enabled">true</Property>
        </Properties>
        <SSLInfo>
            <Enabled>true</Enabled>
            <ClientAuthEnabled>true</ClientAuthEnabled>
            <KeyStore>ref://on-prem.myrz</KeyStore>
            <KeyAlias>myapi-apigee-edge.myrz</KeyAlias>
        </SSLInfo>
        <LoadBalancer>
            <Server name="my_server_v1"/>
        </LoadBalancer>
        <Path>/some_path</Path>
    </HTTPTargetConnection>

Shouldn't that be handled transparently, since I've already enabled mutual TLS at the TargetServer "my_server_v1" level? It feels duplicated to me, and therefore I think I did something wrong.

Help appreciated, guys ... the goal is that I just set mutual TLS at the TargetServer level with my scripts, which helps me to parametrise some shared flows so that I can reuse them.


Not applicable

Can you share the target server configuration that you are using?

Here is the TargetServer configuration, and what I do there is set up Two-way TLS (mutual TLS). So I thought we don't need this within the SSLInfo, which feels duplicated ... is there a way to say "use the settings of the TargetServer"?

[screenshot: TargetServer configuration with "Enable Two-way TLS (Client Authorization)" turned on]

Not applicable

You have enabled Two-way TLS and didn't configure the truststore. It is a required one. Maybe that is why you are facing the issue.

But neither do I, at:

    <SSLInfo>
        <Enabled>true</Enabled>
        <ClientAuthEnabled>true</ClientAuthEnabled>
        <KeyStore>ref://on-prem.myrz</KeyStore>
        <KeyAlias>myapi-apigee-edge.myrz</KeyAlias>
    </SSLInfo>

So there is also no trust store configured.

Not applicable

Yes, I understand that you are not configuring it in the proxy, but if a default one is there, maybe that is what is being used.

But according to the concept, in mTLS a truststore is required.

I would suggest trying it with a truststore.

I still doubt it's mutual TLS. Can you try a curl request from the message processor to the backend and see what you get?

The concept of mutual TLS requires a trust store only if the certificate is not signed by an official CA. In this case it's signed by an official CA, so there is no need for it.

Thanks for the tip with curl => I'm going to test that.
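The replies above disagree about whether a trust store is needed for mutual TLS, and the original question is which side of the connection each `<SSLInfo>` element actually affects. The following is an added example, not code from the thread or from Apigee: it stands up a local TLS backend that requires a client certificate and runs three client attempts that correspond to the settings discussed (KeyStore/KeyAlias = the client certificate and key that are presented; TrustStore = the CAs used to validate the backend's certificate; ClientAuthEnabled = the backend insists on a client certificate). It assumes the `openssl` command line tool is installed; the private CA, the backend certificate for `localhost` and the client certificate with CN `apigee-mp` are all constructed in a temporary directory for the demo. It does not settle how Apigee merges TargetServer and TargetEndpoint settings, only what each piece does on the wire.

```python
"""Added example: a mutual-TLS backend plus three client attempts.
Constructed test PKI (hypothetical names); requires the openssl CLI."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def _openssl(*args):
    subprocess.run(["openssl", *args], check=True, capture_output=True)


def make_pki(workdir):
    """Create a private CA, a backend cert for 'localhost' and a client cert."""
    def p(name):
        return os.path.join(workdir, name)
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-subj", "/CN=Demo Private CA", "-keyout", p("ca.key"), "-out", p("ca.crt"))
    for name, subj in (("backend", "/CN=localhost"), ("client", "/CN=apigee-mp")):
        _openssl("req", "-newkey", "rsa:2048", "-nodes", "-subj", subj,
                 "-keyout", p(name + ".key"), "-out", p(name + ".csr"))
    # Modern TLS stacks match the host name against subjectAltName, not CN.
    with open(p("san.cnf"), "w") as f:
        f.write("subjectAltName=DNS:localhost\n")
    _openssl("x509", "-req", "-days", "1", "-in", p("backend.csr"), "-CA", p("ca.crt"),
             "-CAkey", p("ca.key"), "-CAcreateserial", "-extfile", p("san.cnf"),
             "-out", p("backend.crt"))
    _openssl("x509", "-req", "-days", "1", "-in", p("client.csr"), "-CA", p("ca.crt"),
             "-CAkey", p("ca.key"), "-CAcreateserial", "-out", p("client.crt"))
    return {k: p(k) for k in ("ca.crt", "backend.crt", "backend.key", "client.crt", "client.key")}


def serve_one(pki, result):
    """Backend with client auth enabled: the handshake only completes if the peer
    presents a certificate that chains to ca.crt (the backend's own trust store).
    Accepts exactly one connection; outcome is written into `result`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(pki["backend.crt"], pki["backend.key"])
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(pki["ca.crt"])
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def run():
        conn, _ = listener.accept()
        listener.close()
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                result["client_cn"] = subject.get("commonName")
                tls.recv(1024)
                tls.sendall(b"HTTP/1.0 200 OK\r\n\r\nhello from backend\n")
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            result["error"] = str(exc)

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return port, thread


def attempt(port, trust_store=None, key_store=None):
    """One client connection. trust_store=None means the system default CAs,
    i.e. what you get when no TrustStore is configured. Returns (ok, detail)."""
    ctx = ssl.create_default_context(cafile=trust_store)
    if key_store:
        ctx.load_cert_chain(*key_store)  # the KeyStore/KeyAlias identity we present
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname="localhost") as tls:
                tls.sendall(b"GET / HTTP/1.0\r\n\r\n")
                body = tls.recv(1024)
        return (bool(body), body.decode() if body else "connection closed by backend")
    except OSError as exc:
        return (False, str(exc))


def run_demo():
    """Run the three scenarios and return what each side observed."""
    with tempfile.TemporaryDirectory() as workdir:
        pki = make_pki(workdir)
        ca, client = pki["ca.crt"], (pki["client.crt"], pki["client.key"])
        scenarios = {
            # KeyStore + TrustStore: we present a cert and trust the backend's CA.
            "keystore+truststore": dict(trust_store=ca, key_store=client),
            # ClientAuthEnabled on the backend but no KeyStore on our side.
            "no keystore": dict(trust_store=ca, key_store=None),
            # KeyStore only: fine against a public-CA backend, but this backend
            # uses a private CA that the default trust store does not contain.
            "keystore only, private CA backend": dict(trust_store=None, key_store=client),
        }
        results = {}
        for name, kwargs in scenarios.items():
            backend_saw = {}
            port, thread = serve_one(pki, backend_saw)
            ok, detail = attempt(port, **kwargs)
            thread.join(5)
            results[name] = {"ok": ok, "client_saw": detail, "backend_saw": backend_saw}
        return results


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(f"{name}: ok={r['ok']} client={r['client_saw']!r} backend={r['backend_saw']}")
```

Read the output next to the thread: the "no keystore" case is what the backend sees when client auth is on but no certificate is configured, and the third case is the trust-store question from the last replies: the client-side TrustStore only matters for validating the backend's certificate, so it is needed for a private CA and covered by the default trust for a publicly signed backend, while the backend's acceptance of our client certificate depends on the backend's trust store, not ours.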