Unable to access TLS flow variable in Edge

Hi,

I want to get the client certificate serial number in a JavaScript policy. For client.cn the value is retrieved, but I always get null for tls.client.cert.serial.

Please let us know what is missing?

I have configured the code below in the proxy endpoint default XML.

<HTTPProxyConnection>
    <BasePath>/v1/path</BasePath>
    <Properties/>
    <VirtualHost>TLSVHOST</VirtualHost>
    <PropagateTLSInformation>
        <ConnectionProperties>true</ConnectionProperties>
        <ClientProperties>true</ClientProperties>
    </PropagateTLSInformation>
</HTTPProxyConnection>

Code in the JavaScript policy:

var sn = context.getVariable("tls.client.cert.serial");
var cn = context.getVariable("client.cn");

Trace output: (screenshot attached to the original post, not reproduced here)


Not applicable

Hi Priyadarshi,

Thanks for quick response.

The reference link provided looks old; the latest variables are in the link below, which is provided in the same post.

https://docs.apigee.com/api-platform/system-administration/tls-vars

I also tried these variables and get the same null.

I am using 4.19.06 and I am getting

Hi Priyadarshi,

We are using a public cloud account with version "21.03.10". Does that mean public cloud doesn't support these flow variables?

Public cloud has the properties, but minor changes in the reference names are expected.

Not applicable

I got the issue.

You have added the configuration to the proxy endpoint code. It should be added to your virtual host configuration instead.

Ref: https://docs.apigee.com/api-platform/system-administration/tls-vars

Yes! I have configured it on the virtual host now and it's working. 🙂

I have another issue now.

"oCSPStapling" = on

I would like to know how this works. I am testing with a revoked certificate and still getting a 200 OK response.

How do I check the response of oCSPStapling?

Not applicable

Stapling helps, but it is not very effective in the on-prem case, where the router cannot connect to the CA to check the revocation status.

In that case we do one more round of verification. We have implemented a KVM in which the key is the certificate serial number and the value is "approved" or "revoked". If any certificate is revoked, we change the respective KVM value to "revoked". Next, a RaiseFault policy is attached which throws the revoked-certificate error if the value is "revoked".

That helps us enable and verify mutual TLS effectively.