Using two-way SSL with Edge as the client - seems not to be sending the correct key

Playing around with two-way SSL in a lab private cloud installation. I created a simple Node server application that requires two-way SSL.

    const fs = require('fs');
    const path = require('path');

    const options = {
      // the server's own private key and certificate
      key: fs.readFileSync(path.join(__dirname, 'example2', 'server-key.pem')),
      // CA used to validate the client certificate
      ca: fs.readFileSync(path.join(__dirname, 'example2', 'ca-crt.pem')),
      cert: fs.readFileSync(path.join(__dirname, 'example2', 'server-crt.pem')),
      // ask for a client certificate and fail the handshake if it does not validate
      requestCert: true,
      rejectUnauthorized: true
    };

I have some console code that prints out the subject CN of the client cert that is sent.

console.log(new Date()+' '+ req.connection.remoteAddress+' '+ req.socket.getPeerCertificate().subject.CN+' '+ req.method+' '+req.url);

I configured my keystore and truststore in Edge. I've uploaded two client keys, with CNs client1 and client2. I created one proxy in Edge and would modify which client key to use. At one point I was seeing the expected behavior in my Node server logs, with the correct CN (client1 or client2) depending on my proxy code. I have since made some changes to the names of my keystore and truststore. Now, from the Node server console log, only client2 seems to be used. I've restarted the message-processor and management-server but am not seeing the correct CN in my server logs. It is always sending the client2 key.

Has anyone seen this behavior? Wondering if some caching is occurring and I need to restart any other Apigee services?

Thanks.


Mutual TLS will be terminated at the Router in Apigee, so this information will not be available in NodeJS.

You should check out the docs here: https://docs.apigee.com/api-services/content/creating-virtual-host which will show you how to create a VirtualHost that expects the client certificate.

Thanks for the comment. In my test case the target endpoint is enforcing two-way SSL, so my proxy in Apigee is a client. I think what you are referring to is the case where I configure Edge as the server enforcing two-way SSL. I understand what you are saying in that case. The API proxy code I'm using is:

Target Connection code:

    <HTTPTargetConnection>
      <SSLInfo>
        <Enabled>true</Enabled>
        <ClientAuthEnabled>true</ClientAuthEnabled>
        <KeyStore>ref://twowaysslclientkeysref</KeyStore>
        <KeyAlias>client1keyforstevebservice</KeyAlias>
        <TrustStore>ref://nonstandardtruststoreref</TrustStore>
      </SSLInfo>
      <URL>https://libp45p-16591wl.mis.lmig.com:8443</URL>
    </HTTPTargetConnection>

My keystore has 2 client keys in it; the CNs for the 2 keys are client1 and client2. The target endpoint https://libp45p-16591wl.mis.lmig.com:8443 is enforcing two-way SSL; it also has some code in it to print out the CN of the client key that is sent. What I'm noticing is that only the client2 key is being sent. I'll change my proxy code to use a KeyAlias of client1key... or client2key..., but it seems only the client2 key is being sent. I'll try adding a 3rd key to the keystore with a totally different CN value and see if I can get that one sent.

I did some further testing. If I put each key in a separate keystore, one cert/key pair per keystore, I get the expected results, where the server code is getting the different keys. It seems it may be a bug, so I opened a support ticket.

Apologies! I understand. It seems like a product limitation; I hope support can provide some insight.

Many thanks