Accessing Apigee Truststore and Keystore in the API Proxy


Hi

I need to implement and develop some token encryption and validation inside my API Proxy. I can upload my private key and public key into Apigee keystore/trust store. However there is no policy (except the SAML Assertion Policy) to allow me to access the apigee Keystore/Truststore.

Is there any alternative solution around this? or can I upload my API Proxy bundle with the JKS and not use APIGEE JKS?

Thanks,

Reza


Hi @reza.motevallizadeh, I was wondering if this Community question, "Is it possible to access SSL key store and trust store from Java?", might help with your question?

You can embed your own JKS in a jar file in the API Proxy bundle and use a Java callout to refer to it.

@Remeesh

Have you tried this? And is this a safe method for handling production keys? Does it slow down my API proxy, since it has to read from the JKS file each time it wants to perform signing or encryption?

Thanks,

Reza

Personally I haven't tried this option, but someone from our development team has successfully embedded a JKS in the jar file and done the message signing in Java using the embedded certificates. He called the jar through the Java callout policy. If I get hold of the details, I will update you. One more thing: you have to keep a reminder somewhere to change the cert on expiry.
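To make the approach in the two replies above concrete, here is an added Java callout sketch (not code from this thread or from Apigee) that loads a JKS packaged inside the callout jar, caches the key so the keystore is not re-read on every request, and fails closed once the embedded certificate has expired. The resource name `/signing.jks`, the property names and the flow variable names are assumptions; it compiles against the Apigee `expressions` and `message-flow` jars.

```java
import com.apigee.flow.execution.Execution;
import com.apigee.flow.execution.ExecutionContext;
import com.apigee.flow.execution.ExecutionResult;
import com.apigee.flow.message.MessageContext;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Map;

// Java callout that signs the request body with a private key read from a JKS packaged
// inside the callout jar. Resource name, property names and variable names are assumptions.
public class JksSignCallout implements Execution {
    private static final String JKS_RESOURCE = "/signing.jks";
    private final String alias;            // <Property name="alias">
    private final String passwordVariable; // <Property name="password-variable">
    private PrivateKey cachedKey;          // loaded once, reused by later requests
    private X509Certificate cachedCert;

    public JksSignCallout(Map<String, String> properties) {
        this.alias = properties.get("alias");
        this.passwordVariable = properties.get("password-variable");
    }
    // The keystore password is read from a flow variable (for example a "private." KVM
    // entry populated by a KeyValueMapOperations policy) so it does not ship in the bundle.
    private synchronized void loadKey(MessageContext ctx) throws Exception {
        if (cachedKey != null) return;
        char[] password = ((String) ctx.getVariable(passwordVariable)).toCharArray();
        try (InputStream in = getClass().getResourceAsStream(JKS_RESOURCE)) {
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(in, password);
            cachedKey = (PrivateKey) ks.getKey(alias, password);
            cachedCert = (X509Certificate) ks.getCertificate(alias);
        }
    }
    public ExecutionResult execute(MessageContext ctx, ExecutionContext execCtx) {
        try {
            loadKey(ctx);
            cachedCert.checkValidity(); // fail closed once the embedded certificate has expired
            Signature sig = Signature.getInstance("SHA256withRSA");
            sig.initSign(cachedKey);
            sig.update(ctx.getMessage().getContent().getBytes("UTF-8"));
            ctx.setVariable("payload.signature", Base64.getEncoder().encodeToString(sig.sign()));
            return ExecutionResult.SUCCESS;
        } catch (Exception e) {
            ctx.setVariable("payload.signature.error", String.valueOf(e));
            return ExecutionResult.ABORT;
        }
    }
}
```

Anyone who can download the proxy bundle can extract the JKS, so the keystore password and the bundle itself need the same access controls as the key.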

@Remeesh looks like this is my option too. I am going to give it a go.

Thanks.

Reza


@mschreuder Thanks for your reply.

I have uploaded my private/public keys in Apigee Edge (http://apigee.com/docs/api-services/content/keystores-and-truststores). After that there is no policy or script which allows me to access them.

As an example when you look at http://apigee.com/docs/api-services/reference/saml-assertion-policy, you can see, there is a way to reference your keystore and key alias.

<GenerateSAMLAssertion name="SAML" ignoreContentType="false">
    <KeyStore>
        <Name ref="reference">keystorename</Name>
        <Alias ref="reference">alias</Alias>
    </KeyStore>
</GenerateSAMLAssertion>

However, I couldn't find any solution for non-SAML stuff.

Thanks,

Reza

Here is a link that talks about how to retrieve keystore content using the Management API: https://community.apigee.com/questions/11373/is-there-a-way-to-read-load-public-key-string-or-p.html....

But this is available only in the latest Edge version. You will still need to use a Java callout to perform signing.

Hi @Abhishek

I have read this topic. Looks like this is an option to get the public key out. But I need my private key to sign + encrypt my message.

Thanks

Reza

Is there still no other option than calling the Management API?

I was wondering, since the documentation says that it is possible to use ECDSA as the signing algorithm:

https://cloud.google.com/apigee/docs/api-platform/reference/policies/jwt-policies-overview#ecdsa-alg...

But it shows no option to use the keystores as the key.