Encryption-Decryption in APIGEE

When we get an encrypted request to our APIGEE API Proxy, and we want the APIGEE proxy to decrypt it before letting it reach the backend, should we use SSL so that encryption-decryption happens through keys in certificates for such a requirement?

Or do we have to randomly create keys, as we get in AESEncryptionDecryption Java programs, and use a JavaCallout in an APIGEE policy? Or is there any other better design solution?


SSL is the best low maintenance method of transport layer security you can use.

You can expose only HTTPS endpoint from your proxy to the users. This will ensure your client to proxy traffic is encrypted. The Target endpoint can be plain HTTP.

The following is a good starting point for this.

http://apigee.com/docs/api-services/content/ssl

Thanks for your response @sriki77. I will go through the link you have shared.

So, if the requirement is that communication between the client and the APIGEE API Proxy is encrypted data and between APIGEE and the backend is cleartext,

we can have one-way SSL where the client sends encrypted data using Edge's public key and decrypts the data received in the response using Edge's public key. Hope my understanding is correct. I hope mutual authentication is not required in this case. Please correct me if wrong.

On the other hand, for what kind of requirement should we go for a JavaCallout, as mentioned in https://community.apigee.com/questions/6179/encryption-decryption-policies.html?

@Subbu ... The JavaCallout option is useful if the payload is fully or partially encrypted.

If you are transporting over HTTPS, the request will terminate at Apigee, and inside Apigee it will be cleartext before it is again transmitted over HTTPS on its way to the backend.

But the actual payload can be encrypted as well. You can have only a few critical fields encrypted, or the whole payload can be encrypted by the application before transmission. And if Apigee needs to intercept and manipulate those payloads, then you can achieve that using a Java callout. Hope that makes sense.

If the requirement is only encrypting the payload, SSL alone will do. Mutual SSL or 2-way SSL is an authentication mechanism. You will need that only if both the client and the server need to authenticate each other.

One thing confuses me though. You mentioned that communication between Apigee and the backend is cleartext. Why is that? I would ideally imagine that communication over SSL as well, since the communication between the client and Apigee is over SSL. Check the first diagram on this page: http://apigee.com/docs/api-services/content/using-ssl-edge
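As an added illustration of the Java callout approach described above (example code written for this page, not from the original thread or from Apigee's own samples), this callout decrypts a whole-payload AES-GCM ciphertext inside the proxy so that later policies and the target see cleartext. It assumes an earlier KeyValueMapOperations policy has placed the base64 AES key in the private.aes.key flow variable and that the client sends base64(nonce || ciphertext || tag) as the request body; the package, variable and class names are hypothetical.

```java
package com.example.callout; // hypothetical package name

import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import com.apigee.flow.execution.Execution;
import com.apigee.flow.execution.ExecutionContext;
import com.apigee.flow.execution.ExecutionResult;
import com.apigee.flow.message.MessageContext;

public class AesGcmDecryptCallout implements Execution {
    private static final int NONCE_LEN = 12;  // 96-bit GCM nonce
    private static final int TAG_BITS = 128;  // authentication tag length

    public AesGcmDecryptCallout(Map<String, String> properties) { }

    public ExecutionResult execute(MessageContext msgCtx, ExecutionContext execCtx) {
        try {
            // Assumption: a KeyValueMapOperations policy earlier in the flow stored the
            // base64 AES key in private.aes.key (an encrypted KVM, never a hard-coded key)
            String keyB64 = (String) msgCtx.getVariable("private.aes.key");
            byte[] key = Base64.getDecoder().decode(keyB64);

            // Assumption: request body is base64( nonce || ciphertext || tag )
            byte[] blob = Base64.getDecoder().decode(msgCtx.getMessage().getContent().trim());
            if (blob.length < NONCE_LEN + TAG_BITS / 8) {
                throw new IllegalArgumentException("ciphertext too short");
            }
            byte[] nonce = Arrays.copyOfRange(blob, 0, NONCE_LEN);
            byte[] ct = Arrays.copyOfRange(blob, NONCE_LEN, blob.length);

            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
                        new GCMParameterSpec(TAG_BITS, nonce));
            byte[] plain = cipher.doFinal(ct); // AEADBadTagException if tampered

            // Replace the body so later policies and the target see cleartext
            msgCtx.getMessage().setContent(new String(plain, StandardCharsets.UTF_8));
            msgCtx.setVariable("decrypt.status", "ok");
            return ExecutionResult.SUCCESS;
        } catch (Exception e) {
            // Record only the failure class; never expose key or plaintext details
            msgCtx.setVariable("decrypt.status", "failed");
            msgCtx.setVariable("decrypt.error", e.getClass().getSimpleName());
            return ExecutionResult.ABORT;
        }
    }
}
```

A RaiseFault policy conditioned on decrypt.status = "failed" should return a generic error to the client, and the same callout pattern can be applied to a single JSON field for the partially-encrypted case the reply mentions.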

@sarthak

Thanks for your explanation. I understood clearly.

Regarding the first picture in the link you shared, it looks like pt. 4 is used only by Edge cloud customers.

I think it's only between untrusted applications.

But for us, both APIGEE (on-premise) and the backend are in a trusted network, hence SSL is not required.

OK, makes sense.