Specifying SSLInfo KeyAlias per Environment

If you have an HTTPTargetConnection and need to specify the SSLInfo as shown in the example below, how can you specify the KeyAlias value per environment? In the example below it is set to "devKey", but in production we need to use the "prodKey" KeyAlias. Can this be set with an environment variable of some sort?

    <HTTPTargetConnection>
        <URL>https://www.sample.com</URL>
        <SSLInfo>
            <Enabled>true</Enabled>
            <ClientAuthEnabled>true</ClientAuthEnabled>
            <KeyAlias>devKey</KeyAlias>
            <KeyStore>clientAuthKeystore</KeyStore>
        </SSLInfo>
    </HTTPTargetConnection>

ACCEPTED SOLUTION

@Anthony Coelho It's always a good practice to decouple concrete endpoint URLs (with SSL Info) from TargetEndpoint configurations. You can use TargetServer configurations to create environment-independent TargetEndpoint configurations. Instead of defining a concrete URL in the configuration, you can configure one or more named TargetServers. SSLInfo along with KeyAlias also goes inside the TargetServer config. You can read about other benefits of TargetServers here - http://docs.apigee.com/api-services/content/load-balancing-across-backend-servers

Also, to make API proxy configurations environment-independent, you can use conditional statements. A conditional statement built with the environment.name variable can be used to evaluate the current environment before enforcing a policy or before routing to a URL on the backend. I suggest you read this doc page - http://docs.apigee.com/api-services/content/api-development-lifecycle for best practices and guidelines around API development lifecycle with Apigee Edge.


Be aware that when you use target servers (which I fully endorse and use on all of our proxies) you will run into some issues with request flow logging: target in request flows will not be populated as you would expect, causing you to need to further customize any logging you are doing.

Thanks @sudheendra1. We are using TargetServers for our proxies and I was trying to get this to work with a ServiceCallout. I ended up using the configuration below, which works perfectly.

    <HTTPTargetConnection>
        <LoadBalancer>
            <Server name="TargetServerName"/>
        </LoadBalancer>
        <Path>/path</Path>
    </HTTPTargetConnection>

@sudheendra1, you mentioned in the above answer "SSLInfo along with KeyAlias also goes inside the TargetServer config". Does it mean that SSLInfo can also be configured under Environment Configuration --> Target Server instead of being hard-coded directly under Target Endpoints --> default? If so, how to do that?
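
Added example (not part of the original thread, and not Apigee's own sample): the kind of TargetServer definition the accepted solution refers to, created once per environment under the same name so the proxy's `<Server name="TargetServerName"/>` reference stays unchanged. Host, keystore and alias names are reused from the question; port 443 and the environment names dev and prod are assumptions.

```xml
<!-- Definition created in the dev environment (constructed example) -->
<TargetServer name="TargetServerName">
    <Host>www.sample.com</Host>
    <Port>443</Port>
    <IsEnabled>true</IsEnabled>
    <SSLInfo>
        <Enabled>true</Enabled>
        <ClientAuthEnabled>true</ClientAuthEnabled>
        <KeyStore>clientAuthKeystore</KeyStore>
        <KeyAlias>devKey</KeyAlias>
    </SSLInfo>
</TargetServer>

<!-- Definition created in the prod environment: same name, different client key -->
<TargetServer name="TargetServerName">
    <Host>www.sample.com</Host>
    <Port>443</Port>
    <IsEnabled>true</IsEnabled>
    <SSLInfo>
        <Enabled>true</Enabled>
        <ClientAuthEnabled>true</ClientAuthEnabled>
        <KeyStore>clientAuthKeystore</KeyStore>
        <KeyAlias>prodKey</KeyAlias>
    </SSLInfo>
</TargetServer>
```

Because the alias lives in the environment's TargetServer rather than in the proxy bundle, promoting the same bundle from dev to prod cannot carry the dev client key along with it.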

adas
New Member

@Anthony Coelho We introduced a feature in the last cloud release whereby you could have variable references for keystore, keyalias etc. Please use that feature if you want to have these names dynamically set. The documentation is available here:

http://docs.apigee.com/release-notes/content/160120-apigee-edge-public-cloud-release-notes.

Here's an example. You can create a target endpoint definition like this:

    <HTTPTargetConnection>
        <URL>https://api.mytarget.com</URL>
        <SSLInfo>
            <Enabled>{myvars.ssl.enabled}</Enabled>
            <ClientAuthEnabled>{myvars.ssl.client.auth.enabled}</ClientAuthEnabled>
            <KeyStore>{myvars.ssl.keystore}</KeyStore>
            <KeyAlias>{myvars.ssl.keyAlias}</KeyAlias>
            <TrustStore>{myvars.ssl.trustStore}</TrustStore>
        </SSLInfo>
    </HTTPTargetConnection>

Now you can have these variables defined in an assignMessage policy like this:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <AssignMessage async="false" continueOnError="false" enabled="true" name="SetTargetVariables">
        ...

        <AssignVariable>
            <Name>target.url</Name>
            <Value>https://api.dev.com</Value>
        </AssignVariable>

        <AssignVariable>
            <Name>myvars.ssl.enabled</Name>
            <Value>true</Value>
        </AssignVariable>

        <AssignVariable>
            <Name>myvars.ssl.client.auth.enabled</Name>
            <Value>true</Value>
        </AssignVariable>

        <AssignVariable>
            <Name>myvars.ssl.keystore</Name>
            <Value>keystoredev</Value>
        </AssignVariable>

        <AssignVariable>
            <Name>myvars.ssl.keyAlias</Name>
            <Value>aliasdev</Value>
        </AssignVariable>

        <AssignVariable>
            <Name>myvars.ssl.trustStore</Name>
            <Value>truststoredev</Value>
        </AssignVariable>

        <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
        <AssignTo createNew="false" transport="http" type="request"/>
    </AssignMessage>

What you could also do is to have a condition which evaluates the environment your call is running in and based on that populate the correct variables. The environment name is populated in the flow variable "environment.name".

I hope this works. Please try it out and accept this answer if it helps resolve your query.
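
Added example (not part of the original post): a request PreFlow that applies the condition described above, choosing which AssignMessage policy sets the SSL variables by testing environment.name. The environment names dev and prod and the policy names SetTargetVariables-Prod and RF-UnknownEnvironment are hypothetical; SetTargetVariables is the policy shown above.

```xml
<PreFlow name="PreFlow">
    <Request>
        <!-- The AssignMessage policy from the post, carrying the dev keystore, alias and truststore names -->
        <Step>
            <Name>SetTargetVariables</Name>
            <Condition>environment.name = "dev"</Condition>
        </Step>
        <!-- Hypothetical copy of that policy carrying the prod keystore, alias and truststore names -->
        <Step>
            <Name>SetTargetVariables-Prod</Name>
            <Condition>environment.name = "prod"</Condition>
        </Step>
        <!-- Hypothetical RaiseFault policy: reject the request in any other environment,
             so the target call is never attempted with the myvars.ssl.* variables unset -->
        <Step>
            <Name>RF-UnknownEnvironment</Name>
            <Condition>(environment.name != "dev") and (environment.name != "prod")</Condition>
        </Step>
    </Request>
    <Response/>
</PreFlow>
```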