Does Microgateway support 2-way SSL (both northbound and southbound)? If yes, how can we configure it?


sarthak
Participant V

No, I don't think so. But given it is Node, you might be able to build it out. You may be able to do it by putting nginx in front of microgateway too, as documented here: https://community.apigee.com/content/kbentry/20475/managing-apis-with-apigee-edge-microgateway-and-n...

Former Community Member
Not applicable

I don't think adding nginx will help with two-way SSL. If someone knows the IP/PORT of the microgateway, they can hit it directly. We'll need to set up two-way SSL on microgateway directly.

As @sarthak pointed out, northbound two-way SSL is not available out-of-the-box. But if you look in {install_folder}/gateway/lib/gateway.js, you can add

    ca: [fs.readFileSync('ssl/ca.crt')],
    requestCert: true,
    rejectUnauthorized: true,

to the options to enable two-way SSL.

For regular Edge deployment we put a load balancer in front of the Router. If someone knows the IP/PORT of the router then they can hit that directly too. So exactly the same logic applies here.

@sarthak, I think you are absolutely correct.

kianting-1
Participant II

Does edgemicro gateway support 2-way SSL now? @Dino-at-Google @srinandans

Former Community Member
Not applicable

Yes. mTLS is supported (north and southbound).

Please start a new thread. This thread is out of date.

kianting-1
Participant II

Yes, mTLS is supported; I just found the answer in a few documentation links. It has 3 configuration spaces for 3 types of connection. They are as elaborated below:

Type 1 - (between caller and edgemicro) if it is two-way TLS between the caller and edgemicro, then this is the config (documentation link):

    edge_config:
      bootstrap: >-
        https://domain/edgemicro/bootstrap/organization/org/environment/env
      jwt_public_key: 'https://domain/edgemicro-auth/publicKey'
      managementUri: 'https://api.enterprise.apigee.com'
      tlsOptions:
        agentOptions:
          requestCert: true
          cert: 'path/to/cert'
          key: 'path/to/key'

Type 2 - (between Apigee Edge and edgemicro) this is two-way TLS between the control plane of edgemicro and the gateway (documentation link):

    edgemicro:
      port: 8000
      max_connections: 1000
      max_connections_hard: 5000
      logging:
        level: error
        dir: /var/tmp
        stats_log_interval: 60
        rotate_interval: 24
      plugins:
        sequence:
          - oauth
      ssl:
        key: /MyHome/SSL/em-ssl-keys/server.key
        cert: /MyHome/SSL/em-ssl-keys/server.crt
        passphrase: admin123 # option added in v2.2.2
        rejectUnauthorized: true # option added in v2.2.2

Type 3 - (between edgemicro and target services in the client's internal network) this is two-way TLS between the edgemicro that is set up in the internal network and any target endpoint sitting on the internal network:

    targets:
      - host: 'myserver.example.com'
        ssl:
          client:
            key: /Users/myname/twowayssl/ssl/client.key
            cert: /Users/myname/twowayssl/ssl/ca.crt
            passphrase: admin123
            rejectUnauthorized: true

When I say "client" I mean your internal network.

For all three types of connection, to enable two-way TLS you just need to set "requestCert" to true. If you want to trust self-signed certs then you need to update the "ca" property:

ca: path to a file containing a list of trusted certificates in PEM format.
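As an added illustration (my own example, not code from this thread or from Apigee), here is a small lint over the three configuration sections above. It assumes the config has already been parsed from YAML into a plain object (for example with js-yaml, which is not bundled here), treats `requestCert` as a setting of the northbound listener and checks `rejectUnauthorized`, `ca`, `key` and `cert` on all three sides; the sample config is constructed to show one weak listener, one missing agent section and one hardened target.

```javascript
'use strict';

// Check one TLS options object. `role` is 'server' for the northbound
// listener (edgemicro.ssl), where requestCert matters, or 'client' for the
// two outbound sides (control-plane agent and targets).
function checkTlsOptions(where, opts, role) {
  const findings = [];
  if (!opts) {
    findings.push(`${where}: no TLS options, two-way TLS not configured`);
    return findings;
  }
  if (role === 'server' && opts.requestCert !== true) {
    findings.push(`${where}: requestCert is not true, client certificate is never requested`);
  }
  if (opts.rejectUnauthorized !== true) {
    findings.push(`${where}: rejectUnauthorized is not true, unverified peer certificates are accepted`);
  }
  if (!opts.ca) {
    findings.push(`${where}: no ca set, only the default CA bundle is trusted (self-signed peers will fail)`);
  }
  if (!opts.key || !opts.cert) {
    findings.push(`${where}: key or cert missing, this side cannot present its own certificate`);
  }
  return findings;
}

// Walk the three sections named in the thread and collect all findings.
function lintMicrogatewayConfig(config) {
  const em = config.edgemicro || {};
  const ec = config.edge_config || {};
  const agent = ec.tlsOptions && ec.tlsOptions.agentOptions;
  let findings = checkTlsOptions('edgemicro.ssl', em.ssl, 'server');
  findings = findings.concat(checkTlsOptions('edge_config.tlsOptions.agentOptions', agent, 'client'));
  (config.targets || []).forEach((t, i) => {
    findings = findings.concat(checkTlsOptions(`targets[${i}] ${t.host}`, t.ssl && t.ssl.client, 'client'));
  });
  return findings;
}

// Constructed sample (not a real deployment): the listener requests a client
// cert but does not verify it, the control-plane agent has no TLS options at
// all, and the target connection is fully configured.
const sampleConfig = {
  edgemicro: { port: 8000, ssl: { key: 'server.key', cert: 'server.crt', requestCert: true, rejectUnauthorized: false } },
  edge_config: { bootstrap: 'https://domain/edgemicro/bootstrap/organization/org/environment/env' },
  targets: [{ host: 'myserver.example.com', ssl: { client: { key: 'client.key', cert: 'client.crt', ca: 'ca.crt', rejectUnauthorized: true } } }],
};

console.log(lintMicrogatewayConfig(sampleConfig).join('\n'));
```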