Question by Dino · Apr 20, 2016 at 07:53 PM · 475 Views · Tags: ssl, virtual host, tls, 2-way ssl

Can Apigee configure a secure vhost to request but not require a client-side certificate?

With a network device like F5 BigIP, it is possible to configure an endpoint to request, require or ignore a client cert. In the require state, the F5 rejects the TLS handshake when the client does not present a cert (and may reject even if the client does present a cert, if the CA is wrong, if the CN is not as required, if it is expired, etc.). In the ignore state, any client cert is ignored by the F5 device.

In the “request” option, F5 asks for a cert, and the client may or may not present one. The F5 can be configured to allow or not allow, depending on the contents of the cert.

The question is: can Apigee Edge be configured to request-but-not-require a client-side cert? I would like Apigee Edge to validate the cert against a specific CA, but not reject the connection if the cert is expired, if the cert has the "wrong" CN, or even if the cert is not present.

Is this possible?

I know that Apigee Edge uses nginx for the front-side router.

The nginx http ssl module has the ssl_verify_client parameter.

http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_verify_client

It supports: on | off | optional | optional_no_ca

Can the Apigee Edge public cloud be configured with any of these options?

Maybe @corinna fu has some information?

Comment by pbhogill · May 09, 2016 at 12:59 AM

@Joel D'sa

Comment by tundriyal (replying to pbhogill) · Aug 26, 2019 at 01:27 PM

Can Apigee Edge public cloud be configured with any of these options?

Comment by Dino-at-Google (replying to tundriyal) · Sep 30, 2020 at 06:19 PM

See my answer below.


4 Answers

Best Answer (2 votes)

Answer by Dino-at-Google · Aug 26, 2019 at 07:09 PM

Apigee Edge public cloud can be configured with OFF and ON, but not "optional" today.

Comment by Akshaya Mangaraj · Sep 30, 2020 at 05:49 AM

What is the virtual host parameter to configure that? Is it applicable when 2-way client auth is enabled and a cert is presented by the client?

Comment by Dino-at-Google (replying to Akshaya Mangaraj) · Sep 30, 2020 at 06:18 PM

In Apigee, the analogue to verify_client ON is ClientAuthEnabled. Check the documentation for the VirtualHost for details.

Answer by Priyadarshi Ajitav Jena · Sep 30, 2020 at 06:19 AM (Wiki, 0 votes)

You need a client certificate for mTLS, so one must be presented.

In the case of one-way SSL, you don't need to produce a client certificate. In the virtual host configuration, set ClientAuthEnabled to false.

    <SSLInfo>
        <Enabled>true</Enabled>
        <!-- true = two-way TLS (client cert required); false = one-way TLS -->
        <ClientAuthEnabled>true</ClientAuthEnabled>
        <KeyStore>ref://myKeystoreRef</KeyStore>
        <KeyAlias>myKeyAlias</KeyAlias>
        <IgnoreValidationErrors>false</IgnoreValidationErrors>
    </SSLInfo>

Answer by Akshaya Mangaraj · Sep 30, 2020 at 09:28 PM (0 votes)

Is this verified against CRL/OCSP too? I am wondering whether it verifies the revocation status of a previously active certificate, or whether it just checks the signature.

Comment by Dino-at-Google · Sep 30, 2020 at 10:36 PM

Yes. This stuff is covered in the documentation for VirtualHosts and TLS/SSL.

Comment by Akshaya Mangaraj (replying to Dino-at-Google) · Sep 30, 2020 at 11:34 PM

Let me clarify the question again. As I know, browsers and any other clients do that for the server certificate presented by Apigee to the client. Is the same done at the Apigee Edge server for the client certificate presented to the Apigee server which has client auth enabled?

Answer by Priyadarshi Ajitav Jena · Oct 01, 2020 at 04:46 AM (Wiki, 0 votes)

When client auth is enabled, it indicates mutual TLS or two-way SSL.

In that case, the validation happens on the client side as well as the server side. Apigee acts as the server side if the service is inbound. So you have to add the full certificate chain of the client to the Apigee truststore, including root and intermediate.

Apigee will validate the client certificate presented by the client app during the request, with the root and intermediate certificates present in its trust store.

Comment by Akshaya Mangaraj · Oct 01, 2020 at 05:31 AM

Does the Apigee server use CRL/OCSP to validate whether the client certificate has been revoked? Or is it just a check of the certificate chain?

Scenario here:

Day 1: A client certificate is created and the client starts using it with client auth enabled. Server and client are both good.

Day 2: The client certificate is revoked for some reason. How does the server know that the client certificate was revoked by the CA? Unless it is using CRL/OCSP, it is not possible.

Like client browsers do the verification with CRL/OCSP, does the Apigee server do the same for the client certificate? Do I need to do extra validation within the Apigee message processor to handle client certificate revocation?

Hope it clarifies my doubt.

Thanks in advance!

Comment by Priyadarshi Ajitav Jena (replying to Akshaya Mangaraj) · Oct 01, 2020 at 06:18 AM

That option you can add to verify with the CA, but you need to have an internet connection open to your router. In our on-prem setup we don't have internet exposure.

So we are not checking whether it is revoked or not.

We have added the serial numbers of the certificates to a KVM with status active or inactive.

If a certificate is revoked, the serial number in the KVM will be made inactive by the API team; Apigee checks that in the request and throws an error if it's inactive.
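
The following is an added example (not code from this thread, from Apigee, or from nginx) that models two things discussed above: the request/require/ignore modes from the original question, using the nginx ssl_verify_client names, and the KVM serial-number workaround in this comment. The map REVOCATION_KVM, the function names and the serial values are constructed for illustration; in a real proxy the serial would come from the TLS layer and the status from a KVM lookup.

```javascript
// Constructed sample standing in for the KVM the commenter describes:
// certificate serial number -> "active" | "inactive". Values are hypothetical.
const REVOCATION_KVM = {
  "04:A1:FF": "active",
  "1B2C3D": "inactive",
};

// Serials are printed differently by different tools ("04:a1:ff", "0x04a1ff",
// "4A1FF"). Compare a canonical form, or a revoked cert can slip past the check.
function normalizeSerial(serial) {
  if (typeof serial !== "string") return null;
  const s = serial.trim().toLowerCase().replace(/^0x/, "").replace(/[:\s]/g, "");
  if (!/^[0-9a-f]+$/.test(s)) return null;
  return s.replace(/^0+(?=.)/, "").toUpperCase();
}

// Normalize the KVM keys once so lookups use the same canonical form.
const statusBySerial = new Map(
  Object.entries(REVOCATION_KVM).map(([k, v]) => [normalizeSerial(k), v])
);

// mode: "off" | "on" | "optional" | "optional_no_ca" (nginx ssl_verify_client).
// cert: null when the client presented none, otherwise { serial, chainValid },
// where chainValid is the truststore verification result (root + intermediate).
function decideClientAuth(mode, cert) {
  if (mode === "off") return { allow: true, reason: "client certificate ignored" };
  if (cert === null) {
    return mode === "on"
      ? { allow: false, reason: "client certificate required but not presented" }
      : { allow: true, reason: "no client certificate; mode is " + mode };
  }
  if (!cert.chainValid) {
    // "optional_no_ca" completes the handshake even with an untrusted chain; the
    // serial of an unverified cert proves nothing, so the check still fails closed.
    return { allow: false, reason: "certificate chain not trusted" };
  }
  const serial = normalizeSerial(cert.serial);
  if (serial === null) return { allow: false, reason: "malformed serial number" };
  const status = statusBySerial.get(serial);
  if (status === undefined) return { allow: false, reason: "serial not registered" };
  if (status !== "active") return { allow: false, reason: "serial marked " + status };
  return { allow: true, reason: "chain trusted and serial active" };
}

// Day 2 of the scenario above: the cert is still signed by the trusted CA,
// but its serial has been flipped to inactive in the KVM, so it is rejected.
console.log(decideClientAuth("on", { serial: "0x1b2c3d", chainValid: true }));
```

Unknown serials are rejected as well, so a certificate issued by the trusted CA but never registered in the KVM does not pass by default.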
