Can Apigee configure a secure vhost to request but not require a client-side certificate?
With a network device like F5 BigIP, it is possible to configure an endpoint to request, require or ignore a client cert. In the require state, the F5 rejects the TLS handshake when the client does not present a cert (and may reject even if the client does present a cert, if the CA is wrong , or if the CN is not as required, if expired, etc). In the ignore state, any client cert is ignored by the F5 device.
In the “request” option, F5 asks for a cert, and the client may or may not present one. The F5 can be configured to allow or not allow, depending on the contents of the cert.
The question is, Can Apigee Edge be configured to request-but-not-require a client-side cert? I would like Apigee Edge to validate the cert against a specific CA, but not reject the connection if the cert is expired, if the cert has the "wrong" CN, or even if the cert is not present.
Is this possible?
I know that Apigee Edge uses nginx for the front-side router.
The nginx http ssl module has the ssl_verify_client parameter.
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_verify_client
It supports : on | off | optional | optional_no_ca
Can the Apigee Edge public cloud be configured with any of these options?
Maybe @corinna fu has some information?
Can Apigee Edge public cloud be configured with any of these options?
Best Answer
Answer by Dino-at-Google
·
Aug 26, 2019 at 07:09 PM
Apigee Edge public cloud can be configured with OFF and ON, but Not "optional" today.
What is the virtual host parameter to configure that? is it applicable for 2-way client auth enabled and cert presented by client?
In Apigee, the analogue to verify_client ON is ClientAuthEnabled. Check the documentation for the VirtualHost for details.
Wiki
You need a certificate of client for MTLS. So, that should be presented.
in the case of One way ssl, you don't need to produce a client certificate. In virtual host configuration make ClientAuthEnabled to false.
<ClientAuthEnabled>true</ClientAuthEnabled>
<SSLInfo>
<Enabled>true</Enabled>
<ClientAuthEnabled>true</ClientAuthEnabled>
<KeyStore>ref://myKeystoreRef</KeyStore>
<KeyAlias>myKeyAlias</KeyAlias>
<IgnoreValidationErrors>false</IgnoreValidationErrors>
</SSLInfo>
Is this verified against CRL/OCSP too? Wondering if it verifies the certificate revocation for a previously active certificate? Or it just check the signature ?
yes. This stuff is covered in the documentation for VirtualHosts and TLS/SSL.
Let me clarify the question again. As i know, Browser and any other client do that for the server certificate presented by APIGEE to the client. Is this done same at the APIGEE edge server for client certificate presented to apigee server which has client auth enabled.
Wiki
When client Auth enabled, it indicates the mutual tls or two-way ssl.
In that case, the validation happens at the client-side as well as the server-side. Apigee works as the server-side if the service is inbound. So, you have to add the full certificate chain of the client in Apigee truststore including root and intermediate.
Apigee will validate the client certificate presented by the client app during the request, with the root and intermediate certificates present in its trust store.
does Apigee server use CRL/OCSP to validate the client certificate if it is revoked? Or it is just a check to the certificate chain?
Scenario here:
Day 1 : A client certificate is created and client started using it with client auth enabled. Server and client are both good.
Day 2: Client certificate is revoked for some reason, How does the server know about the client certificate revoked frm CA? Unless it is using CRL / OCSP, It is not possible.
Like client browsers do the verification with CRL/OCSP, does APIGEE server do the same for client certificate? Do i need to do extra validation within apigee message processor to handle client certificate revocation?
Hope it clarifies my doubt.
Thanks in advance.!!
That option you can add to verify from the CA, but you need to have internet connection open to your router. In our onprem we don't have the internet exposure.
So, we are not checking revoked or not.
We have added the serial number of certificates to KVM with status active or inactive.
If a certificate is revoked to he serial number in kvm will be made inactive by the api team, Apigee checks that in the request and throws error if it's inactive.
