Has anyone validated client certificates in Edge? Client to Apigee Flow


Hi - I am looking to the community to see what the best/easiest way to validate client certificates (client to Apigee) is, if it's possible, and any experience notes anyone might have on this.

Note: I'm talking about doing this inside a proxy without having to write a custom callout (or maybe that's the way to do it?).

ACCEPTED SOLUTION

Hi @Benjamin Goldman,

I see, I was jumping ahead. This can be done in the VirtualHost (and the cURL above would come afterwards as a sanity check).

Cloud customers currently need to submit a Support ticket; OPDK customers can do this per the Ops guide. The VirtualHost would be configured something like the following. In this example, the keystore contains the server cert and private key, and the truststore contains the client certificate(s) (NO private key).

{
  "VirtualHost": {
    "-name": "twowayssl",
    "HostAliases": { "HostAlias": "api.example.com" },
    "Port": "8443",
    "SSLInfo": {
      "ClientAuthEnabled": "true",
      "Enabled": "true",
      "IgnoreValidationErrors": "false",
      "KeyAlias": "keyalias",
      "KeyStore": "keystore",
      "Protocols": { "Protocol": "TLSv1" },
      "TrustStore": "truststore"
    }
  }
}

Does this help?

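As an added illustration (this is not code from the original post, nor anything Apigee ships; Apigee Edge is not written in Go), the Go program below reproduces with the standard library what the VirtualHost above does: the server presents the keystore certificate, demands a client certificate (ClientAuthEnabled), and accepts it only if it chains to the truststore, which holds nothing but the clients' public certificates. A second client with the same CN but a key that is not in the truststore is refused, and a trusted certificate that no developer app has been mapped to is refused one step later by the in-proxy lookup, which is the "which cert was used by which consumer" step raised later in the thread. The certificate names, the loopback listener, the empty-reply convention for an unattributed caller and the consumers table are all constructed for the example. Note that it pins MinVersion to TLS 1.2 where the post's configuration lists TLSv1; that protocol line is the one setting not to carry into a new deployment.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// selfSigned mints a self-signed leaf certificate; placed in a truststore it is its own trust anchor.
func selfSigned(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)}, // lets the loopback server cert validate
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// consumers is a constructed lookup from client certificate (by subject CN here; a fingerprint
// would be stricter) to developer app: the in-proxy step that says which cert belongs to whom.
var consumers = map[string]string{"client-one": "acme-mobile-app"}
// serverConfig mirrors the VirtualHost SSLInfo: keystore = server cert and key, truststore = client certs only.
func serverConfig(serverCert *x509.Certificate, serverKey *ecdsa.PrivateKey, trust *x509.CertPool) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{serverCert.Raw}, PrivateKey: serverKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // ClientAuthEnabled=true, IgnoreValidationErrors=false
		ClientCAs:    trust,                           // TrustStore (public certificates, no private keys)
		MinVersion:   tls.VersionTLS12,                // do not carry the post's "TLSv1" into a new deployment
	}
}

// tryHandshake makes one mutual-TLS request over loopback, as the curl sanity check would, and
// returns the consumer the server attributed the call to, or the reason it was refused.
func tryHandshake(srv *tls.Config, serverCert, clientCert *x509.Certificate, clientKey *ecdsa.PrivateKey) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() { // the "proxy": one connection, and the attributed consumer name as the whole reply
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		tc := c.(*tls.Conn)
		if err := tc.Handshake(); err != nil { // cert not in the truststore: an alert goes back to the caller
			return
		}
		peer := tc.ConnectionState().PeerCertificates[0] // already verified against ClientCAs
		fmt.Fprint(tc, consumers[peer.Subject.CommonName]) // empty reply: trusted but unattributed
	}()
	roots := x509.NewCertPool()
	roots.AddCert(serverCert) // curl's --cacert; the Certificates field below is its --cert/--key
	cli := &tls.Config{RootCAs: roots, ServerName: "127.0.0.1", Certificates: []tls.Certificate{{Certificate: [][]byte{clientCert.Raw}, PrivateKey: clientKey}}}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err != nil {
		return "", err // a TLS 1.2 server rejects during the handshake, so the alert lands here
	}
	// Under TLS 1.3 the client's handshake finishes before the server has judged the client
	// certificate, so a rejection surfaces as an error on the first read instead.
	reply, err := io.ReadAll(conn)
	conn.Close()
	if err != nil {
		return "", err
	}
	if len(reply) == 0 {
		return "", fmt.Errorf("certificate %q is trusted but not attributed to any consumer", clientCert.Subject.CommonName)
	}
	return string(reply), nil
}

func main() {
	serverCert, serverKey := selfSigned("api.example.com")
	trusted, trustedKey := selfSigned("client-one")
	rogue, rogueKey := selfSigned("client-one") // same CN, different key, never added to the truststore
	trust := x509.NewCertPool()
	trust.AddCert(trusted)
	cfg := serverConfig(serverCert, serverKey, trust)
	fmt.Println(tryHandshake(cfg, serverCert, trusted, trustedKey))
	fmt.Println(tryHandshake(cfg, serverCert, rogue, rogueKey))
}
```

`go run` prints the attributed consumer for the trusted client and a "certificate signed by unknown authority" error for the rogue one, even though both certificates carry the same CN: membership in the truststore, not the name, is what establishes trust, and the name-to-consumer mapping is a separate policy decision made only after the TLS layer has accepted the certificate.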

9 REPLIES

Hi @Benjamin Goldman,

I would suggest using cURL for this (making sure you are using the latest version, compiled against the latest OpenSSL). For example:

curl -v --cert <path_to_cert> --key <path_to_key> "<URL>" 

Optionally, depending on the server-side certificate, you may also need to use the -k or "--cacert <path_to_ca>" arguments.

I hope this helps.

Right - that's great for doing it on the OS. But what about inside a proxy in Edge?

Edited question.

If we have a requirement to verify certificates for multiple clients (each with a different cert), how would the proxy setup be?

If we were to use curl, what would the command be?


So this would enable me to do 2-way SSL, which is an option. But what if I just wanted to, say, deploy a public key to a consumer app and decrypt and validate some string they passed in as a header or something with that key? I realize this isn't all that much different from an API key over SSL - but the difference would be that I would be doing it in the proxy itself (in policies) and would be able to do things like specify which cert was used by which consumer. (Do note that I don't really see a good solution to this, which is why I'm asking!)

Would custom attributes on a developer app, or even using the built-in "developer.app.name" or "apiproduct.name," help? More on that here:

http://docs.apigee.com/api-services/reference/verify-api-key-policy

If using public/private keypairs is a must, it's likely this would need to be done using a custom callout.

Thanks.

That's what we were trying to avoid - but it makes sense.

adas

@Benjamin Goldman You can refer to this post which has a similar question: https://community.apigee.com/questions/10560/how-to-configure-client-side-ssl-between-apigee-ed.html

We discussed the 2-way SSL scenarios at length in that post, so hopefully you will find it useful.