Mapping between SSL certificates(consumer and provider) and proxies


Hi Team,

We have consumer and provider certificates in our truststores for 2-way SSL connections. In the case of 2-way SSL with a consumer, we have multiple consumer certificates in the vhost truststore. In the same way, we use only one truststore to hold provider/target certificates in the case of 2-way SSL with a provider. In case of any certificate expiry, it is very difficult for us to check the respective API proxy manually. So we would like to know a way to find the mapping between a certificate present in any truststore and the API proxy. This will make our life easy as the APIs and certificates grow.

I saw the post at https://community.apigee.com/questions/4255/separating-developer-app-traffic-by-ssl-certificat.html , which provides a solution for consumer certs using the propagate.additional.ssl.headers property in the Proxy Endpoint configuration. I tried the same property in the Target Connection, but it did not work. So I am looking for the same kind of solution for provider certs also.

Regards,

Mula


Wow, sorry, this is a really old question and has not been answered.

On the off chance that this is still an interesting question to you, I'm going to reply.

I understand that you have a single truststore and multiple certificates contained within it. This is for 2-way TLS. I think you are using those certificates to verify the identity of callers sending inbound requests. Is that right? In other words, in this image: ...you are talking about the link labeled with a "3". correct?

I don't understand this part of the question:

we would like to know the way to find the mapping between the certificate present in any truststore and the API proxy.

Are you saying that you want to know which client-side certificate has been verified, from within the proxy? There are context variables to allow you to do this within the API Proxy at the time the request is being handled. See the relevant Apigee documentation for more information.

Hi Dino,

Sorry for the late update. I would like to know about leg 4, southbound 2-way SSL. For leg 3, we are able to get the client details by using the propagate.additional.ssl.headers property.

Thanks,

Mula

OMigosh this is the longest-running thread EVAH. You asked in July 2016 and now it's May 2017 and you're still interested!

I have a couple things for you.

First, in regards to your question:

> we would like to know the way to find the mapping between the certificate present in any truststore and the API proxy.

There is no way using the Apigee Admin UI to request a list of all proxies using a given truststore. But, as you probably know, every asset under management in Apigee Edge is queryable via a REST API. So it is relatively straightforward to

  • query all the truststores in an environment
  • list all the certs in each truststore
  • query all the proxies in an org
  • map all the proxies to any truststores they use, in either ServiceCallout or Target

The call to query the truststores is like this:

curl -i -n \
 'https://api.enterprise.apigee.com/v1/o/:ORG/e/:ENV/keystores'

And then to list the details for the certs in each truststore, you can do a sequence like this:

#for truststore in list :
curl -i -n \
 ':mgmtserver/v1/o/:ORG/e/:ENV/keystores/:truststore'

#for certname in certs :
curl -i -n \
 ':mgmtserver/v1/o/:ORG/e/:ENV/keystores/:truststore/certs/:certname'

And then of course you must cross the list of truststores with the Targets and SC policies in various proxies, so, start with:

curl -i -n \
 ':mgmtserver/v1/o/:ORG/apis'

...and then

#for apiname in list : 
curl -i -n \
 ':mgmtserver/v1/o/:ORG/apis/:apiname/revisions'

#for rev in list :
curl -i -n \
 ':mgmtserver/v1/o/:ORG/apis/:apiname/revisions/:rev/targets'

#for target in list :
curl -i -n \
 ':mgmtserver/v1/o/:ORG/apis/:apiname/revisions/:rev/targets/:target'

...and then in each target, look for SSLInfo and the truststore specified there.

You would do something similar with the ServiceCallout policies, if you use them. Except you would need to look for each policy in the proxy, and then check to see if it was a ServiceCallout, and then look for SSLInfo and the truststore.

#for rev in list :
curl -i -n \
 ':mgmtserver/v1/o/:ORG/apis/:apiname/revisions/:rev/policies'

#for policies in list :
curl -i -n \
 ':mgmtserver/v1/o/:ORG/apis/:apiname/revisions/:rev/policies/:policy'

# Then, grep for ServiceCallout and if so, check the Target and SSLInfo

An example working script for just checking the proxy-to-truststore mapping is attached here.

mapproxiestotruststoressh.txt
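The walk described in the reply above (keystores in the environment, then every proxy revision's targets and ServiceCallout policies, cross-referenced on the TrustStore named in SSLInfo), written out as a runnable script. This is an added example, not the script attached to the reply and not Apigee's code. It assumes the management API paths used in the thread, that the list endpoints return JSON arrays of names, that a target or policy fetched with Accept: application/xml comes back in the usual TargetEndpoint / ServiceCallout XML shape, and that a TrustStore written as ref://NAME is resolved through GET /v1/o/{org}/e/{env}/references/NAME, whose JSON carries the keystore name in a "refers" field. The org, environment, proxy and keystore names in the embedded sample responses are constructed for the demo.

```python
"""Map each keystore in an Apigee Edge environment to the proxy revisions whose
TargetEndpoint or ServiceCallout <SSLInfo> uses it as a TrustStore.
Added example for this thread (not the attached script); assumptions are
noted inline."""
import base64
import json
import urllib.request
import xml.etree.ElementTree as ET

REF_PREFIX = "ref://"


def http_fetch(mgmtserver, user, password):
    """Build fetch(path, accept) for a real org with basic auth (what the
    thread's curl -n does via ~/.netrc). The demo below uses an offline stand-in."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def fetch(path, accept="application/json"):
        req = urllib.request.Request(mgmtserver + path, headers={
            "Authorization": "Basic " + token, "Accept": accept})
        with urllib.request.urlopen(req) as resp:
            return resp.read().decode()
    return fetch


def truststore_refs(xml_text):
    """Every non-empty <TrustStore> under any <SSLInfo> in a target/policy doc."""
    for ssl in ET.fromstring(xml_text).iter("SSLInfo"):
        value = ssl.findtext("TrustStore")
        if value and value.strip():
            yield value.strip()


def resolve(fetch, org, env, value, cache):
    """Follow ref://NAME to the keystore the Reference points at right now
    (assumed: GET /references/NAME returns JSON with a 'refers' field)."""
    if not value.startswith(REF_PREFIX):
        return value
    name = value[len(REF_PREFIX):]
    if name not in cache:
        cache[name] = json.loads(
            fetch(f"/v1/o/{org}/e/{env}/references/{name}"))["refers"]
    return cache[name]


def build_mapping(fetch, org, env):
    """Return {keystore: sorted 'proxy/rev/target:NAME' or 'proxy/rev/policy:NAME'}.
    Keystores no proxy uses as a TrustStore get an empty list; a TrustStore named
    by a proxy but absent from the environment is still reported (setdefault)."""
    mapping = {k: [] for k in json.loads(fetch(f"/v1/o/{org}/e/{env}/keystores"))}
    ref_cache, xml = {}, "application/xml"
    for api in json.loads(fetch(f"/v1/o/{org}/apis")):
        for rev in json.loads(fetch(f"/v1/o/{org}/apis/{api}/revisions")):
            base = f"/v1/o/{org}/apis/{api}/revisions/{rev}"
            uses = []
            for t in json.loads(fetch(f"{base}/targets")):
                uses += [(ts, f"target:{t}") for ts in
                         truststore_refs(fetch(f"{base}/targets/{t}", xml))]
            for p in json.loads(fetch(f"{base}/policies")):
                doc = fetch(f"{base}/policies/{p}", xml)
                if ET.fromstring(doc).tag == "ServiceCallout":  # skip other policy types
                    uses += [(ts, f"policy:{p}") for ts in truststore_refs(doc)]
            for ts, where in uses:
                keystore = resolve(fetch, org, env, ts, ref_cache)
                mapping.setdefault(keystore, []).append(f"{api}/{rev}/{where}")
    return {k: sorted(v) for k, v in mapping.items()}


# Constructed sample responses standing in for the management API (not captured
# from a real org): one proxy revision names its truststore directly, one goes
# through a Reference, one ServiceCallout shares a truststore, one keystore is unused.
def target(url, ts=None):
    ssl = (f"<SSLInfo><Enabled>true</Enabled><ClientAuthEnabled>true</ClientAuthEnabled>"
           f"<KeyStore>ref://client-key-ref</KeyStore><KeyAlias>orders</KeyAlias>"
           f"<TrustStore>{ts}</TrustStore></SSLInfo>") if ts else ""
    return (f'<TargetEndpoint name="default"><HTTPTargetConnection><URL>{url}</URL>'
            f"{ssl}</HTTPTargetConnection></TargetEndpoint>")


SAMPLE = {
    "/v1/o/acme/e/prod/keystores": '["partner-trust","legacy-trust","unused-trust"]',
    "/v1/o/acme/e/prod/references/partner-trust-ref":
        '{"name":"partner-trust-ref","refers":"partner-trust","resourceType":"KeyStore"}',
    "/v1/o/acme/apis": '["orders","inventory"]',
    "/v1/o/acme/apis/orders/revisions": '["1","2"]',
    "/v1/o/acme/apis/orders/revisions/1/targets": '["default"]',
    "/v1/o/acme/apis/orders/revisions/1/targets/default": target("https://orders.example.test", "legacy-trust"),
    "/v1/o/acme/apis/orders/revisions/1/policies": "[]",
    "/v1/o/acme/apis/orders/revisions/2/targets": '["default"]',
    "/v1/o/acme/apis/orders/revisions/2/targets/default": target("https://orders.example.test", "ref://partner-trust-ref"),
    "/v1/o/acme/apis/orders/revisions/2/policies": '["SC-Audit","AM-Headers"]',
    "/v1/o/acme/apis/orders/revisions/2/policies/SC-Audit":
        '<ServiceCallout name="SC-Audit"><HTTPTargetConnection><URL>https://audit.example.test</URL>'
        "<SSLInfo><Enabled>true</Enabled><TrustStore>legacy-trust</TrustStore></SSLInfo>"
        "</HTTPTargetConnection></ServiceCallout>",
    "/v1/o/acme/apis/orders/revisions/2/policies/AM-Headers": '<AssignMessage name="AM-Headers"/>',
    "/v1/o/acme/apis/inventory/revisions": '["3"]',
    "/v1/o/acme/apis/inventory/revisions/3/targets": '["default"]',
    "/v1/o/acme/apis/inventory/revisions/3/targets/default": target("http://inv.internal.test"),
    "/v1/o/acme/apis/inventory/revisions/3/policies": "[]",
}


def demo():
    """Run the mapping against the constructed responses instead of a live org."""
    return build_mapping(lambda path, accept="application/json": SAMPLE[path], "acme", "prod")


if __name__ == "__main__":
    for keystore, users in demo().items():
        print(f"{keystore}: {', '.join(users) or '(not referenced by any proxy)'}")
```

Two points worth keeping in mind when running this against a real org. First, a plain grep for the truststore name across exported proxy bundles misses the case where SSLInfo names a Reference (ref://...) rather than the keystore itself, which is why the script resolves references before building the map; the same Reference can be repointed at a new truststore without touching any proxy, so the mapping is only valid at the moment you take it. Second, TargetServers defined at the environment level carry their own SSLInfo and TrustStore, and a proxy that reaches its backend through a LoadBalancer/Server element will not show a TrustStore in its TargetEndpoint at all; those need to be enumerated from the environment's targetservers list separately.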