Configure 2-way SSL on Apigee Edge


Hi

I'm trying to evaluate Apigee. One of our existing services has 2-way SSL auth, so I would like to evaluate whether we can port it as-is until we use some other security features.

I tried the below for my test proxy; however, I'm getting a "schema validation failed" error for SSLInfo. Am I missing anything or doing something wrong?

Error Saving Revision 1 Error occurred while validation of bean default.xml. Reason: - Schema validation failed. Cause : unexpected element (uri:"", local:"SSLInfo"). Expected elements are (none). Line number : 18. Column number : 22. File name : default.xml..

Line 18 is <SSLInfo>

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ProxyEndpoint name="default">
    <Description/>
    <FaultRules/>
    <PreFlow name="PreFlow">
        <Request/>
        <Response/>
    </PreFlow>
    <PostFlow name="PostFlow">
        <Request/>
        <Response/>
    </PostFlow>
    <Flows/>
    <HTTPProxyConnection>
        <BasePath>/clientauth</BasePath>
        <Properties/>
        <VirtualHost name="secure">
            <SSLInfo>
                <ClientAuthEnabled>true</ClientAuthEnabled>
                <Enabled>true</Enabled>
                <IgnoreValidationErrors>false</IgnoreValidationErrors>
                <KeyAlias>apigee-poc</KeyAlias>
                <KeyStore>myKStore</KeyStore>
                <TrustStore>myTruststore</TrustStore>
            </SSLInfo>
        </VirtualHost>
    </HTTPProxyConnection>
    <RouteRule name="default">
        <TargetEndpoint>default</TargetEndpoint>
    </RouteRule>
</ProxyEndpoint>


Former Community Member

Hi @Kranthi Rachakonda, it looks like you are inserting the SSLInfo element in the proxy endpoint definition. Are you trying to configure 2-way SSL between your API proxy and your backend API (i.e. outbound)? If so, you should be configuring the SSLInfo element in the target server endpoint and not the proxy endpoint.

If you are trying to provide 2-way SSL between your app and the Apigee API proxy (i.e. inbound), you essentially need to create a virtual host, upload your cert, key etc., and then associate the proxy with that virtual host via configuration in the proxy endpoint element.
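As an added illustration (not part of the original reply), the same three pieces written out in Apigee Edge's own XML: the SSLInfo block lives in the virtual host definition for inbound mutual TLS (Edge validates the client certificate against the virtual host's truststore), the proxy endpoint only names that virtual host, and for outbound mutual TLS to the backend the SSLInfo block goes in the target endpoint instead. The host alias, backend URL, key alias and the `ref://` keystore and truststore references are placeholders to replace with your own.

```xml
<!-- 1. Inbound mutual TLS: SSLInfo belongs to the virtual host, not the proxy.
     Created/updated via the management API (environment virtual hosts). -->
<VirtualHost name="secure">
    <HostAliases>
        <HostAlias>api.example.com</HostAlias>          <!-- placeholder -->
    </HostAliases>
    <Port>443</Port>
    <SSLInfo>
        <Enabled>true</Enabled>
        <ClientAuthEnabled>true</ClientAuthEnabled>     <!-- require a client cert -->
        <KeyStore>ref://myKeystoreRef</KeyStore>        <!-- server key/cert, placeholder ref -->
        <KeyAlias>myKeyAlias</KeyAlias>                 <!-- placeholder -->
        <TrustStore>ref://myTruststoreRef</TrustStore>  <!-- CA(s) that issued client certs -->
    </SSLInfo>
</VirtualHost>

<!-- 2. The proxy endpoint only references the virtual host by name;
     an SSLInfo element here is what triggers the schema validation error. -->
<ProxyEndpoint name="default">
    <HTTPProxyConnection>
        <BasePath>/clientauth</BasePath>
        <VirtualHost>secure</VirtualHost>
    </HTTPProxyConnection>
    <RouteRule name="default">
        <TargetEndpoint>default</TargetEndpoint>
    </RouteRule>
</ProxyEndpoint>

<!-- 3. Outbound mutual TLS (proxy -> backend): SSLInfo goes in the target endpoint.
     Here the keystore holds the cert Edge presents to the backend and the
     truststore holds the backend's CA. Keep IgnoreValidationErrors false. -->
<TargetEndpoint name="default">
    <HTTPTargetConnection>
        <URL>https://backend.example.com</URL>          <!-- placeholder -->
        <SSLInfo>
            <Enabled>true</Enabled>
            <ClientAuthEnabled>true</ClientAuthEnabled>
            <IgnoreValidationErrors>false</IgnoreValidationErrors>
            <KeyStore>ref://myKeystoreRef</KeyStore>
            <KeyAlias>myKeyAlias</KeyAlias>
            <TrustStore>ref://myTruststoreRef</TrustStore>
        </SSLInfo>
    </HTTPTargetConnection>
</TargetEndpoint>
```

Note that `ClientAuthEnabled` means different things in the two places: on the virtual host it makes Edge demand a certificate from the caller, on the target endpoint it makes Edge present one to the backend.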


@prithpal, thanks for the info. Yes, I'm trying inbound on the proxy/Edge. The support team helped in updating the default virtual host "secure" with my client cert and keystore. However, for any request I'm getting "400 Bad Request. No required SSL certificate was sent", even though I'm posting the cert. I tried to use trace and don't see any requests coming onto the proxy. I guess it's failing at the handshake, however I'm not sure how to confirm that as I don't see that on Edge cloud. Any thoughts?

@Kranthi Rachakonda,

Were you able to do mutual TLS between the client app and Edge? I'm also trying to achieve the same but am not sure how to configure it.

Regards