Separating Developer App Traffic by SSL Certificate


Using an API Key as authentication, Apigee is able to differentiate traffic between different Developer Apps. This allows us to do drilldowns in custom reports to see different client usage. Is there a way to configure Apigee to separate traffic using a client's SSL certificate instead of ApiKey? I didn't see anything in the documentation regarding SSL in Apigee.


Yes, you can do so. You will need to add the discriminant to the list of columns collected in the Analytics database for each transaction. The Discriminant would be the thing you want to use in the report - so it could be one of the context variables populated by Apigee Edge when verifying a caller's SSL cert: client.cn, client.email.address, etc. See the variables reference for more information. http://apigee.com/docs/api-services/reference/variables-reference

To add one or more of these to the Analytics data, you should use the StatisticsCollector policy, configured appropriately. See here: http://apigee.com/docs/api-services/reference/statistics-collector-policy After running transactions that include such a policy, the fields will be available in the Custom Reports page.


Hi @Elliot Korte, as @Dino mentioned, you can use the client.cn & other client variables in the StatisticsCollector policy to record them for analytics purposes.

Additionally you can turn on the propagate.additional.ssl.headers property in your proxy:

<ProxyEndpoint name="myProxy">
  <HTTPProxyConnection>
    <BasePath>/v1/weather</BasePath>
    <VirtualHost>secure</VirtualHost>
    <Properties>
      <Property name="propagate.additional.ssl.headers">true</Property>
    </Properties>
  </HTTPProxyConnection>
</ProxyEndpoint>

This will populate additional SSL flow variables such as ssl.client.m.serial (The serial number of the client certificate) or ssl.client.i.dn (The distinguished name of the client certificate's issuer) which can be recorded via StatisticsCollector policy.
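A StatisticsCollector policy that records the certificate variables named in the two replies above, as an added example that is not part of the original posts or Apigee's own sample code. The policy name and the Statistic names are hypothetical, and the text inside each Statistic element is the default recorded when the variable is empty.

```xml
<!-- Added example. Policy name and Statistic names are hypothetical. -->
<StatisticsCollector name="SC-ClientCert" async="false" continueOnError="false" enabled="true">
  <Statistics>
    <!-- Populated only when the caller presents a certificate (2-way SSL virtual host) -->
    <Statistic name="client_cert_cn" ref="client.cn" type="string">no-client-cert</Statistic>
    <Statistic name="client_cert_email" ref="client.email.address" type="string">no-client-cert</Statistic>
    <!-- Variable names as given in the reply above; they require
         propagate.additional.ssl.headers=true on the ProxyEndpoint -->
    <Statistic name="client_cert_serial" ref="ssl.client.m.serial" type="string">no-client-cert</Statistic>
    <Statistic name="client_cert_issuer_dn" ref="ssl.client.i.dn" type="string">no-client-cert</Statistic>
  </Statistics>
</StatisticsCollector>

<!-- Attach the policy in the ProxyEndpoint request flow so it runs on every call:
     <PreFlow name="PreFlow">
       <Request>
         <Step><Name>SC-ClientCert</Name></Step>
       </Request>
     </PreFlow>
-->
```

A non-default value in client_cert_cn on a transaction also confirms that the virtual host actually requested and validated a client certificate.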

Ah, this is interesting, I am just looking into how to check the client certificate in an API request. I have configured our proxy as above and I see server certificate variables, but how do I test this for the client certificate information? curl --cert cert.pem https://api-endpoint doesn't seem to set the client variables.


Related question: Are client.cn & other client variables only available when 2-way SSL is enabled on the virtualhost?

Yes, these variables will be populated only when the client presents the certificate - which is 2-way SSL or mutual SSL.


Hi All,

Using <Property name="propagate.additional.ssl.headers">true</Property> and a 2-way SSL virtual host, we are able to capture the client SSL certification information. Is there any way to capture the SSL certificate information while making a 2-way SSL connection with the provider?

Thanks,

Mula

@mvvbr, would you like to post it as a question instead of posting as an answer, for better context?

Hi Anil,

Question: Is there any way to capture the SSL certificate information while making a 2-way SSL connection with the provider?

Thanks,

Mula

@mvvbr, please post as a new Question here.