Smartdocs accessing 2 way TLS API

kkhanna
Participant IV

@Maudrit @Arun Kumar

1. I am able to access the SmartDocs proxy on a 1-way TLS vHost. Since most of our proxies sit on a 2-way TLS host, can you tell me a way to access that SmartDocs proxy on a 2-way TLS vHost?

Right now, when I use a trace session on the SmartDocs proxy using the 2-way TLS URL, I am getting a 400 error.

Developer tool error: "XMLHttpRequest cannot load https://<2waytls-host>/smartdocs/v1/sendrequest?targeturl=http%3…. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://<devportal>' is therefore not allowed access. The response had HTTP status code 400"

(Added)

2. Even if I use 1-way TLS for SmartDocs, is there a way to provide SmartDocs with a keystore or a reference to a keystore to access Edge APIs over 2-way TLS?

Thanks for the help!


As Ozan notes, SmartDocs will use DevPortal for the actual API call (for whatever reason I was thinking Postman). If it were Postman, then the solution would be quite arduous and likely would not be scaled in any reasonable way.

Adding certificates for your devportal hosts should rectify the situation.

Apigee does not provide local keystores for user agents. That is the province of OS providers, app libraries, etc.

I believe Smartdocs makes the actual call via devportal server. That's why we see min 2 IPs in X-Forwarded-For header.

Thanks Ozan! Answer updated. For whatever reason was thinking Postman as the consumer.

@Ozan Seymen

SmartDocs makes ajax calls to the SmartDocs proxy endpoint. So the calls are made from the client browser in which the SmartDocs is opened.

This makes me think about whether it is possible at all to send a client certificate from SmartDocs, as it should be supported by XMLHttpRequest in JavaScript.

Since the clients, in order to access API endpoints secured with 2-way TLS, need to provide their certificates, is there any possible way in which SmartDocs can send the client certificates?

Any hints or pointers are appreciated.

Thanks,

Sudheesh

Hi @dsudheesh

I am not sure if that is possible. The structure is like this:

Browser -> Developer Portal Server -> Target API

In this structure, if you send a client cert from the browser, it will be used to establish TLS between the browser and the portal server. The portal server (A) is not configured to handle mutual TLS and (B) will terminate TLS at the entry point and initiate a new TLS session between itself and the target API, losing your client cert.

Apigeeks - correct me if ^ is incorrect.

Assuming this is correct, I'd suggest you do one of these:

  • Disable the smartdocs functionality to send requests to your apis (hide via CSS?)
  • Configure a dedicated sandbox environment with mock data where APIs don't need mutual TLS. Don't forget that the main use of smartdocs is to educate API developers about your APIs - it is not an API client.

Hi @Ozan Seymen

Browser -> Developer Portal Server -> Target API

The above is not correct.

Here is how it works.

Browser -> SmartDocs Proxy -> Target API

Developer portal server does not mediate any of the SmartDocs calls to the Target APIs.

Also, thanks for sharing the steps to make SmartDocs work in case of API endpoints requiring client certificates.

Thanks,

Sudheesh

Can you point me to the configuration snippet or any relevant documentation to do so?
Thanks!

@davidwallen1 @Ozan Seymen

Can you provide me with steps or a snippet for adding certificates?

Thanks!

Hi @kkhanna, we have the same requirement. Did you find a solution for it?

Thanks.