Connecting to Ping Federate with Certification authentication


I have service callout to Ping Federate to validate an access token. I have this successfully working with basic authentication (client ID and password). but now I would like to use TLS authentication.

My client ID on Ping is set up with a trusted cert.

I have imported this cert into Apigee

Below is my callout

<HTTPTargetConnection>
    <Properties/>
    <URL>https://PING_FEDERATE:9031/as/introspect.oauth2</URL>
    <SSLInfo>
        <Enabled>true</Enabled>
        <TrustStore>TRUST_STORE_NAME</TrustStore>
    </SSLInfo>
</HTTPTargetConnection>

But with these settings I get an error message of "PING_CLIENT_ID is configured to use client certificates but there were no client certificates sent in the request"

Any pointers where I'm going wrong would be much appreciated.


@Tara McLean, As per your above settings, you have enabled 1-way SSL. But as per the error message, looks like it should be 2-way SSL. Add the below tag under SSLInfo.

<ClientAuthEnabled>true</ClientAuthEnabled>

Thanks for your reply, I've tried that and the new message I receive is "PING_CLIENT is configured to use client certificates but there were no client certificates sent in the request".

I assumed that the truststore tag would take care of this. Do you have any more info that would help me with what is needed to configure the service callout correctly?

Hey Tara,

The error suggests that Ping is looking for Apigee to present a client certificate for mutual authentication (2-way TLS), but you have configured Apigee to only verify the certificate presented by the Ping server (1-way TLS).

What you need to do is add a keystore and enable client authentication. This is how you tell Apigee to also present a certificate to Ping. Some definitions below:

  • A truststore contains certificates used to verify certificates received as part of TLS handshaking (the certificates presented by Ping).
  • A keystore contains a TLS certificate and private key used to identify the entity (in this case Apigee) during TLS handshaking.

More definitions here: http://docs.apigee.com/api-services/content/keystores-and-truststores

So as per the documentation (http://docs.apigee.com/api-services/content/configuring-ssl-edge-backend-service) you should create a keystore and add this to your Service callout config:

<SSLInfo>
  <Enabled>true</Enabled>
  <ClientAuthEnabled>true</ClientAuthEnabled>
  <KeyStore>myKeystore</KeyStore>
  <KeyAlias>myKey</KeyAlias>
  <TrustStore>myTruststore</TrustStore>
</SSLInfo>

Happy to help further as required.
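A complete ServiceCallout policy that combines the original callout with the two-way TLS settings from the answer above, added here as an illustration and not taken from this thread or from Apigee's documentation. The policy name, the keystore/alias/truststore names, the access_token flow variable (assumed to be populated earlier, e.g. by an ExtractVariables policy that strips the "Bearer " prefix) and the client_id form parameter are assumptions.

```xml
<!-- Added example: full ServiceCallout for the Ping introspection call over two-way TLS.
     Assumed names: policy name, keystore "pingClientKeystore", alias "pingClientKey",
     truststore "pingTruststore", flow variable "access_token" and the client_id form parameter. -->
<ServiceCallout name="SC-PingIntrospect">
    <Request variable="pingIntrospectRequest" clearPayload="true">
        <Set>
            <Verb>POST</Verb>
            <Headers>
                <!-- The introspection endpoint expects a form-encoded body -->
                <Header name="Content-Type">application/x-www-form-urlencoded</Header>
            </Headers>
            <FormParams>
                <!-- The token to validate, taken from a flow variable set earlier in the proxy -->
                <FormParam name="token">{access_token}</FormParam>
                <!-- Assumption: Ping still needs to know which client is calling when the
                     client authenticates with a certificate instead of an ID and password -->
                <FormParam name="client_id">PING_CLIENT_ID</FormParam>
            </FormParams>
        </Set>
    </Request>
    <Response>pingIntrospectResponse</Response>
    <HTTPTargetConnection>
        <Properties/>
        <URL>https://PING_FEDERATE:9031/as/introspect.oauth2</URL>
        <SSLInfo>
            <Enabled>true</Enabled>
            <!-- Two-way TLS: Apigee presents the certificate and key stored under KeyAlias in KeyStore -->
            <ClientAuthEnabled>true</ClientAuthEnabled>
            <KeyStore>pingClientKeystore</KeyStore>
            <KeyAlias>pingClientKey</KeyAlias>
            <!-- The truststore holds the CA chain used to verify the certificate Ping presents -->
            <TrustStore>pingTruststore</TrustStore>
            <!-- Keep this false so a server certificate that fails validation aborts the callout -->
            <IgnoreValidationErrors>false</IgnoreValidationErrors>
        </SSLInfo>
    </HTTPTargetConnection>
</ServiceCallout>
```

The introspection result lands in pingIntrospectResponse.content, so a following ExtractVariables step should check that the "active" field is true before the request is allowed through.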