Question by Tara McLean · Sep 21, 2017 at 09:45 AM · 665 Views · Tags: authentication, servicecallout, tls, tls handshake

Connecting to Ping Federate with Certification authentication

I have a service callout to Ping Federate to validate an access token. I have this successfully working with basic authentication (client ID and password), but now I would like to use TLS authentication.

My client ID on Ping is set up with a trusted cert.

I have imported this cert into Apigee

Below is my callout

<HTTPTargetConnection>
    <Properties/>
    <URL>https://PING_FEDERATE:9031/as/introspect.oauth2</URL>
    <SSLInfo>
        <Enabled>true</Enabled>
        <TrustStore>TRUST_STORE_NAME</TrustStore>
    </SSLInfo>
</HTTPTargetConnection>

But with these settings I get an error message of "PING_CLIENT_ID is configured to use client certificates but there were no client certificates sent in the request"

Any pointers where I'm going wrong would be much appreciated.


2 Answers

Answer by Mahammad Feroz · Sep 21, 2017 at 01:24 PM

@Tara McLean, As per your above settings, you have enabled 1-way SSL. But as per the error message, it looks like it should be 2-way SSL. Add the below tag under SSL Info.

<ClientAuthEnabled>true</ClientAuthEnabled>
Comment by Tara McLean · Sep 21, 2017 at 01:45 PM

Thanks for your reply, I've tried that and the new message I receive is "PING_CLIENT is configured to use client certificates but there were no client certificates sent in the request".

I assumed that the truststore tag would take care of this. Do you have any more info that would help me with what is needed to configure the service callout correctly?

Answer by David MacDonald · Sep 21, 2017 at 05:42 PM

Hey Tara,

The error suggests that Ping is looking for Apigee to present a client certificate for mutual Authentication (2 way TLS) but you have configured Apigee to only verify the certificate presented by the Ping server (1 way TLS).

What you need to do is add a keystore and to enable client authentication. This is how you tell Apigee to also present a certificate to Ping. Some definitions below:

  • A truststore contains certificates used to verify certificates received as part of TLS handshaking (the certificates presented by Ping).
  • A keystore contains a TLS certificate and private key used to identify the entity (in this case Apigee) during TLS handshaking.

More definitions here: http://docs.apigee.com/api-services/content/keystores-and-truststores

So as per the documentation (http://docs.apigee.com/api-services/content/configuring-ssl-edge-backend-service) you should create a keystore and add this to your Service callout config:

<SSLInfo>
  <Enabled>true</Enabled>
  <ClientAuthEnabled>true</ClientAuthEnabled>
  <KeyStore>myKeystore</KeyStore>
  <KeyAlias>myKey</KeyAlias>
  <TrustStore>myTruststore</TrustStore>
</SSLInfo>

Happy to help further as required.
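
An added example, not part of either answer and not Apigee tooling: a small Python check of the SSLInfo settings discussed in this thread, run over the callout from the question and the SSLInfo block from the answer above. The function name and the constant names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed from the two snippets on this page: the callout from the
# question (1-way TLS) and the SSLInfo block from the answer (2-way TLS).
ONE_WAY = """<HTTPTargetConnection>
  <URL>https://PING_FEDERATE:9031/as/introspect.oauth2</URL>
  <SSLInfo>
    <Enabled>true</Enabled>
    <TrustStore>TRUST_STORE_NAME</TrustStore>
  </SSLInfo>
</HTTPTargetConnection>"""

TWO_WAY = """<SSLInfo>
  <Enabled>true</Enabled>
  <ClientAuthEnabled>true</ClientAuthEnabled>
  <KeyStore>myKeystore</KeyStore>
  <KeyAlias>myKey</KeyAlias>
  <TrustStore>myTruststore</TrustStore>
</SSLInfo>"""


def mtls_findings(xml_text):
    """Return the reasons this config will not present a client certificate."""
    root = ET.fromstring(xml_text)
    ssl = root if root.tag == "SSLInfo" else root.find(".//SSLInfo")
    if ssl is None:
        return ["no <SSLInfo> element"]

    def value(tag):
        return (ssl.findtext(tag) or "").strip()

    findings = []
    for flag in ("Enabled", "ClientAuthEnabled"):
        if value(flag).lower() != "true":
            findings.append(f"<{flag}> is not true")
    for ref in ("KeyStore", "KeyAlias"):
        if not value(ref):
            findings.append(f"<{ref}> is missing (no certificate/key to present)")
    if not value("TrustStore"):
        findings.append("<TrustStore> is missing (nothing to verify the server certificate against)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("question", ONE_WAY), ("answer", TWO_WAY)):
        print(name, mtls_findings(cfg) or "ready for 2-way TLS")
```

Setting only `<ClientAuthEnabled>` on the question's callout, as tried in the follow-up comment, still leaves the two keystore findings, which matches the unchanged error from Ping.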
