I have a service callout to Ping Federate to validate an access token. I have this successfully working with basic authentication (client ID and password), but now I would like to use TLS authentication.
My client ID on Ping is set up with a trusted cert.
I have imported this cert into Apigee.
Below is my callout
<HTTPTargetConnection>
  <Properties/>
  <URL>https://PING_FEDERATE:9031/as/introspect.oauth2</URL>
  <SSLInfo>
    <Enabled>true</Enabled>
    <TrustStore>TRUST_STORE_NAME</TrustStore>
  </SSLInfo>
</HTTPTargetConnection>
But with these settings I get an error message of "PING_CLIENT_ID is configured to use client certificates but there were no client certificates sent in the request"
Any pointers on where I'm going wrong would be much appreciated.
Answer by Mahammad Feroz · Sep 21, 2017 at 01:24 PM
@Tara McLean, as per your above settings, you have enabled 1-way SSL. But as per the error message, it looks like it should be 2-way SSL. Add the tag below under SSLInfo.
<ClientAuthEnabled>true</ClientAuthEnabled>
Thanks for your reply, I've tried that and the new message I receive is "PING_CLIENT is configured to use client certificates but there were no client certificates sent in the request".
I assumed that the truststore tag would take care of this. Do you have any more info that would help me with what is needed to configure the service callout correctly?
Answer by David MacDonald · Sep 21, 2017 at 05:42 PM
Hey Tara,
The error suggests that Ping is looking for Apigee to present a client certificate for mutual authentication (2-way TLS), but you have configured Apigee to only verify the certificate presented by the Ping server (1-way TLS).
What you need to do is add a keystore and to enable client authentication. This is how you tell Apigee to also present a certificate to Ping. Some definitions below:
More definitions here: http://docs.apigee.com/api-services/content/keystores-and-truststores
So as per the documentation (http://docs.apigee.com/api-services/content/configuring-ssl-edge-backend-service) you should create a keystore and add this to your Service callout config:
<SSLInfo>
  <Enabled>true</Enabled>
  <ClientAuthEnabled>true</ClientAuthEnabled>
  <KeyStore>myKeystore</KeyStore>
  <KeyAlias>myKey</KeyAlias>
  <TrustStore>myTruststore</TrustStore>
</SSLInfo>
Happy to help further as required.
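For readers who want to see the two configurations side by side, here is a complete ServiceCallout policy showing the original one-way setting from the question next to the two-way (mutual TLS) setting David describes. This is an added illustration, not code from the thread or from Apigee's documentation. The policy name, the keystore name (ping-mtls-keystore), the key alias (ping-client), the truststore name (ping-truststore), the response variable and the inbound.access_token variable (assumed to have been populated by an earlier ExtractVariables policy) are all assumptions; substitute the names used in your own organization.

```xml
<!-- Added example: Apigee Edge ServiceCallout to PingFederate's token
     introspection endpoint over mutual TLS. Every name below (policy,
     keystore, alias, truststore, flow variables) is an assumption and
     not a value taken from the thread. -->
<ServiceCallout name="SC-Ping-Introspect">
  <Request variable="pingIntrospectRequest">
    <Set>
      <Headers>
        <Header name="Content-Type">application/x-www-form-urlencoded</Header>
      </Headers>
      <!-- Token introspection (RFC 7662) takes the token as a form parameter.
           inbound.access_token is assumed to hold the raw bearer token. -->
      <FormParams>
        <FormParam name="token">{inbound.access_token}</FormParam>
        <FormParam name="token_type_hint">access_token</FormParam>
      </FormParams>
      <Verb>POST</Verb>
    </Set>
  </Request>
  <Response>pingIntrospectResponse</Response>
  <HTTPTargetConnection>
    <Properties/>
    <URL>https://PING_FEDERATE:9031/as/introspect.oauth2</URL>

    <!-- 1-way TLS as in the question: Apigee verifies Ping's server
         certificate against the truststore but never presents its own
         certificate, so Ping rejects the request with
         "configured to use client certificates but there were no
         client certificates sent in the request".

    <SSLInfo>
      <Enabled>true</Enabled>
      <TrustStore>ping-truststore</TrustStore>
    </SSLInfo>
    -->

    <!-- 2-way (mutual) TLS: Apigee still verifies Ping's certificate via
         the truststore AND presents the certificate plus private key stored
         under the alias in the keystore. That certificate must be the one
         registered as the trusted cert for the client ID in Ping. -->
    <SSLInfo>
      <Enabled>true</Enabled>
      <ClientAuthEnabled>true</ClientAuthEnabled>
      <KeyStore>ping-mtls-keystore</KeyStore>
      <KeyAlias>ping-client</KeyAlias>
      <TrustStore>ping-truststore</TrustStore>
      <!-- Fail closed if Ping's server certificate does not validate. -->
      <IgnoreValidationErrors>false</IgnoreValidationErrors>
      <!-- Optional: restrict the handshake to TLS 1.2. -->
      <Protocols>
        <Protocol>TLSv1.2</Protocol>
      </Protocols>
    </SSLInfo>
  </HTTPTargetConnection>
</ServiceCallout>
```

Two points worth checking when this still fails: the alias in the keystore must contain both the private key and the certificate (with any intermediate CA certificates) that Ping has on file for that client ID, since importing the certificate alone into a truststore, as in the question, only controls which server certificates Apigee accepts and never causes Apigee to send a client certificate; and IgnoreValidationErrors should stay false, otherwise a misconfigured or substituted Ping endpoint would still be trusted for token validation.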