Need help: 2-way SSL between Apigee Edge and client

I have configured a vHost to enable 2-way SSL for the client. Here is how the vHost looks in the Edge UI.


When I use the vHost in my proxy and test from SoapUI, I am getting the error:

{"fault": { "faultstring": "Unable to identify proxy for host: secure and url: /mock/v1/new_flights/test", "detail": {"errorcode": "messaging.adaptors.http.flow.ApplicationNotFound"} }}

Sometimes I am getting the error below. I think this error is valid, as I am not sending a client certificate from SoapUI, although SoapUI is pointing to port 8443 while the vHost port is 7443.

Wed Sep 27 16:39:26 EDT 2017:ERROR:Exception in request: org.apache.http.conn.HttpHostConnectException: Connection to https://dvl-apigateway.xxx.com:8443 refused
Wed Sep 27 16:39:26 EDT 2017:ERROR:An error occurred [Connection to https://dvl-apigateway.xxx.com:8443 refused], see error log for details
Wed Sep 27 16:39:26 EDT 2017:INFO:Error getting response for [https://dvl-apigateway.xxx.com.Notifications:Request 1]; org.apache.http.conn.HttpHostConnectException: Connection to https://dvl-apigateway.XXX.com:8443 refused
Wed Sep 27 16:41:02 EDT 2017:DEBUG:Attempt 1 to execute request
Wed Sep 27 16:41:02 EDT 2017:DEBUG:Sending request: POST /mock/v1/new_flights/test HTTP/1.1
Wed Sep 27 16:41:02 EDT 2017:DEBUG:I/O error closing connection javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: Received fatal alert: <UNKNOWN ALERT: 107>

First, I'm not sure I understand what problem we're trying to solve. You used the title "2-way SSL on Apigee Edge", but that's not a statement of a problem. In the post, you have outlined several symptoms (observations), but those also don't clearly describe a problem. Can we focus on the immediate problem you want to solve? State it succinctly so I know what we're trying to solve. It may help if you can answer these 3 questions: What are you trying? What are you expecting to see? What are you actually seeing?

Also - I don't understand the port 8443 in the log, versus port 7443 in the UI screenshot. Can you explain that in more detail?

Also, can you explain in a little more detail how you've configured the vhost? Can you show us the output of the curl -X GET on that vhost?

Also, you wrote "sometimes I am getting an error". How often is sometimes? Can you elaborate a little more?

Also, you have cited this error:

Unable to identify proxy for host: secure and url: ...

Is this the main problem? This usually means that the connection is successfully made from the client to the Edge router, but you have no API proxy listening at the combination of vhost + basepath. Can you describe the API proxy you have deployed, and its basepath? Show us the output of curl -X GET on the deployments for that proxy.
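Dino's reading of the fault above, that an Edge fault body means the TCP connection and TLS handshake already succeeded and the router simply found no proxy at that vHost and basepath, can be turned into a small offline triage check. The Python below is an added example, not code from this thread or from Apigee. The sample fault body and SoapUI log lines are constructed to mirror the ones quoted in the question (with an example.com hostname), and the vHost name 2wsslsecure and port 7443 it compares against are the values the poster describes.

```python
# Added example (not from the thread): triage Apigee Edge 2-way TLS symptoms offline.
# It classifies the two kinds of evidence quoted in the thread, a client-side
# (SoapUI/HttpClient) log line and an Edge fault JSON body, by the layer at which
# the request failed, and flags the port and vHost mismatches a reader would
# otherwise have to spot by eye. Sample inputs are constructed, not captured.
import json
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample evidence modelled on the question.
SAMPLE_FAULT = ('{"fault":{"faultstring":"Unable to identify proxy for host: secure '
                'and url: /mock/v1/new_flights/test",'
                '"detail":{"errorcode":"messaging.adaptors.http.flow.ApplicationNotFound"}}}')
SAMPLE_REFUSED = ("ERROR:Exception in request: org.apache.http.conn.HttpHostConnectException: "
                  "Connection to https://dvl-apigateway.example.com:8443 refused")
SAMPLE_ALERT = ("DEBUG:I/O error closing connection javax.net.ssl.SSLException: "
                "Received fatal alert: <UNKNOWN ALERT: 107>")

APP_NOT_FOUND = "messaging.adaptors.http.flow.ApplicationNotFound"
FAULT_RE = re.compile(r"Unable to identify proxy for host: (\S+) and url: (\S+)")
REFUSED_RE = re.compile(r"Connection to https?://([^/:\s]+):(\d+) refused")
ALERT_RE = re.compile(r"Received fatal alert: (.+)$")


@dataclass
class Diagnosis:
    layer: str      # "tcp", "tls", "routing" or "unknown"
    detail: str
    mismatch: bool  # True when the evidence contradicts the intended vHost/port


def parse_fault(text: str) -> Optional[dict]:
    """Return errorcode, matched vHost and url from an Edge fault body, else None."""
    try:
        fault = json.loads(text)["fault"]
    except (ValueError, KeyError, TypeError):
        return None
    if not isinstance(fault, dict):
        return None
    m = FAULT_RE.search(fault.get("faultstring", ""))
    detail = fault.get("detail") if isinstance(fault.get("detail"), dict) else {}
    return {
        "errorcode": detail.get("errorcode"),
        "vhost": m.group(1) if m else None,
        "url": m.group(2) if m else None,
    }


def diagnose_fault(text: str, expected_vhost: str) -> Diagnosis:
    """An Edge fault body means TCP and TLS already succeeded. ApplicationNotFound
    is a routing failure: no proxy is deployed at (vHost the router matched, basepath).
    The faultstring names that vHost, so compare it with the one you meant to hit."""
    f = parse_fault(text)
    if f is None:
        return Diagnosis("unknown", "not an Edge fault body", False)
    if f["errorcode"] != APP_NOT_FOUND:
        return Diagnosis("routing", f"Edge fault {f['errorcode']}", False)
    mismatch = f["vhost"] != expected_vhost
    detail = f"router matched vHost '{f['vhost']}' for {f['url']}"
    if mismatch:
        detail += f"; expected '{expected_vhost}', so the request reached a different vHost"
    return Diagnosis("routing", detail, mismatch)


def diagnose_log_line(line: str, expected_port: int) -> Diagnosis:
    """Classify a client-side log line: TCP refusal (check the port) or TLS alert."""
    m = REFUSED_RE.search(line)
    if m:
        port = int(m.group(2))
        mismatch = port != expected_port
        detail = f"TCP connect to {m.group(1)}:{port} refused"
        if mismatch:
            detail += f"; vHost listens on {expected_port}, client used {port}"
        return Diagnosis("tcp", detail, mismatch)
    m = ALERT_RE.search(line)
    if m:
        # The server aborted the handshake. With ClientAuthEnabled=true this is the
        # outcome for a client that presents no certificate, or one that does not
        # chain to a CA in the vHost TrustStore.
        return Diagnosis("tls", f"server sent fatal TLS alert {m.group(1)}", False)
    return Diagnosis("unknown", line.strip(), False)


if __name__ == "__main__":
    for d in (diagnose_fault(SAMPLE_FAULT, "2wsslsecure"),
              diagnose_log_line(SAMPLE_REFUSED, 7443),
              diagnose_log_line(SAMPLE_ALERT, 7443)):
        print(f"[{d.layer:7}] mismatch={d.mismatch} {d.detail}")
```

Run against the evidence in the question, this separates the three failures the poster lumps together: the refused connection is a TCP-level failure and names port 8443 while the vHost listens on 7443; the fatal alert is a TLS-level failure, which is the expected result for a client that sends no certificate to a vHost with ClientAuthEnabled; and ApplicationNotFound is past TLS entirely, with the faultstring naming the vHost the router actually matched ("secure" rather than "2wsslsecure"), which is the first thing to reconcile before looking at the proxy's basepath.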

Hi @Dino

I have a self-signed certificate used to configure 1-way SSL on the secure vHost.

We are trying to see whether we can use the same cert to configure 2-way SSL between Apigee Edge and the backend server.

Right now I don't have a backend server available to test this, but I have DEV and QA environments of Apigee Edge.

So I am calling DEV --> QA. In this case, QA Apigee Edge is acting as my backend server.

For this, in QA, I have configured a new vHost (other than default and secure) using the command below:

curl -X POST -H "Content-Type:application/xml" \
  http://localhost:8080/v1/o/myOrg/environments/qa/virtualhosts \
  -d '<VirtualHost name="2wsslsecure">
  <HostAliases>
    <HostAlias>qa-apigateway.XXX.com</HostAlias>
  </HostAliases>
  <Interfaces/>
  <Port>7443</Port>
  <SSLInfo>
    <Enabled>true</Enabled>
    <ClientAuthEnabled>true</ClientAuthEnabled>
    <KeyStore>qaKeystore</KeyStore>
    <KeyAlias>qa-apigateway.XXX.comKey</KeyAlias>
    <TrustStore>2waySSLTruststore</TrustStore>
    <IgnoreValidationErrors>false</IgnoreValidationErrors>
  </SSLInfo>
</VirtualHost>' \
  -u userid:Password

I have also configured truststores in both DEV and QA:

DVL-APIGEE (Client)                        QA-APIGEE (Server)
=========================================  =========================================
Truststore (qa-apigateway.XXX.com)         Truststore (dev-apigateway.XXX.com)
Keystore (qa-apigateway.XXX.com)           Keystore (qa-apigateway.XXX.com)

Now, when I call the QA proxy endpoint that uses the 2wsslsecure vHost, I am getting:

{"fault":{"faultstring":"Unable to identify proxy for host: secure and url: /mock/v1/new_flights/test","detail":{"errorcode":"messaging.adaptors.http.flow.ApplicationNotFound"}}}

My assumption is that I should get an SSLHandshakeException if I call from SoapUI, as I haven't configured the truststore in SoapUI.

But if I call the DVL Apigee proxy endpoint, which internally calls the QA proxy endpoint, I should be able to call it successfully, as I have added the server cert to the DEV truststore.

Let me know if you have any question.

@Dino To answer your other question: if I change the vHost to "secure" and then change it back to "2wsslsecure", I get javax.net.ssl.SSLException on the very first request.