POST Upload a Certificate to a Truststore Web API does not work properly


I want to connect from Apigee Edge to my backend with 2-way TLS. Since I used a self-signed certificate, I added my own server certificate to the Truststore. I referred to this site.

The request and the response were as follows.

[request]

POST /v1/organizations/<my_org>/environments/test/keystores/testMyTruststore/certs?alias=authorized-client-truststore&ignoreExpiryValidation=true HTTP/1.1
Accept:*/*
Accept-Encoding:gzip
Accept-Language:ja
Authorization:Basic xxxxxxxxxxxxxxx
Content-Length:2156
Content-Type:multipart/form-data; boundary=----WebKitFormBoundaryu7XjVHVdpx0YsfW2
Host:api.enterprise.apigee.com
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML
X-Forwarded-For:xxx.xxx.xxx.xxx
X-Forwarded-Port:443
X-Forwarded-Proto:https
------WebKitFormBoundaryu7XjVHVdpx0YsfW2
Content-Disposition: form-data; name="file"; filename="my-service.crt.pem"
Content-Type: application/x-x509-ca-cert
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
------WebKitFormBoundaryu7XjVHVdpx0YsfW2-- 

[response]

HTTP/1.1 204 No Content
Access-Control-Allow-Headers:origin
Access-Control-Allow-Methods:GET
Access-Control-Allow-Origin:*
Access-Control-Max-Age:3628800
Connection:keep-alive
Content-Length:0
Content-Type:application/json
Date:Mon, 05 Mar 2018 07:45:22 GMT
Server:Apigee LB

The response seems to have succeeded without problems.

However, in the New Edge UI, the Truststore has not been added to the Keystore I specified. Looking at Classic Edge, it seems that the Truststore has been added.

Keystore testMyTruststore
  └ Truststore authorized-client-truststore
    └ <my_cn> 

But when I call my API, the following error is returned.

{
    "fault": {
        "faultstring": "TrustStore ref://testMyTruststoreRef has no certificates",
        "detail": {
            "errorcode": "security.util.TrustStoreWithNoCertificates"
        }
    }
}

Here, "testMyTruststoreRef" refers to testMyTruststore.

When I registered the same certificate file by adding a new alias to a Keystore created from the GUI of New Edge, it could be added without problems, and the endpoint works correctly.

After that, when checking the Classic Edge UI, it was confirmed that a Truststore with "-cert" appended to the alias name had been added.

Keystore testMyTruststore
  └ Truststore authorized-client-truststore-cert
    └ <my_cn>
  └ Truststore authorized-client-truststore
    └ <my_cn> 

Is the method of executing the API incorrect? I would like to know how to post a TrustStore correctly via the Web API.


mpurwar
Participant IV

@Shuhei Matsubara - Everything you have done seems to be correct.

I would suggest checking whether you have the reference (testMyTruststoreRef) created for your truststore (testMyTruststore) by using this command:

GET https://{{Host}}/v1/o/{{Org}}/e/{{Env}}/references/testMyTruststoreRef

If the reference is missing, refer to the page below on how to create a reference for your truststore.

https://docs.apigee.com/api-services/content/working-references

To me, the actual reference seems to be missing. Let me know if that was the case.

Thanks for your comment.

When I created the Reference, I looked at the document you indicated.

The name has changed slightly because I rebuilt the set. (I added V1, and the Truststore name became "testMyTruststoreV1".)

Here is the result of executing the command in the state before the truststore was uploaded from New Edge (= the state in which the message "TrustStore has no certificates" is returned).

I think that there is no problem with reference setting.

curl -X GET \
https://api.enterprise.apigee.com/v1/o/<my_org>/e/test/references/testMyTruststoreV1Ref
{
  "name" : "testMyTruststoreV1Ref",
  "refers" : "testMyTruststoreV1",
  "resourceType" : "KeyStore"
} 

Although it is a bit long, I will paste the commands executed when creating the reference.

curl -H "Content-Type: text/xml" \
https://api.enterprise.apigee.com/v1/o/<my_org>/environments/test/keystores \
-d '<KeyStore name="testMyKeystoreV1"/>'
{
  "certs" : [ ],
  "keys" : [ ],
  "name" : "testMyKeystoreV1"
}
curl -H "Content-Type: text/xml" \
https://api.enterprise.apigee.com/v1/o/<my_org>/environments/test/keystores \
-d '<KeyStore name="testMyTruststoreV1"/>'
{
  "certs" : [ ],
  "keys" : [ ],
  "name" : "testMyTruststoreV1"
}
curl -X POST \
-H "Content-Type:application/xml" \
https://api.enterprise.apigee.com/v1/o/<my_org>/e/test/references \
-d '<ResourceReference name="testMyTruststoreV1Ref"><Refers>testMyTruststoreV1</Refers><ResourceType>KeyStore</ResourceType></ResourceReference>'
{
  "name" : "testMyTruststoreV1Ref",
  "refers" : "testMyTruststoreV1",
  "resourceType" : "KeyStore"
}

After this, I uploaded the keystore and the truststore and executed the GET references command written at the top of this comment.

By the way, I registered with an alias name carrying the suffix "-cert", as below, and 2-way TLS worked normally.

curl -v -X POST \
-H "Content-Type: multipart/form-data" \
-F file="@my-service.crt.pem" \
https://api.enterprise.apigee.com/v1/o/<my_org>/environments/test/keystores/testMyTruststoreV2/certs...

It seems that it is necessary to add "-cert" at the end of the alias name in order for the truststore to be recognized as having a certificate. Is this the specification for uploading the truststore?

Unfortunately, even in this case, the truststore is not displayed in the New Edge UI's "Environments" > "TLS Keystores". This feels somewhat strange to me.
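The workflow discussed across this thread (build the multipart upload for POST .../keystores/{keystore}/certs?alias=..., then, as mpurwar suggests, GET the reference and confirm it points at the truststore, and finally confirm the truststore actually lists the alias before relying on 2-way TLS) collected into a small client-side helper. This is an added example, not code from the thread or from Apigee; the function names (pem_problems, build_cert_upload_request, reference_problems, truststore_has_alias, send_request) are this example's own, the sample PEM and JSON responses are constructed, and the keystore JSON shape ("certs", "keys", "name") is taken from the create responses pasted above.

```python
"""Client-side helpers for the Apigee Edge truststore workflow in this thread.

Added example (not from the thread or from Apigee). It sanity-checks a PEM
before upload, builds the multipart/form-data request the management API
expects, and validates the JSON returned by GET .../references/{ref} and
GET .../keystores/{keystore}. No network call is made unless send_request()
is invoked; all sample data below is constructed.
"""
import base64
import json
import re
import urllib.request
import uuid
from urllib.parse import quote

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def pem_problems(pem_bytes):
    """Return a list of problems with a PEM file; an empty list means it looks uploadable."""
    problems = []
    blocks = PEM_RE.findall(pem_bytes)
    if not blocks:
        problems.append("no BEGIN/END CERTIFICATE block found")
    for i, body in enumerate(blocks):
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append(f"block {i}: body is not valid base64")
            continue
        # A DER-encoded certificate is an ASN.1 SEQUENCE, whose first byte is 0x30.
        if not der or der[0] != 0x30:
            problems.append(f"block {i}: decoded data is not a DER SEQUENCE")
    return problems


def build_cert_upload_request(host, org, env, keystore, alias, pem_bytes,
                              filename="cert.pem", ignore_expiry=False):
    """Return (url, headers, body) for uploading a PEM certificate into a keystore or truststore."""
    boundary = "----ApigeeExampleBoundary" + uuid.uuid4().hex  # constructed, like a browser's
    query = "alias=" + quote(alias, safe="")
    if ignore_expiry:
        query += "&ignoreExpiryValidation=true"
    url = (f"https://{host}/v1/organizations/{org}/environments/{env}"
           f"/keystores/{keystore}/certs?{query}")
    # One form part named "file", mirroring the request captured in the question.
    body = b"".join([
        f"--{boundary}\r\n".encode("ascii"),
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'.encode("ascii"),
        b"Content-Type: application/x-x509-ca-cert\r\n\r\n",
        pem_bytes,
        f"\r\n--{boundary}--\r\n".encode("ascii"),
    ])
    headers = {
        "Content-Type": f"multipart/form-data; boundary={boundary}",
        "Content-Length": str(len(body)),
    }
    return url, headers, body


def send_request(url, headers, body, basic_auth_b64):
    """Perform the upload with urllib and return the HTTP status (not called in this example)."""
    req = urllib.request.Request(url, data=body, method="POST")
    for name, value in headers.items():
        req.add_header(name, value)
    req.add_header("Authorization", "Basic " + basic_auth_b64)
    with urllib.request.urlopen(req) as resp:
        return resp.status


def _as_dict(obj):
    return json.loads(obj) if isinstance(obj, (str, bytes)) else obj


def reference_problems(reference_json, expected_keystore):
    """Check a GET .../references/{name} response points at the intended truststore."""
    ref = _as_dict(reference_json)
    problems = []
    if ref.get("refers") != expected_keystore:
        problems.append(f"reference refers to {ref.get('refers')!r}, expected {expected_keystore!r}")
    if ref.get("resourceType") != "KeyStore":
        problems.append(f"resourceType is {ref.get('resourceType')!r}, expected 'KeyStore'")
    return problems


def truststore_has_alias(keystore_json, alias):
    """True if a GET .../keystores/{name} response lists `alias` among its certs."""
    return alias in _as_dict(keystore_json).get("certs", [])


# Constructed sample data for the example: a tiny DER SEQUENCE stand-in, not a real certificate.
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(b"\x30\x03\x02\x01\x05")
              + b"-----END CERTIFICATE-----\n")
SAMPLE_REFERENCE = '{"name": "testMyTruststoreRef", "refers": "testMyTruststore", "resourceType": "KeyStore"}'
SAMPLE_EMPTY_TRUSTSTORE = '{"certs": [], "keys": [], "name": "testMyTruststore"}'
SAMPLE_LOADED_TRUSTSTORE = '{"certs": ["authorized-client-truststore"], "keys": [], "name": "testMyTruststore"}'

if __name__ == "__main__":
    print("PEM problems:", pem_problems(SAMPLE_PEM))
    url, headers, body = build_cert_upload_request(
        "api.enterprise.apigee.com", "<my_org>", "test", "testMyTruststore",
        "authorized-client-truststore", SAMPLE_PEM, ignore_expiry=True)
    print(url, headers["Content-Length"])
    print("reference problems:", reference_problems(SAMPLE_REFERENCE, "testMyTruststore"))
    print("alias present:", truststore_has_alias(SAMPLE_EMPTY_TRUSTSTORE, "authorized-client-truststore"))
```

The point of the last two checks is the failure mode in this thread: a 204 from the upload and a correct-looking reference do not by themselves prove the runtime will find a certificate, so the keystore's own "certs" list is the thing to confirm before enabling the TargetEndpoint.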