How do I establish a trust relationship between the API Gateway / Proxy and the API Provider?


I have a proxy that authenticates against ADFS where the API Gateway validates that JWT and calls the API provider. I want the backend call to have a trust relationship. How do I do that?

1 ACCEPTED SOLUTION

Hi John

I'm not clear on what problem you're seeing. You want the backend to "have a trust relationship". What does that mean?

For transport-level security, you can enforce TLS on the southbound connection. This is set in the HTTPTargetConnection configuration. The relevant documentation is here: https://docs.apigee.com/api-platform/system-administration/configuring-ssl-edge-backend-service

You should include a stanza like this:

<TargetEndpoint name="default">
 …
 <HTTPTargetConnection>
   <SSLInfo>
       <!-- turn on TLS for the southbound (proxy-to-backend) connection -->
       <Enabled>true</Enabled>
       <!-- reference to the truststore that holds the backend's CA chain -->
       <TrustStore>ref://myTrustStoreRef</TrustStore>
   </SSLInfo>
   <URL>https://myservice.com</URL>
 </HTTPTargetConnection>
 …
</TargetEndpoint>

And you must create that TrustStore reference, and the truststore it refers to. (sorry)

And then of course embed your CA chain into the TrustStore.

If you want 2-way TLS, then you need to upload a key and also specify a KeyStore there.

If you want something based on the JWT, that is a different matter.

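The stanza above only helps if the SSLInfo block actually pins the backend's CA chain and does not switch validation off. The following is an added example (not code from the original thread or from Apigee): a small lint script that parses a TargetEndpoint definition and reports the settings a reviewer would check on the southbound connection, including the two-way TLS case mentioned in the answer (ClientAuthEnabled, KeyStore, KeyAlias). The two XML documents embedded below are constructed for the example, and the reference and alias names in them are placeholders.

```python
"""Lint an Apigee Edge TargetEndpoint for southbound TLS hygiene.

Added example, not from the original thread or from Apigee. It inspects the
<HTTPTargetConnection><SSLInfo> block and flags:
  - a target URL that is not https
  - <Enabled> not set to true
  - no <TrustStore> (backend certificate chain not pinned)
  - <IgnoreValidationErrors>true</IgnoreValidationErrors>
  - for two-way TLS: missing ClientAuthEnabled, KeyStore or KeyAlias
The sample XML below is constructed; ref names and aliases are placeholders.
"""
import xml.etree.ElementTree as ET

# Constructed weak configuration: https URL, TLS "enabled", but validation
# errors ignored and no truststore, so any certificate is accepted.
WEAK_TARGET = """<TargetEndpoint name="default">
  <HTTPTargetConnection>
    <SSLInfo>
      <Enabled>true</Enabled>
      <IgnoreValidationErrors>true</IgnoreValidationErrors>
    </SSLInfo>
    <URL>https://myservice.com</URL>
  </HTTPTargetConnection>
</TargetEndpoint>"""

# Constructed hardened configuration: two-way TLS, CA chain pinned through a
# truststore reference, client cert taken from a keystore reference.
HARDENED_TARGET = """<TargetEndpoint name="default">
  <HTTPTargetConnection>
    <SSLInfo>
      <Enabled>true</Enabled>
      <ClientAuthEnabled>true</ClientAuthEnabled>
      <KeyStore>ref://myKeyStoreRef</KeyStore>
      <KeyAlias>myKeyAlias</KeyAlias>
      <TrustStore>ref://myTrustStoreRef</TrustStore>
      <IgnoreValidationErrors>false</IgnoreValidationErrors>
    </SSLInfo>
    <URL>https://myservice.com</URL>
  </HTTPTargetConnection>
</TargetEndpoint>"""


def _text(parent, tag):
    """Return the stripped text of a child element, or None if absent."""
    node = parent.find(tag)
    return (node.text or "").strip() if node is not None else None


def lint_target_endpoint(xml_text, require_mutual_tls=False):
    """Return a list of findings; an empty list means the config passes."""
    root = ET.fromstring(xml_text)
    findings = []
    conn = root.find("HTTPTargetConnection")
    if conn is None:
        return ["no HTTPTargetConnection element"]

    url = _text(conn, "URL") or ""
    if not url.lower().startswith("https://"):
        findings.append("target URL is not https: %r" % url)

    ssl = conn.find("SSLInfo")
    if ssl is None:
        findings.append("no SSLInfo block: southbound TLS is not configured")
        return findings

    if _text(ssl, "Enabled") != "true":
        findings.append("SSLInfo/Enabled is not true")
    if _text(ssl, "IgnoreValidationErrors") == "true":
        findings.append("IgnoreValidationErrors=true disables certificate validation")

    truststore = _text(ssl, "TrustStore")
    if not truststore:
        findings.append("no TrustStore: backend certificate chain is not pinned")
    elif not truststore.startswith("ref://"):
        # A direct store name works, but a reference lets the store be
        # rotated without redeploying the proxy.
        findings.append("TrustStore is not a ref:// reference: %r" % truststore)

    if require_mutual_tls:
        if _text(ssl, "ClientAuthEnabled") != "true":
            findings.append("ClientAuthEnabled is not true: no client certificate is presented")
        if not _text(ssl, "KeyStore") or not _text(ssl, "KeyAlias"):
            findings.append("two-way TLS needs both KeyStore and KeyAlias")
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_TARGET), ("hardened", HARDENED_TARGET)):
        print(name, lint_target_endpoint(doc, require_mutual_tls=True) or "OK")
```

Run it against the exported TargetEndpoint XML of a proxy bundle before deployment; the weak sample produces two findings (validation errors ignored, no truststore) while the hardened sample passes even with mutual TLS required.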

6 REPLIES


I am using the free Cloud Edge. I tried to upload a certificate but it is giving me a Java IO error saying it is too big.

Can you be more specific about exactly what you tried, how you tried it, what commands you typed, and what results you saw? Be super specific.

Your response cleared everything up.

The real question now is what the best practice is. I have a requirement to authenticate against an external IdP (ADFS) using OpenID and have Apigee verify the access token created by ADFS. Once that is verified, call out to the API provider. What is the best practice for this scenario?

Also I have read the following:

"Apigee doesn’t have out of the box support for JWT token generation or validation."

Is this true?

John, I have posted your new question as a new question.