Mutual TLS setup not introducing any changes

Not applicable

Hi,

We're using Edge SaaS and I wanted to set up the mutual TLS for one endpoint. In order to do this I wanted to create a toy example:

I have created two keystores: one with self-signed server certificate and key (keystore), and one with only a client certificate signed by the server certificate (truststore).

I have created references to these keystores and then created a new virtual host which has client authorisation switched on and uses the references to keystore and truststore mentioned previously.

Then I have created a simple "no route", unauthenticated proxy which should return a simple json response but which uses the new virtual host, so I assume that the access to this endpoint should still be restricted only to clients with a proper certificate.

Nevertheless, when I call the endpoint without any client certificates provided I receive a json response, while I expect to receive some kind of TLS error. Could anyone lead me towards the working example?

Thanks!

Edit: I have noticed that even though the virtual host is set up to be using keystore and targetstore that I have created, when I call it it returns the default, "freetrial" certificate issued by GoDaddy. It seems that the "Keystore" setting of virtual host is not taken into account at all. Does anyone know to fix this issue?

Here's the proxy setup:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ProxyEndpoint name="default">
    <PostFlow name="PostFlow">
        <Request/>
        <Response>
            <Step>
                <Name>AM.ReturnTLSVariables</Name>
            </Step>
        </Response>
    </PostFlow>
    <HTTPProxyConnection>
        <BasePath>/two-way-tls-test</BasePath>
        <VirtualHost>secure2way</VirtualHost>
    </HTTPProxyConnection>
    <RouteRule name="noroute"/>
</ProxyEndpoint>

AM.ReturnTLSVariables policy sets the following JSON payload:

<Payload contentType="application/json">
            {
                "tls.cipher": "{tls.cipher}",
                "tls.protocol": "{tls.protocol}",
                "tls.server.name": "{tls.server.name}",
                "tls.session.id": "{tls.session.id}",
                "tls.client.s.dn": "{tls.client.s.dn}",
                "tls.client.i.dn": "{tls.client.i.dn}",
                "tls.client.raw.cert": "{tls.client.raw.cert}",
                "tls.client.cert.serial": "{tls.client.cert.serial}",
                "tls.client.cert.fingerprint": "{tls.client.cert.fingerprint}",
                "tls.session.id": "{tls.session.id}"
            }
</Payload>

Settings of Virtual Host:

{
  "hostAliases": [
    "{org}-{env}.apigee.net"
  ],
  "interfaces": [],
  "listenOptions": [],
  "name": "secure2way",
  "port": "443",
  "propagateTLSInformation": {
    "clientProperties": true,
    "connectionProperties": true
  },
  "retryOptions": [],
  "sSLInfo": {
    "ciphers": [],
    "clientAuthEnabled": "true",
    "enabled": "true",
    "ignoreValidationErrors": false,
    "keyAlias": "root_cert",
    "keyStore": "ref://two_way_tls_keystore_reference",
    "protocols": [],
    "trustStore": "ref://two_way_tls_truststore_reference"
  }
}

This is what I get as a response (without specifying any client certificates within a request):

{
	"tls.cipher": "",
	"tls.protocol": "",
	"tls.server.name": "",
	"tls.session.id": "",
	"tls.client.s.dn": "",
	"tls.client.i.dn": "",
	"tls.client.raw.cert": "",
	"tls.client.cert.serial": "",
	"tls.client.cert.fingerprint": "",
	"tls.session.id": ""
}
2 5 311
5 REPLIES 5

Hi there

If you are keeping *.apigee.net as the host alias, you should stick with the "freetrial" keystore and keyalias.

Use a curl command like this to upload the cert into an alias in a keystore.

curl -X POST \
  'https://api.enterprise.apigee.com/v1/organizations/{org}/environments/{env}/keystores/{keystore-name}/aliases?alias=test-ca&format=keycertfile' \
  -H 'Authorization: Basic abcd' \
  -H 'content-type: multipart/form-data \
  -F certFile=@ca.crt

Once this is uploaded, modify the vhost to have sSLInfo section to be like:

"sSLInfo": {
        "ciphers": [],
        "clientAuthEnabled": "true",
        "enabled": "true",
        "ignoreValidationErrors": false,
        "keyAlias": "freetrial",
        "keyStore": "freetrial",
        "protocols": [],
        "trustStore": "{keystore-name}"
    }

Thank you for your response.

I just have one more question, just to make it clear - you say that truststores shouldn't have references, but this page gives an example where truststore actually uses reference: https://docs.apigee.com/api-platform/fundamentals/configuring-virtual-hosts-cloud#definingavirtualho...

What is the preferred way of configuring truststores in virtual hosts then?

You are right. They both have references and references are the preferred option. I will update my answer.

Can you update here with the solution for your case so future readers may benefit please?

Thanks for your response.

It turned out that you cannot have one proxy on virtual host A with client certificates enabled and another proxy on virtual host B without client certificates enabled using the same host alias. The workaround is to get a new host alias and set up the virtual host to use it.

Yes, that's right. Thanks a lot for updating here with your solution.