MTLS (2 way TLS) from Apigee to our enterprise system-SSL Termination Load Balancer

We want to enable MTLS (2 way TLS) from Apigee to our enterprise system

Overall path is

Business Partner/Client <--> Apigee Cloud <--> (MTLS) <--> Our enterprise Firewall <--> Our client Enterprise region Load Balancer.

Here the MTLS is required to be configured on the outbound or southbound side of Apigee.

The SSL termination will happen in the Load Balancer (which resides in the southbound direction, i.e. in the client enterprise).

Based on the link below, we understand that the following changes will be required for MTLS (Apigee cloud with client region enterprise backend):

https://docs.apigee.com/api-platform/system-administration/about-ssl

1) Would like to know, for Apigee Cloud (paid customer), for enabling CA certified (will the certificate be provided by raising a Support ticket?), what additional information is to be indicated to Apigee when raising the Support ticket for MTLS, which will be required during the Virtual host configuration and during our Enterprise Load Balancer configuration.

2) Will have to create a Keystore in Apigee (CA certified) and the Virtual host referring to it using a reference configuration rather than directly referring to the certificate.

3) Configuration of the TargetEndpoint with outbound client authentication in Apigee to indicate two-way SSL information.

4) SSL termination will happen in the Load Balancer, hence what kind of additional configuration is required in the Load Balancer (NetScaler)? Currently the Load Balancer terminates the TLS and we are handling MTLS for the first time, hence for the handshake or termination (MTLS now) does it require any additional configuration or set up? (In case anyone has handled this in a NetScaler Load Balancer?)


Hi

1) Would like to know, for Apigee Cloud (paid customer), for enabling CA certified (will the certificate be provided by raising a Support ticket?), what additional information is to be indicated to Apigee when raising the Support ticket for MTLS, which will be required during the Virtual host configuration and during our Enterprise Load Balancer configuration.

I don't understand this question. I don't understand the syntax.

You mention a virtual host, and I think you are talking about a southbound connection. When you configure mTLS between Apigee Edge and the southbound (outbound? upstream?) system, you don't use a Virtual Host. Check the docs. The vhost is for inbound connections. The target server is for outbound. You may want to re-read the documentation on TLS within Edge to gain some clarity.

2) Will have to create a Keystore in Apigee (CA certified) and the Virtual host referring to it using a reference configuration rather than directly referring to the certificate.

I don't understand what you mean by "Keystore in Apigee (CA Certified)". I know what a keystore is. I don't know what "(CA Certified)" means. Also, here again you are mentioning a virtual host, when I think you are considering how to connect Apigee Edge to a TARGET system. There is no Apigee Edge virtual host involved in connecting Apigee Edge to a southbound system. Check the documentation.

3) Configuration of the TargetEndpoint with outbound client authentication in Apigee to indicate two-way SSL information.

Is there a question? There is a page in the Apigee Edge documentation dealing with this. Have you read it?

4) SSL termination will happen in the Load Balancer, hence what kind of additional configuration is required in the Load Balancer (NetScaler)?

I don't know NetScaler. But TLS is TLS. Different products use slightly different language, but the principles and mechanisms are all the same. The endpoint at NetScaler will need a trust store and a key store. Check the documentation for NetScaler to understand exactly what is necessary. Your network operations staff probably already know what is involved.

----

Configuring TLS, especially mutual TLS, can seem tricky at first, but it's really not tricky. There are no tricks. There are lots of details you need to understand and configure, but there are no tricks.

Just be careful, and follow the documentation. The steps are described. There's no sense in me re-phrasing the Apigee Edge documentation here in a response. If there's something about the documentation that seems unclear, or if you are observing some behavior that contradicts the documented expected behavior, please describe that, and someone will try to coach you through it.
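For the southbound setup asked about in items 2 and 3 (keystore referenced indirectly, TargetEndpoint with client authentication), here is an illustrative Apigee Edge TargetEndpoint fragment. It is an added example, not code from this thread or from the Apigee documentation; the reference names `mtls-keystore-ref` and `mtls-truststore-ref`, the alias `apigee-client` and the backend URL are assumed placeholders.

```xml
<!-- Added example (not from this thread): Apigee Edge TargetEndpoint using
     outbound (southbound) mutual TLS towards an enterprise load balancer.
     Reference names, key alias and URL are placeholders for illustration. -->
<TargetEndpoint name="default">
  <HTTPTargetConnection>
    <SSLInfo>
      <Enabled>true</Enabled>
      <!-- Edge presents a client certificate during the handshake -->
      <ClientAuthEnabled>true</ClientAuthEnabled>
      <!-- Keystore holding Edge's client private key and certificate chain.
           Using a ref:// reference (instead of the keystore name) lets the
           keystore be rotated without redeploying the proxy. -->
      <KeyStore>ref://mtls-keystore-ref</KeyStore>
      <KeyAlias>apigee-client</KeyAlias>
      <!-- Truststore with the CA that signed the load balancer's server
           certificate, so Edge (acting as TLS client) validates the server side
           of the handshake rather than trusting any certificate presented. -->
      <TrustStore>ref://mtls-truststore-ref</TrustStore>
      <!-- Keep validation enabled; setting this to true would accept any
           server certificate and defeat the point of the truststore. -->
      <IgnoreValidationErrors>false</IgnoreValidationErrors>
    </SSLInfo>
    <URL>https://backend.example.com</URL>
  </HTTPTargetConnection>
</TargetEndpoint>
```

On the load balancer side the matching pieces are a trust store containing the CA that issued Edge's client certificate (so it can require and verify that certificate) and its own server key/certificate, which is what the reply above describes in product-neutral terms.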

The Keystore-TrustStore document indicates:

"For two-way TLS, both the TLS client and the TLS server can use a truststore. A truststore is required when performing two-way TLS when Edge acts as the TLS server."

--> Will require a truststore even when Edge acts as the TLS client.

TLS/SSL indicates two-way TLS with client and server without a trust store and with an optional trust store.

If we refer to Apigee Edge to backend, it indicates the same scenario of TLS client and TLS server, and educates that the trust store is part of the handshake, meaning not optional (in a similar TLS client and TLS server).

Hi, I'm sorry, I'm not understanding what you're asking here.

Is there a question?