Configure 2-way TLS in Edge

Hi All,

I am trying to set up 2-way TLS connectivity between my on-prem (v4.18.01) DEV (as client) and SIT (as server) environments. Have created a virtual host in SIT (server) with the respective keystore/alias (key & pem files) and also defined a truststore by adding the DEV (client) pem file. Similarly, have created a target server in DEV (client) with the respective keystore/alias (key & pem files) and also defined a truststore by adding the SIT (server) pem file. But I am getting an error "400 no required ssl certificate was sent" when I try to invoke the SIT API endpoint from the DEV environment. As per the tcpdump file, the client has sent the hello message and received the server certificate, but then the client is not sending its certificate to the server and I could see a failure. Did I miss any step in DEV (client) to send its certificate to the server as part of the handshake? Have also tried adding ROOT to the keystore but no use. Any help would be greatly appreciated.


Please show the SSLInfo for the DEV (TargetServer / client).

For 2-way TLS, the SSLInfo should have ClientAuthEnabled. Do you have that?

From the documentation:

<SSLInfo>
  <Enabled>true</Enabled>
  <ClientAuthEnabled>true</ClientAuthEnabled>
  <KeyStore>ref://myKeyStoreRef</KeyStore>
  <TrustStore>ref://myTrustStoreRef</TrustStore>
  <KeyAlias>myKey</KeyAlias>
</SSLInfo>

@Dino-at-Google, PFB DEV (Client)/ SIT (Server) side configuration.

DEV (Client):

<HTTPTargetConnection>
    <Properties/>
    <SSLInfo>
        <Enabled>true</Enabled>
        <ClientAuthEnabled>true</ClientAuthEnabled>
        <KeyStore>dev2wayTLSkeystore</KeyStore>
        <KeyAlias>dev2wayTLSkey</KeyAlias>
        <TrustStore>ref://DEVTrustStoreRef</TrustStore>
    </SSLInfo>
    <URL>https://dummy-domail-url/sanityCheckTest</URL>
    <!--<LoadBalancer>
        <Server name="2wayTLS"/>
    </LoadBalancer>
    <Path>/sanityCheckTest</Path>-->
</HTTPTargetConnection>

SIT (Server - VirtualHost):

{
  "hostAliases" : [ "dummy-domain-url" ],
  "name" : "2wayTLS",
  "port" : "1234",
  "sSLInfo" : {
    "clientAuthEnabled" : "true",
    "enabled" : "true",
    "ignoreValidationErrors" : false,
    "keyAlias" : "sitkey",
    "keyStore" : "sitkeystore",
    "trustStore" : "ref://QATrustStoreRef"
  }
}

As per the tcpdump, the server is responding to the client with its certificate but not requesting the client's certificate. Am I missing any setting?


robert

Hey @Mahammad Feroz. Is the server OPDK as well? Either way, I suggest trying to get the northbound working first. So, create a simple proxy that is a GET and returns a simple "hello world" in the body. Then use a browser to call Edge and check if the server cert is looking correct there. Here are some steps on how to view certs from various browsers.

Once the above is confirmed, I suggest using postman as the client and have it send the client cert to Edge virtual host. Here's a link to using certs with postman.

Once you verify the server is sending the correct server cert AND that you are able to send the client cert from postman, all you have left is to configure the target server to send the same client cert.

Also, do you have anything in front of Edge server like a load balancer that might be terminating TLS? If so, take it out of the equation (if possible). Check the VH restrictions here: Restrictions using Refs for keystores and trust-stores

Also, your server-side VH isn't using a reference. Change that to use a reference, but you may need to restart your RMP as described here. I would probably just create a new virtual host and go from there using references for the keystore and truststore.

Hope this info helps! Try out these suggestions and let us know if you got it working!
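The two answers above boil down to a checklist: the client-side SSLInfo needs Enabled, ClientAuthEnabled, KeyStore, KeyAlias and TrustStore, the server-side VirtualHost needs clientAuthEnabled plus a trustStore, and both sides should use ref:// references rather than direct keystore names. The script below is an added example (not code from the thread or from Apigee) that lints both configuration fragments for exactly those points. The two sample configurations are the ones posted above; BROKEN_CLIENT_XML is a constructed variant with ClientAuthEnabled left out, and the ref:// and ignoreValidationErrors rules are assumptions drawn from the replies, not an Apigee API.

```python
import json
import xml.etree.ElementTree as ET

# Elements a 2-way TLS client-side SSLInfo (TargetServer / HTTPTargetConnection) must carry.
CLIENT_REQUIRED = ("Enabled", "ClientAuthEnabled", "KeyStore", "KeyAlias", "TrustStore")
# Keys the server-side VirtualHost sSLInfo needs to request and verify a client cert.
SERVER_REQUIRED = ("enabled", "clientAuthEnabled", "keyStore", "keyAlias", "trustStore")

# Client configuration as posted in the thread (DEV side).
DEV_TARGET_XML = """<HTTPTargetConnection>
    <Properties/>
    <SSLInfo>
        <Enabled>true</Enabled>
        <ClientAuthEnabled>true</ClientAuthEnabled>
        <KeyStore>dev2wayTLSkeystore</KeyStore>
        <KeyAlias>dev2wayTLSkey</KeyAlias>
        <TrustStore>ref://DEVTrustStoreRef</TrustStore>
    </SSLInfo>
    <URL>https://dummy-domail-url/sanityCheckTest</URL>
</HTTPTargetConnection>"""

# Server configuration as posted in the thread (SIT side).
SIT_VHOST_JSON = """{
  "hostAliases" : [ "dummy-domain-url" ],
  "name" : "2wayTLS",
  "port" : "1234",
  "sSLInfo" : {
    "clientAuthEnabled" : "true",
    "enabled" : "true",
    "ignoreValidationErrors" : false,
    "keyAlias" : "sitkey",
    "keyStore" : "sitkeystore",
    "trustStore" : "ref://QATrustStoreRef"
  }
}"""

# Constructed sample: references are fine, but ClientAuthEnabled is missing,
# so the client will never present its certificate during the handshake.
BROKEN_CLIENT_XML = """<SSLInfo>
  <Enabled>true</Enabled>
  <KeyStore>ref://myKeyStoreRef</KeyStore>
  <TrustStore>ref://myTrustStoreRef</TrustStore>
  <KeyAlias>myKey</KeyAlias>
</SSLInfo>"""


def _is_true(value):
    """Apigee serialises booleans both as JSON booleans and as the strings 'true'/'false'."""
    return str(value).strip().lower() == "true"


def check_client_sslinfo(xml_text):
    """Return a list of findings for a client-side SSLInfo; an empty list means 2-way TLS is fully configured."""
    root = ET.fromstring(xml_text)
    ssl = root if root.tag == "SSLInfo" else root.find(".//SSLInfo")
    if ssl is None:
        return ["no <SSLInfo> element: connection is plain or default TLS"]
    values = {child.tag: (child.text or "").strip() for child in ssl}
    findings = []
    for tag in CLIENT_REQUIRED:
        if not values.get(tag):
            findings.append(f"missing <{tag}>")
    for tag in ("Enabled", "ClientAuthEnabled"):
        if tag in values and not _is_true(values[tag]):
            findings.append(f"<{tag}> is '{values[tag]}', expected 'true'")
    # Assumption from the replies: keystore/truststore should be ref:// references.
    for tag in ("KeyStore", "TrustStore"):
        value = values.get(tag)
        if value and not value.startswith("ref://"):
            findings.append(f"<{tag}> '{value}' is a direct name, not a ref:// reference")
    return findings


def check_server_sslinfo(vhost_json_text):
    """Return a list of findings for a VirtualHost's sSLInfo block."""
    vhost = json.loads(vhost_json_text)
    ssl = vhost.get("sSLInfo") or {}
    if not ssl:
        return ["no sSLInfo: virtual host is not TLS-enabled"]
    findings = []
    for key in SERVER_REQUIRED:
        if not ssl.get(key):
            findings.append(f"missing {key}")
    for key in ("enabled", "clientAuthEnabled"):
        if key in ssl and not _is_true(ssl[key]):
            findings.append(f"{key} is '{ssl[key]}', expected 'true'")
    for key in ("keyStore", "trustStore"):
        value = ssl.get(key)
        if value and not str(value).startswith("ref://"):
            findings.append(f"{key} '{value}' is a direct name, not a ref:// reference")
    # A server that ignores validation errors accepts any presented client certificate.
    if _is_true(ssl.get("ignoreValidationErrors", False)):
        findings.append("ignoreValidationErrors=true: client certificates are not validated")
    return findings


if __name__ == "__main__":
    for label, findings in (
        ("DEV client", check_client_sslinfo(DEV_TARGET_XML)),
        ("SIT server", check_server_sslinfo(SIT_VHOST_JSON)),
        ("constructed client", check_client_sslinfo(BROKEN_CLIENT_XML)),
    ):
        print(label, "->", findings or ["ok"])
```

Run against the thread's own fragments, the only findings are the direct keystore names on both sides (Robert's point about references); the constructed variant shows how a missing ClientAuthEnabled surfaces, which is the symptom in the original tcpdump: the client receives the server certificate but never sends its own.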