Encryption-Decryption in APIGEE

When we get an encrypted request to our APIGEE API proxy, and we want the APIGEE proxy to decrypt it before letting it reach the backend, should I have to think about SSL so that encryption-decryption happens through keys in certificates for such a requirement? Or do we have to randomly create keys, as we get AESEncryptionDecryption Java programs, and use a Java callout in an APIGEE policy? Or are there any other better design solutions?


kctreacy
Participant I

You need to think about encryption at two levels: 1) transport-level encryption and 2) data or message-level encryption.

In most scenarios only transport-level security is used. In that scenario the data/message is only encrypted while in transit on-the-wire. This is provided by HTTPS (TLS/SSL). When the HTTPS connection is terminated the message is then available as "clear text". So when the message hits your proxy it has already been decrypted. If your proxy then accesses a target back-end using HTTPS it is then encrypted again. All of this happens for you and you don't have to do anything explicitly in your proxy.

If, however, your client is explicitly encrypting the message contents before it sends to the HTTPS endpoint hosting your proxy, which is less common, then the contents of the message need to be decrypted in your proxy if you need to work with / access the message in your proxy. Likely you would need to use a custom Java callout for that scenario to handle the decryption of the message in your proxy.

BTW if you're looking for AES crypto, there's an example callout for that.

https://github.com/DinoChiesa/ApigeeEdge-CustomPolicy-AesCrypto

Alternatively if you're doing XML encryption, there's a callout for that.

https://github.com/DinoChiesa/ApigeeEdge-Java-XmlCipher
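
An added example, not part of the thread and not taken from the linked callout repositories: the message-level decryption step described in the first reply, written as plain Java of the kind a custom callout could wrap. AES-GCM, the base64 `IV || ciphertext || tag` envelope, and the names `MessageLevelDecrypt`, `decrypt` and `encrypt` are assumptions; the key and payload are constructed demo values.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public class MessageLevelDecrypt {
    static final int IV_LEN = 12;    // bytes; assumed envelope layout: IV || ciphertext || tag
    static final int TAG_BITS = 128; // GCM authentication tag length

    // Decrypts base64(IV || ciphertext || tag); throws if the payload was modified.
    static String decrypt(byte[] key, String b64) throws GeneralSecurityException {
        byte[] env = Base64.getDecoder().decode(b64);
        if (env.length < IV_LEN + TAG_BITS / 8) throw new GeneralSecurityException("envelope too short");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
               new GCMParameterSpec(TAG_BITS, env, 0, IV_LEN));
        byte[] plain = c.doFinal(env, IV_LEN, env.length - IV_LEN);
        return new String(plain, StandardCharsets.UTF_8);
    }

    // Client side, included only to build a sample input for the demo.
    static String encrypt(byte[] key, String plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);  // a fresh IV for every message under the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] env = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, env, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(env);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];  // constructed all-zero demo key; a real key is provisioned securely
        String body = encrypt(key, "{\"account\":\"12345\"}");  // constructed sample payload
        System.out.println(decrypt(key, body));
        byte[] bad = Base64.getDecoder().decode(body);
        bad[bad.length - 1] ^= 1;   // simulate modification in transit
        try {
            decrypt(key, Base64.getEncoder().encodeToString(bad));
        } catch (AEADBadTagException e) {
            System.out.println("rejected: authentication tag mismatch");
        }
    }
}
```

Using an authenticated mode means the proxy rejects a modified payload instead of forwarding corrupted plaintext to the backend.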