mTLS - extract custom fields in Proxy

deniska

Hi Team,

Here's an interesting one.

I'm implementing PSD2 Berlin Group (NextGenPSD2) with Apigee.

One of the requirements in the flow is mTLS between the incoming Fintech and my API. The communication is based on the ETSI standard of certificates (ASN.1).

Now, I have the certificate, and it has all the relevant regular TLS fields: CN, DN, subject, email etc. I can also see these variables in my Apigee proxy (deployed to the mTLS Virtual Host).

However, I also need to pull out the QC Statements field, which, according to the documentation, is not declared as a variable. The problem is that I can handle it (theoretically) at the MP level with a Java callout and the BouncyCastle API, but the actual mTLS happens at the Router level, and as I understand it only relevant and declared variables reach the MP.

I came across this topic on the forum (the Router is NGINX in the end), and I thought I could somehow give the Router an additional directive to also send the QC statement to me. But I didn't see any relevant directive, and I don't understand what the variable would be in the MP proxy flow.

https://community.apigee.com/articles/39667/how-to-customize-nginx-settings-by-virtualhost.html

Any help here? This is how the certificate looks:

(attached screenshot of the certificate: 8298-untitled.png)

Solved
ACCEPTED SOLUTION

Hi

You want to use settings on the Vhost. There are new settings that ask that client TLS cert information be propagated to the MP via context variables. It looks like this:

<VirtualHost name="secure">
    ....
    <SSLInfo>
        <Enabled>true</Enabled>
        <!-- Enable two-way TLS. -->
        <ClientAuthEnabled>true</ClientAuthEnabled>
        <IgnoreValidationErrors>false</IgnoreValidationErrors>
        <KeyAlias>ks-alias</KeyAlias>
        <KeyStore>ref://ks-ref</KeyStore>
        <TrustStore>ref://ts-ref</TrustStore>
    </SSLInfo>
    <PropagateTLSInformation>
        <ConnectionProperties>true</ConnectionProperties>
        <ClientProperties>true</ClientProperties>
    </PropagateTLSInformation>
</VirtualHost>

Then, you will need to use a Java callout (maybe this one) to extract information from the cert. The context variable you want is tls.client.raw.cert. I could imagine caching the data you extract, keyed by the fingerprint (tls.client.cert.fingerprint), so as to avoid the Java parsing for every single API call.

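As an added example (written for this thread; it is neither Yuriy's callout nor code from the original post), here is a Java callout that does what the accepted answer describes: read tls.client.raw.cert (assumed here to be PEM, as the thread implies), parse the qcStatements extension (OID 1.3.6.1.5.5.7.1.3) with BouncyCastle, expose the result as flow variables, and cache the parsed result per tls.client.cert.fingerprint. The qc.* variable names and the in-memory cache are assumptions of this example; the PSD2 statement OID 0.4.0.19495.2 and the PSD2QcType layout (roles, NCA name, NCA id) are as specified in ETSI TS 119 495.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1String;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.qualified.QCStatement;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.openssl.PEMParser;

import com.apigee.flow.execution.ExecutionContext;
import com.apigee.flow.execution.ExecutionResult;
import com.apigee.flow.execution.spi.Execution;
import com.apigee.flow.message.MessageContext;

/**
 * Example callout (not part of the original thread): reads the client
 * certificate the Router already validated and propagated in
 * tls.client.raw.cert, extracts the qcStatements extension and sets qc.*
 * flow variables (names are this example's choice). Parsed results are
 * cached per tls.client.cert.fingerprint so BouncyCastle runs once per cert.
 */
public class QcStatementsCallout implements Execution {

    // id-etsi-psd2-qcStatement (ETSI TS 119 495). Its statementInfo is
    // PSD2QcType ::= SEQUENCE { rolesOfPSP SEQUENCE OF SEQUENCE { roleOid OID, roleName UTF8String },
    //                           nCAName UTF8String, nCAId UTF8String }
    static final ASN1ObjectIdentifier ID_ETSI_PSD2_QCSTATEMENT = new ASN1ObjectIdentifier("0.4.0.19495.2");

    // Per-MP, unbounded in-memory cache keyed by certificate fingerprint (assumption; see note below).
    private static final Map<String, Map<String, String>> CACHE = new ConcurrentHashMap<>();

    @Override
    public ExecutionResult execute(MessageContext msgCtxt, ExecutionContext exeCtxt) {
        try {
            String pem = (String) msgCtxt.getVariable("tls.client.raw.cert");
            if (pem == null || pem.isEmpty()) {
                msgCtxt.setVariable("qc.error", "no client certificate in tls.client.raw.cert");
                return ExecutionResult.ABORT;
            }
            String fp = (String) msgCtxt.getVariable("tls.client.cert.fingerprint");
            Map<String, String> vars = (fp != null) ? CACHE.get(fp) : null;
            if (vars == null) {
                vars = extract(pem);            // only runs on a cache miss
                if (fp != null) CACHE.put(fp, vars);
            }
            for (Map.Entry<String, String> e : vars.entrySet()) {
                msgCtxt.setVariable(e.getKey(), e.getValue());
            }
            return ExecutionResult.SUCCESS;
        } catch (Exception e) {
            msgCtxt.setVariable("qc.error", e.toString());
            return ExecutionResult.ABORT;
        }
    }

    /** Parses one PEM certificate and returns the qc.* variables to set. */
    static Map<String, String> extract(String pem) throws Exception {
        Map<String, String> out = new LinkedHashMap<>();
        X509CertificateHolder cert;
        try (PEMParser p = new PEMParser(new StringReader(pem))) {
            Object o = p.readObject();
            if (!(o instanceof X509CertificateHolder)) {
                throw new IllegalArgumentException("PEM is not an X.509 certificate");
            }
            cert = (X509CertificateHolder) o;
        }
        Extension ext = cert.getExtension(Extension.qCStatements);   // 1.3.6.1.5.5.7.1.3
        if (ext == null) {
            out.put("qc.present", "false");
            return out;
        }
        out.put("qc.present", "true");

        List<String> ids = new ArrayList<>();
        List<String> roles = new ArrayList<>();
        // QCStatements ::= SEQUENCE OF QCStatement { statementId OID, statementInfo ANY OPTIONAL }
        ASN1Sequence statements = ASN1Sequence.getInstance(ext.getParsedValue());
        for (int i = 0; i < statements.size(); i++) {
            QCStatement st = QCStatement.getInstance(statements.getObjectAt(i));
            ids.add(st.getStatementId().getId());
            if (ID_ETSI_PSD2_QCSTATEMENT.equals(st.getStatementId()) && st.getStatementInfo() != null) {
                ASN1Sequence psd2 = ASN1Sequence.getInstance(st.getStatementInfo());
                ASN1Sequence rolesOfPsp = ASN1Sequence.getInstance(psd2.getObjectAt(0));
                for (int j = 0; j < rolesOfPsp.size(); j++) {
                    ASN1Sequence role = ASN1Sequence.getInstance(rolesOfPsp.getObjectAt(j));
                    roles.add(ASN1ObjectIdentifier.getInstance(role.getObjectAt(0)).getId());
                }
                out.put("qc.psd2.nca_name", ((ASN1String) psd2.getObjectAt(1)).getString());
                out.put("qc.psd2.nca_id", ((ASN1String) psd2.getObjectAt(2)).getString());
            }
        }
        out.put("qc.statement_ids", String.join(",", ids));
        out.put("qc.psd2.roles", String.join(",", roles));
        return out;
    }
}
```

Build it against bcprov and bcpkix plus the Apigee expressions and message-flow jars, upload the callout jar and the BouncyCastle jars as resources, and reference the class from a JavaCallout policy. Two caveats a practitioner should keep in mind: the variables are only trustworthy because the Router has already verified the chain against the vhost TrustStore with IgnoreValidationErrors set to false, so never fall back to reading the certificate from a client-settable request header; and a qcStatements extension by itself says nothing about whether the issuer is a qualified trust service provider, which is again the TrustStore's job. The static map above is per MP and unbounded; for production either bound it or replace it with PopulateCache/LookupCache policies keyed by the fingerprint.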

REPLIES


Hi Dino,

Thanks for the quick response, your responses always help.

Yes, Yuriy gave me the callout, but my question is whether this new Propagate feature is available on Private Cloud, as I'm working with the on-premise version.

Once I have tls.client.raw.cert, I can work with Yuriy's callout.

My question is how to actually send the PEM to my MP on Private Cloud.

Cheers,

> how to actually send the PEM to my MP on Private Cloud?

If you have the PropagateTLSInformation feature, and you've configured the vhost correctly, then the raw cert gets propagated automatically to your MP. It just shows up in that context variable ("tls.client.raw.cert").

If you have OPDK 1901, then you will have this capability.

There is a bug related to this feature (reference: b/120288238), which affects only some TLS clients. We have a fix and expect to release it in patch release 4.19.01.02.

What is the alternative for customers on versions below 4.19.01?

PropagateTLSInformation is not available in 4.18.05, and I'm looking for some alternative way to get ClientProperties/ConnectionProperties.

An alternative way for OPDK is to use vhost nginx templates as per this community article:

https://community.apigee.com/articles/39667/how-to-customize-nginx-settings-by-virtualhost.html

We made the changes as per the article, but where will the variables be accessible? I didn't see any difference after the changes in router.properties.

Can you provide a few details on how to access the TLS variables in 4.18.x?