How to enable mutual SSL authentication for inbound calls to Apigee

Hi,

We are implementing mutual SSL authentication for inbound calls to Apigee. The client certificates can be issued by multiple CAs, so we can't add just one CA. How do we add multiple CAs so that all the client certificates are trusted?

Thanks

Shiv

1 ACCEPTED SOLUTION

Easy to accomplish using the Management API

1. Create a truststore you will use for your VHost configuration.

curl -i -u "$USERNAME:$PASSWORD" -n -H "Content-Type: text/xml" -d '<KeyStore name="truststorewithmanycacertficates"/>' https://api.enterprise.apigee.com/v1/o/$ORG/environments/$ENV/keystores

2. Keep adding CA trust certificates to the truststore ad nauseam.

# repeat for each cert-<x>.pem; the file name (minus .pem) becomes the alias
for f in cert-*.pem; do
  curl -i -u "$USERNAME:$PASSWORD" -n -H "Content-Type: multipart/form-data" -F certFile="@$f" "https://api.enterprise.apigee.com/v1/o/$ORG/environments/$ENV/keystores/truststorewithmanycacertficates/aliases?alias=${f%.pem}&format=keycertfile"
done

3. Validate the list of certificate aliases

curl  -i -u "$USERNAME:$PASSWORD" -n https://api.enterprise.apigee.com/v1/o/$ORG/environments/$ENV/keystores/truststorewithmanycacertfica...

4. Refer to it in the VHOST configuration that enables and configures mTLS

curl -i -u "$USERNAME:$PASSWORD" -n -H "Content-Type: application/json" https://api.enterprise.apigee.com/v1/o/$ORG/environments/$ENV/virtualhosts -d '{
  "name": "exco-vhost",
  "hostAliases": ["exco-test.apigee.net"],
  "port": "443",
  "ocspStapling": "off",
  "baseUrl": "https://api.exco.com",
  "SSLInfo": {
    "enabled": true,
    "keyStore": "freetrial",
    "keyAlias": "freetrial",
    "clientAuthEnabled": true,
    "trustStore": "truststorewithmanycacertficates"
  },
  "propagateTLSInformation": {
    "clientProperties": false,
    "connectionProperties": false
  }
}'

See for details: https://docs.apigee.com/api-platform/system-administration/creating-keystores-and-truststore-cloud-u...


Better to use a reference to the truststore to avoid restarting the routers when certificates are changed.

However, note that when a new certificate is added, even with a reference, a restart is required.

https://docs.apigee.com/api-platform/system-administration/working-references
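The four Management API steps from the accepted answer and the truststore reference recommended in the reply above, combined into one script. This is an added example written for this page, not code from the thread or from Apigee. It assumes ORG, ENV, USERNAME and PASSWORD are exported by the caller, that the CA certificates are PEM files in a directory, and that the names mtls-truststore and mtls-truststore-ref are placeholders you would replace. The references body (name, refers, resourceType) and the virtual host keys (sSLInfo with string values) follow the JSON shapes in the Apigee Edge docs linked in this thread, which differ in casing from the accepted answer's SSLInfo. DRY_RUN=1 prints each call instead of executing it, so the change can be reviewed before it touches the org; the CA check refuses to upload a leaf certificate as if it were an issuer, which would otherwise trust exactly one client and nothing else.

```shell
#!/bin/sh
# Added example (not from the thread): accepted answer's steps as functions,
# plus the truststore reference from the follow-up reply. Placeholders below
# are assumptions, not values from the thread.

MGMT="${MGMT:-https://api.enterprise.apigee.com/v1}"
TRUSTSTORE="${TRUSTSTORE:-mtls-truststore}"
TRUSTSTORE_REF="${TRUSTSTORE_REF:-mtls-truststore-ref}"
DRY_RUN="${DRY_RUN:-0}"
SKIP_CA_CHECK="${SKIP_CA_CHECK:-0}"

# curl wrapper; with DRY_RUN=1 it prints the call (credentials stay as the
# literal variable names, never expanded) and returns success.
mgmt() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'curl -s -u "$USERNAME:$PASSWORD" %s\n' "$*"
  else
    curl -s -u "$USERNAME:$PASSWORD" "$@"
  fi
}

# Alias from the file name: directory and extension stripped, anything outside
# [A-Za-z0-9_.-] replaced by "_" so it is safe in the query string.
alias_for_file() {
  base="${1##*/}"
  base="${base%.*}"
  printf '%s' "$base" | tr -c 'A-Za-z0-9_.-' '_'
}

# A truststore entry that is not a CA trusts one client instead of an issuer.
# Uses openssl if present; accepts the file unchecked if openssl is absent.
is_ca_cert() {
  command -v openssl >/dev/null 2>&1 || return 0
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Step 1: create the empty truststore.
create_truststore() {
  mgmt -X POST -H "Content-Type: application/json" \
    -d "{\"name\": \"$TRUSTSTORE\"}" \
    "$MGMT/o/$ORG/environments/$ENV/keystores"
}

# Step 2: upload every CA PEM in a directory under its own alias.
upload_ca_certs() {
  for f in "$1"/*.pem; do
    [ -e "$f" ] || { echo "no .pem files in $1" >&2; return 1; }
    if [ "$SKIP_CA_CHECK" != "1" ] && ! is_ca_cert "$f"; then
      echo "skipping $f: not a CA certificate" >&2
      continue
    fi
    mgmt -X POST -F "certFile=@$f" \
      "$MGMT/o/$ORG/environments/$ENV/keystores/$TRUSTSTORE/aliases?alias=$(alias_for_file "$f")&format=keycertfile"
  done
}

# Step 3: list what the truststore now holds.
list_aliases() {
  mgmt "$MGMT/o/$ORG/environments/$ENV/keystores/$TRUSTSTORE/aliases"
}

# Reference the virtual host points at, so a replacement truststore can be
# swapped in by updating the reference instead of editing the vhost.
create_reference() {
  mgmt -X POST -H "Content-Type: application/json" \
    -d "{\"name\": \"$TRUSTSTORE_REF\", \"refers\": \"$TRUSTSTORE\", \"resourceType\": \"KeyStore\"}" \
    "$MGMT/o/$ORG/environments/$ENV/references"
}

# Step 4: vhost body. $1 vhost name, $2 host alias, $3 keystore, $4 key alias.
# clientAuthEnabled is what turns mTLS on; without it the truststore is unused.
vhost_payload() {
  cat <<EOF
{
  "name": "$1",
  "hostAliases": ["$2"],
  "port": "443",
  "sSLInfo": {
    "enabled": "true",
    "clientAuthEnabled": "true",
    "keyStore": "$3",
    "keyAlias": "$4",
    "trustStore": "ref://$TRUSTSTORE_REF"
  }
}
EOF
}

create_vhost() {
  vhost_payload "$@" | mgmt -X POST -H "Content-Type: application/json" -d @- \
    "$MGMT/o/$ORG/environments/$ENV/virtualhosts"
}

# Usage: [DRY_RUN=1] ./mtls-truststore.sh run ./ca-certs exco-vhost exco-test.apigee.net freetrial freetrial
if [ "${1:-}" = "run" ]; then
  create_truststore && upload_ca_certs "$2" && list_aliases && create_reference \
    && create_vhost "$3" "$4" "$5" "$6"
fi
```

Run it once with DRY_RUN=1 and diff the printed calls against what you expect (aliases, truststore name, ref:// in the vhost body) before running it for real; the dry run also doubles as a change record for the review that a vhost change on a shared router usually needs.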

I am currently working on the same problem statement; however, adding new certificates requires restarting the router each time.

A better approach we are considering right now is to have clients send us CSRs, which we use to generate certs for them. The root is obviously already added to the trust store.