Client Authentication based on client certificate in One way ssl.

We are trying to attain client certificate authentication for one of our clients, wherein, while making calls to our proxy, they will be presenting their certificate and we will use the certificate to authenticate that calls are coming from the specific client.

Can we achieve this with our proxy?


Yes. You can achieve this with Apigee Edge.

What you're describing is 2-way TLS. Your question title mentioned "one way SSL". That's not what you're describing in the question text though.

When a client presents a certificate, for use at the transport layer, and connects to a secure server (your API hosted in Apigee Edge), it's 2-way TLS. Check the Apigee Edge documentation for how to set this up.

If this is not what you are talking about, then you will need to elaborate on what you mean by "they will be presenting their certificate". In what way would the client present a certificate that does not involve 2-way TLS? Be specific and clear.

First of all, sorry for posting my question here; I am not able to post a new question due to an error (maybe a JavaScript error). I feel this question is somewhat related to my question below.

Question: How to configure certificate-based authentication to access a target or backend API from Apigee (API Proxy).

We have the below scenario:

There is an API in the target (backend), and API calls are allowed by certificate handshake. In the Google Chrome browser we have configured (imported / installed) the .pfx certificate (mypersonalcert.pfx) and the root certificate .pem (ca-crt.pem) files, and they are listed in the Manage Certificates "Personal" and "Trusted Root Certification Authorities" tabs.

After that, if I make the API call from the browser, I can get the API response from the target (backend). How can we configure the same in Apigee Edge Cloud? There is an option to upload a .pfx certificate in TLS keystores, but how do we also upload ca-crt.pem along with it (or can it be uploaded separately)?

Dino-at-Google, could you please let us know how to configure and make a call from Apigee (API Proxy), and the configuration needed at the TargetEndpoint (if any). Thanks in advance.

Regards,

Meenakshi Sundar.

Not applicable

What I understand is that you want TLS between Apigee and the backend.

You can have two types of configuration.

If you are using a load balancer variable, you can configure the keystore, truststore and alias in the target server configuration using a management API call.

If you are using a URL or dynamic target, then in the target endpoint protection, inside the targethttp connection, you can configure those.

You need to upload the pfx certificate or pem file to the keystore and the backend's certificate to the truststore. The root and intermediate certificates can be uploaded to the truststore separately as pem files.

In the keystore, there are a couple of options, like pem file upload or pfx file upload, etc. You can do those.

Ref: https://docs.apigee.com/api-platform/system-administration/configuring-ssl-edge-backend-service
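
The two configurations described in the reply above, written out as an added example (not part of the original thread and not taken from the poster's environment). The reference names `backendKeystoreRef` and `backendTruststoreRef`, the alias `clientcert`, the target server name and the host `backend.example.com` are assumptions; the keystore is assumed to hold the key pair from mypersonalcert.pfx and the truststore the CA certificate from ca-crt.pem.

```xml
<!-- File 1: TargetEndpoint with a fixed URL.
     SSLInfo sits inside HTTPTargetConnection. -->
<TargetEndpoint name="default">
  <HTTPTargetConnection>
    <SSLInfo>
      <Enabled>true</Enabled>
      <!-- Apigee presents its own certificate to the backend (2-way TLS) -->
      <ClientAuthEnabled>true</ClientAuthEnabled>
      <!-- Assumed reference to the keystore holding the client key pair -->
      <KeyStore>ref://backendKeystoreRef</KeyStore>
      <!-- Assumed alias given to the key pair at upload time -->
      <KeyAlias>clientcert</KeyAlias>
      <!-- Assumed reference to the truststore holding the backend's CA chain -->
      <TrustStore>ref://backendTruststoreRef</TrustStore>
      <!-- Keep validation of the backend certificate switched on -->
      <IgnoreValidationErrors>false</IgnoreValidationErrors>
    </SSLInfo>
    <!-- Placeholder backend URL -->
    <URL>https://backend.example.com/api</URL>
  </HTTPTargetConnection>
</TargetEndpoint>

<!-- File 2: TargetServer definition, used when the TargetEndpoint
     load-balances across named target servers. The same SSLInfo block
     moves into the target server, which is created through the
     management API. -->
<TargetServer name="backend-target-1">
  <Host>backend.example.com</Host>
  <Port>443</Port>
  <IsEnabled>true</IsEnabled>
  <SSLInfo>
    <Enabled>true</Enabled>
    <ClientAuthEnabled>true</ClientAuthEnabled>
    <KeyStore>ref://backendKeystoreRef</KeyStore>
    <KeyAlias>clientcert</KeyAlias>
    <TrustStore>ref://backendTruststoreRef</TrustStore>
  </SSLInfo>
</TargetServer>
```

Leaving out the `TrustStore` element means the backend's certificate is not checked against your CA chain, so the proxy would authenticate itself to a server it has not verified.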