Invalid Trust Store | Target | 2 way SSL

Hi Everyone,

I am configuring 2-way SSL for a target backend, with Apigee as the client. Please find the steps I have followed below.

While testing from the TLS Keystore I always get this error:

Error: Invalid Truststore. Unable to find valid certification path to requested target

Note: We are using Apigee as a SaaS model in Google public cloud.

Steps:

1- Apigee is the TLS client; the backend is 2-way SSL

2- Generated a private key using OpenSSL

3- Shared the p10 file with the TLS server

4- Received a p7 file

5- Prepared a p12 file out of the key and the p7 file

6- Created a keystore in the Edge environment

7- Created an alias and imported the p12

8- Test from the TLS Keystore is failing - Error: Invalid Truststore. Unable to find valid certification path to requested target

Commands used, in sequence:

$ openssl genrsa -out client.key 2048

$ openssl req -new -key client.key -out $(date '+%Y%m%d').<description>.p10

$ openssl pkcs7 -in file.p7b -inform PEM -out resultat.pem -print_certs

$ openssl pkcs12 -export -inkey client.key -in resultat.pem -name "<your name>" -out finalCert.p12

Thanks,

Patty


I'm sorry you're having trouble.

TLS can be tricky to set up in the best of times.

While you were very explicit about some of the steps you followed, you specifically did not outline how you uploaded the P12 file into the keystore, and how you configured the SSLInfo in your target. And you didn't mention the Truststore at all.

You described the KEYSTORE but not TRUSTSTORE. And if you're doing 2-way TLS, you need both. This is described here.

The keystore identifies the key and the signing cert which provides the identity of the Apigee Edge peer.

The Truststore provides certs that are trusted, for verifying the identity of the peer (your upstream or "backend").

The error message you cited, "Invalid Truststore. Unable to find valid certification path to requested target", suggests that the problem is in the Truststore, not the keystore.

So I suggest:

Check your SSLInfo.

Check the contents of the truststore you use in the SSLInfo.

Thank you Dino for the reply.

Please find the target connection in the proxy below. However, this error is coming when testing from the TLS Keystore. I have created only a keystore and an alias; I have not created any truststore.

Environment -> TLS Keystores -> Keystore name -> Test [Error: Invalid Truststore. Unable to find valid certification path to requested target]

I have not tested from the proxy since the test from the TLS Keystore is failing. Please help me understand whether creation of a truststore is mandatory or optional.

Steps to create the keystore in the Edge UI:

1- Environment

2- TLS Keystores

3- + Keystore -> Keystore name (myse) -> Add Keystore

4- Selected the created keystore, then clicked + Alias

5- Alias name (myse-sqe) -> Certificate: selected PKCS12/PFX

6- Chose finalCert.p12 as per the above steps

7- Save

Target Connection code - not yet tested from the proxy since it is failing from the TLS Keystore:

    <HTTPTargetConnection>
        <SSLInfo>
            <Enabled>true</Enabled>
            <ClientAuthEnabled>true</ClientAuthEnabled>
            <KeyStore>myse</KeyStore>
            <KeyAlias>myse-sqe</KeyAlias>
        </SSLInfo>
        <LoadBalancer>
            <Server name="MYSE-Server"/>
        </LoadBalancer>
        <Path>{targetPath}</Path>
    </HTTPTargetConnection>

Thanks,

Patty

Hi Patty

Sorry for the delay, I'm just seeing this now.

You need a TrustStore element in that SSLInfo.

Peer authentication won't work without a TrustStore.

Keystore provides the key + cert to identify THIS peer (Apigee).

Truststore provides the certs to validate THE OTHER SIDE (upstream, your target server).

I think maybe the error is misleading because it says "Invalid Truststore" but really it is "Missing Truststore".

Bottom line: you need to specify a Truststore.

        <SSLInfo>
            <Enabled>true</Enabled>
            <ClientAuthEnabled>true</ClientAuthEnabled>

            <!-- add this -->
            <TrustStore> ? ? ? ? ? </TrustStore>

            <KeyStore>myse</KeyStore>
            <KeyAlias>myse-sqe</KeyAlias>
        </SSLInfo>

Hi Dino,

I have added a truststore but still cannot connect to the target server. Need your insight on what should be imported into the truststore and what should go into the keystore.

All I have is p12 file received from the target server.

Thanks,

Dwiti

Hi Dwiti

Configuration instructions for 2-way TLS, including how to configure the KeyStore and Truststore, are described here.

Hi @pattysap ,

You should also use references instead of directly specifying the Keystore/Truststore name.

This will ensure that when you are renewing the certificate, there won't be any outages.

Thanks and Regards,

Gaurav Bhandari
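Pulling the two answers together, here is an added example (not code posted in this thread, and not Apigee's documentation sample) of the SSLInfo the proxy needs: the keystore and alias the original poster already created, plus the TrustStore element Dino says is missing, with both expressed as references as Gaurav recommends. The reference names myse-keystore-ref and myse-truststore-ref are assumed; the `ref://` syntax is Apigee Edge's own.

```xml
<!-- Added example, not from the thread. Complete SSLInfo for a 2-way TLS
     target in Apigee Edge. The reference names myse-keystore-ref and
     myse-truststore-ref are assumptions; the ref:// syntax is Apigee's. -->
<HTTPTargetConnection>
    <SSLInfo>
        <Enabled>true</Enabled>
        <!-- Apigee presents its own certificate to the target (2-way TLS) -->
        <ClientAuthEnabled>true</ClientAuthEnabled>

        <!-- Identity of THIS peer (Apigee): the private key and signed
             certificate imported from finalCert.p12 under alias myse-sqe.
             myse-keystore-ref is assumed to resolve to the keystore "myse". -->
        <KeyStore>ref://myse-keystore-ref</KeyStore>
        <KeyAlias>myse-sqe</KeyAlias>

        <!-- Trust anchors for THE OTHER peer (the target server): the CA
             certificate chain that issued the target server's certificate.
             This is a separate truststore, not Apigee's own p12; without it
             Edge reports "Invalid Truststore" because there is nothing to
             build a certification path against. -->
        <TrustStore>ref://myse-truststore-ref</TrustStore>
    </SSLInfo>
    <LoadBalancer>
        <Server name="MYSE-Server"/>
    </LoadBalancer>
    <Path>{targetPath}</Path>
</HTTPTargetConnection>
```

Each `ref://` name is a reference created in the environment (in the Edge UI under Environment > References, or with the management API) that points at a keystore or truststore by name. At renewal time you upload the new material into a fresh keystore or truststore and repoint the reference; the proxy configuration above does not change and needs no redeploy, which is the outage-free rotation Gaurav describes.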