2 Way TLS Setup between API Proxy and Backend Target with multiple Client Certificates

Hello Everyone, I'm new to Apigee and am trying to set up the following.

I have one API Proxy which is passing through requests to a backend target which is using Client Certificates to authenticate the user executing the call.

The Proxy will be used by multiple users, each one having their own credentials and personal client certificate and all pointing to the same target endpoint.

I have configured a Proxy, with a Target Endpoint pointing toward the endpoint.

On the Endpoint I have configured the following:

<HTTPTargetConnection>
    <Properties/>
    <SSLInfo>
        <Enabled>true</Enabled>
        <ClientAuthEnabled>true</ClientAuthEnabled>
        <KeyStore>xxx-int-certs2</KeyStore>
        <KeyAlias>xxx-int-tomtest</KeyAlias>
        <TrustStore>xxx-int-root</TrustStore>
    </SSLInfo>
    <URL>https://xxxxx.yyyyyyy.zzzzzz.eu/enpoint</URL>
</HTTPTargetConnection>

And this works fine for one user.

However, if I try to configure a second certificate for a different user, it does not work. I tried creating a second Key Alias under the same KeyStore, and creating a second Keystore with another single Alias in it, but it still does not work, therefore I presume I have to implement some sort of conditional logic, selecting the certificate according to the user connecting.

I guess I can get the decoded username of the connecting user using a BasicAuthentication Policy; however, are there any recommendations on how/where to set up the logic to select the certificate to be used? Or is there any other way to get this to work in a more efficient way?

Thank you to anyone for all your help.

Tommaso


That's unusual.

Your Apigee southbound peer is going to use a different Private Key (= different identity) depending on the inbound client request.

That seems unusual to me, since TLS is intended to be peer-to-peer, and the peer is not changing.

Client -> Apigee -> Upstream

There are multiple distinct Clients connecting to Apigee.

I can understand why you might want 2-way TLS with each client presenting a different Key+Cert.

But Apigee-> Upstream remains the same. It's always Apigee, and always the same upstream (it seems). That's why it seems odd that you'd want the Key+Cert used on that peer-to-peer connection to vary.

Regardless, per the doc, you can use references for the relevant elements within SSLInfo.

So you could do

<SSLInfo>
  <Enabled>true</Enabled>
  <ClientAuthEnabled>true</ClientAuthEnabled>
  <KeyStore>{variable-containing-keystore-ref}</KeyStore>
  <KeyAlias>{var-containing-key-alias}</KeyAlias>
  <TrustStore>{var-containing-truststore-ref}</TrustStore>
  <IgnoreValidationErrors>false</IgnoreValidationErrors>
</SSLInfo>

And yes, then you'd need some logic to SET those variables, somewhere in the target request flow, or prior. And of course at configuration time, you need to configure the various keystores, keyaliases, and truststores for your needs.

---

But I'm still interested in understanding more about this part:

The Proxy will be used by multiple users, each one having their own credentials and personal client certificate and all pointing to the same target endpoint.

And how you get from that ^^ to needing to change the key+cert that Apigee uses. Clients use their own certs, that doesn't mean Apigee needs to modify its cert.
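The "logic to SET those variables" mentioned above, written out as an added example in the style of an Apigee JavaScript policy. This is not code from the thread or from Apigee itself. It assumes a preceding BasicAuthentication policy (Operation Decode) that writes the decoded user into a variable named basicauth.username, that the SSLInfo references the variables as {target.ssl.keystore}, {target.ssl.keyalias} and {target.ssl.truststore}, and it uses placeholder keystore and alias names; the username-to-keystore table is constructed inline for illustration and would normally be kept in an encrypted KVM rather than in policy source. The security point it carries is that an unmapped user fails closed instead of falling back to some default identity:

```javascript
// Added example (not from the original thread): choosing the southbound
// client identity per inbound user, as an Apigee JavaScript policy might.
// Variable names, keystore names and aliases below are assumptions.

// Constructed table: inbound username -> Apigee keystore/alias holding that
// user's client certificate. In a real proxy this comes from an encrypted KVM.
var IDENTITY_TABLE = {
  "alice": { keystore: "xxx-int-certs-alice", keyalias: "alice-client" },
  "bob":   { keystore: "xxx-int-certs-bob",   keyalias: "bob-client" }
};

// Every user talks to the same upstream, so one truststore is shared.
var SHARED_TRUSTSTORE = "xxx-int-root";

// Pure lookup: returns the SSLInfo values for a user, or null when the user is
// unknown. Returning null instead of a default keeps the selection fail-closed:
// an unmapped user must never be sent upstream under someone else's cert.
function selectClientIdentity(username, table) {
  if (typeof username !== "string" || username.length === 0) {
    return null;
  }
  // hasOwnProperty.call guards against names such as "constructor" or
  // "__proto__" resolving through the object prototype.
  if (!Object.prototype.hasOwnProperty.call(table, username)) {
    return null;
  }
  var entry = table[username];
  return {
    keystore: entry.keystore,
    keyalias: entry.keyalias,
    truststore: SHARED_TRUSTSTORE
  };
}

// Runtime glue: reads the username decoded by the (assumed) BasicAuthentication
// policy and sets the variables that <SSLInfo> references as {target.ssl.*}.
// ctx is any object exposing getVariable/setVariable, like Apigee's `context`.
function applyClientIdentity(ctx) {
  var user = ctx.getVariable("basicauth.username");
  var identity = selectClientIdentity(user, IDENTITY_TABLE);
  if (identity === null) {
    // No default keystore: flag the request so a RaiseFault can reject it.
    ctx.setVariable("target.ssl.error", "no client identity for user");
    return false;
  }
  ctx.setVariable("target.ssl.keystore", identity.keystore);
  ctx.setVariable("target.ssl.keyalias", identity.keyalias);
  ctx.setVariable("target.ssl.truststore", identity.truststore);
  return true;
}

// Minimal stand-in for Apigee's context object so the file runs under node.
// Written in ES5 style because Apigee's JavaScript policy runtime is ES5.
function makeFakeContext(vars) {
  var store = {};
  for (var k in vars) {
    if (Object.prototype.hasOwnProperty.call(vars, k)) { store[k] = vars[k]; }
  }
  return {
    getVariable: function (name) {
      return Object.prototype.hasOwnProperty.call(store, name) ? store[name] : null;
    },
    setVariable: function (name, value) { store[name] = value; },
    dump: function () {
      var copy = {};
      for (var n in store) {
        if (Object.prototype.hasOwnProperty.call(store, n)) { copy[n] = store[n]; }
      }
      return copy;
    }
  };
}

// Inside Apigee `context` exists and the policy just applies the mapping;
// outside it, exercise one mapped and one unmapped user.
if (typeof context === "undefined") {
  var ok = makeFakeContext({ "basicauth.username": "alice" });
  console.log(applyClientIdentity(ok), ok.dump());
  var bad = makeFakeContext({ "basicauth.username": "mallory" });
  console.log(applyClientIdentity(bad), bad.dump());
} else {
  applyClientIdentity(context);
}
```

In the proxy, this policy would sit in the target request preflow after the BasicAuthentication decode step, followed by a RaiseFault conditioned on target.ssl.error being set, so that a request from an unmapped user never reaches the target with whatever keystore variable happened to be left over.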

First of all thank you very much for the answer, and for the suggestion on how to set references to be managed using a logic. I will try this.

Regarding your question, as I said I'm really new to apigee and API management (started 3 days ago!) therefore it can be that I am missing something, and/or I am doing something wrong! 🙂

From what I can see, if I don't specify a Keystore in the target config, I cannot use <ClientAuthEnabled>.

And if I don't specify this option, my incoming request (even if in Postman I am using the client certificate) is being passed to the endpoint without the client certificate (I get a 403 Error, which I get when the certificate is not passed) and I cannot communicate with the target.

Please let me know if I am doing something wrong or if I have misunderstood something, and thank you again for the help.

Hi @Tommaso Paci,

As Dino pointed out, the flow at Apigee is

Consumer -> APIGEE -> Provider (target)

The 2-way TLS handshake can happen at two places, i.e.

1. Consumer (Client) to APIGEE (Server)

2. APIGEE (Client) to Provider (Server)

Now, when the 2-way handshake happens between APIGEE and Provider, APIGEE is acting as a client and hence Consumer certificates are nowhere in the picture.

For your use case, you should have the two-way setup done from Consumer to APIGEE, where each consumer will have different certificates and these certificates will be installed in the APIGEE Truststore.

For two-way from APIGEE to Provider, the Provider can just confirm, if using 2-way TLS, that the requests are coming from APIGEE.

Also, note that APIGEE is used as it is acting as a security layer and hence this logic must be used from Consumer to APIGEE.

Hello gbhandari,

let me thank you as well for the help and the explanations. I'm learning a lot from these questions.

So to explain the way I'm currently setting up Apigee is the following:

- Consumer (has some credentials + client certificate provided by the Provider (server). Each Consumer has its own certificate + credentials);

- Apigee (we);

- Provider (they are the ones currently managing credentials and certificates. They provide credentials and certificates to each customer).

I understand that this is not the "best" way to implement apigee, but for the time being we would like to set it up like this as we need to initially "adapt" apigee to the existing infrastructure, and changing all credentials + certificates (to let apigee authorize access to resources) would be too much to ask to our customers (as I said at least in the short term).

What I'm trying to make here is a pass-through mode, where the Consumer does its Rest Call providing Credentials and Certificate and Apigee "forwards" this request to the Provider.

This somehow is only (at least from what I could find) working if I upload the client certificates to an Apigee Keystore (one per customer), and then for each incoming request, use the appropriate certificate store.

This works fine, I also implemented the Reference logic proposed by Dino (thank you Dino, it works fine); however, I need to upload all certificates to Apigee, and that is not ideal (especially regarding security).

Is there any way that I do not need to upload the certificates to Apigee, and that Apigee also forwards the certificate when an incoming call comes from the Consumer?

Please accept my apology if this question is not clear or if it does not make any sense.

Thank you all for the time.

Tommaso

Hi Tommaso Paci,

I do not think it is possible to send the consumer certs directly to the provider, as 2-way TLS will happen between Consumer and APIGEE.