This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

Apigee X: 2 Way SSL Authentication for API proxies

Posted on 01-22-2025 02:11 AM
LuckyEK
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Objective: I want to set up MTLS for our API proxies so API consumers can connect via our APIs on Apigee X.

From my research in different forums and docs, we understand that MTLS  Northbound for Apigee X must be handled at the Load balancer (strict or lenient mode).

To restrict certain partners and validate we must manage their certificates on our platform, also I do not want to allow any self-sign certificate and only allow public CAs' certs

Questions:

  1. Where can we manage different API consumer certificates (in the trust config's allowList certificate or Apigee KVM)?
  2. Do we need to add an intermediate certificate for the API consumers?
  3. How can we validate if the cert exists before allowing users to call the API proxies, can this be done at the proxy level or LB
  4. If at the proxy level, what policies shall we use to extract SSL info and ensure it is not expired or from invalid Certs?

This is a POC project for my knowledge of how apigeeX works with MTLS client authentication

Solved Solved
0 6 374
Topic Labels
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
hartmann
Staff
Reply posted on --/--/---- --:-- AM

Hello,

As you mentioned, most of the mTLS orchestration is typically handled via Load Balancer before the inbound service reaches Apigee. The following documentation (noted here: https://medium.com/google-cloud/configuring-mtls-for-apigee-x-northbound-traffic-using-global-https-...) explains how to set up the differing layers of the orchestration incredibly well. As per your questions/concerns:

1. Managing certificates would be performed at the Load Balancer layer via TrustConfig (as noted in the above documentation). The only scenario I have seen where Apigee could be utilized is in a passthrough scenario where you require added validation for the given certificate (serial number, etc). In the above, you could pass through the certificate to Apigee, and Apigee could check the inbound information via KVM (extract key/value pair from KVM and compare/contrast incoming versus trusted). This is not incredibly common, but could be supported given the following: https://cloud.google.com/load-balancing/docs/https/setting-up-mtls-ccm#add-custom-header

2. This would be dependent on your implementation/validation via mTLS, both are supported at the Load Balancer layer

3. This would still be evaluated at the LB as well

4. If anything needs to be evaluated at the proxy level (more uncommon) it would be something along the lines of what was noted above (evaluating the pass through headers with "trusted" certificates stored via KVM)

Thanks!

View solution in original post

Jump to Solution
6 REPLIES 6