
Apigee X: 2 Way SSL Authentication for API proxies

Objective: I want to set up MTLS for our API proxies so API consumers can connect via our APIs on Apigee X.

From my research in different forums and docs, we understand that MTLS northbound for Apigee X must be handled at the Load balancer (strict or lenient mode).

To restrict certain partners and validate, we must manage their certificates on our platform; also I do not want to allow any self-signed certificate and only allow public CAs' certs.

Questions:

  1. Where can we manage different API consumer certificates (in the trust config's allowList certificate or Apigee KVM)?
  2. Do we need to add an intermediate certificate for the API consumers?
  3. How can we validate if the cert exists before allowing users to call the API proxies? Can this be done at the proxy level or the LB?
  4. If at the proxy level, what policies shall we use to extract SSL info and ensure it is not expired or from invalid Certs?

This is a POC project for my knowledge of how Apigee X works with MTLS client authentication.

1 ACCEPTED SOLUTION

Hello,

As you mentioned, most of the mTLS orchestration is typically handled via Load Balancer before the inbound service reaches Apigee. The following documentation (noted here: https://medium.com/google-cloud/configuring-mtls-for-apigee-x-northbound-traffic-using-global-https-...) explains how to set up the differing layers of the orchestration incredibly well. As per your questions/concerns:

1. Managing certificates would be performed at the Load Balancer layer via TrustConfig (as noted in the above documentation). The only scenario I have seen where Apigee could be utilized is in a passthrough scenario where you require added validation for the given certificate (serial number, etc). In the above, you could pass through the certificate to Apigee, and Apigee could check the inbound information via KVM (extract key/value pair from KVM and compare/contrast incoming versus trusted). This is not incredibly common, but could be supported given the following: https://cloud.google.com/load-balancing/docs/https/setting-up-mtls-ccm#add-custom-header

2. This would be dependent on your implementation/validation via mTLS; both are supported at the Load Balancer layer.

3. This would still be evaluated at the LB as well.

4. If anything needs to be evaluated at the proxy level (more uncommon), it would be something along the lines of what was noted above (evaluating the pass-through headers with "trusted" certificates stored via KVM).

Thanks!

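The accepted answer describes the less common pass-through pattern: the load balancer validates the client certificate against the TrustConfig, adds custom headers populated from the documented `{client_cert_*}` variables, and the proxy compares them with "trusted" entries held in a KVM. The example below is added here and is not code from the thread or from Apigee; it shows the proxy-side decision logic as plain Python so the checks from questions 3 and 4 can be seen end to end. The header names (`X-Client-Cert-*`) are assumed names chosen for the example (you pick them when configuring the LB), the allow list is a constructed stand-in for KVM entries, and the `notAfter` value is assumed to arrive as an RFC 3339 timestamp.

```python
"""Proxy-side validation of mTLS client-cert metadata forwarded by a GCP external HTTPS LB.

Added example (not from the original thread). Assumed LB custom-header mapping:
    X-Client-Cert-Chain-Verified : {client_cert_chain_verified}
    X-Client-Cert-Error          : {client_cert_error}
    X-Client-Cert-Fingerprint    : {client_cert_sha256_fingerprint}  (base16 SHA-256)
    X-Client-Cert-Serial         : {client_cert_serial_number}
    X-Client-Cert-Subject        : {client_cert_subject_dn}
    X-Client-Cert-Issuer         : {client_cert_issuer_dn}
    X-Client-Cert-Not-After      : {client_cert_valid_not_after}      (RFC 3339, assumed)
"""
from datetime import datetime, timezone
from typing import Mapping, Optional, Tuple

# Assumed header names, compared case-insensitively.
H_VERIFIED = "x-client-cert-chain-verified"
H_ERROR = "x-client-cert-error"
H_FINGERPRINT = "x-client-cert-fingerprint"
H_SERIAL = "x-client-cert-serial"
H_SUBJECT = "x-client-cert-subject"
H_ISSUER = "x-client-cert-issuer"
H_NOT_AFTER = "x-client-cert-not-after"

# Constructed allow list standing in for KVM entries: leaf fingerprint -> API consumer id.
TRUSTED_CLIENTS = {
    "3f1a9c0e" * 8: "partner-a",  # 64 hex chars, constructed value
    "77b2d4f1" * 8: "partner-b",
}


def _parse_rfc3339(value: str) -> Optional[datetime]:
    """Parse an RFC 3339 timestamp ('Z' or numeric offset); None if unparsable."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None


def check_client_cert(headers: Mapping[str, str],
                      allow_list: Mapping[str, str],
                      now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Return (allowed, detail): detail is the consumer id when allowed, else the denial reason."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    now = now or datetime.now(timezone.utc)

    # 1. In lenient mode the LB forwards requests even when no certificate was presented or
    #    the chain failed TrustConfig validation, so the proxy must re-check the verified flag.
    if h.get(H_VERIFIED, "").lower() != "true":
        return False, "client certificate chain not verified by load balancer"
    if h.get(H_ERROR):
        return False, "load balancer reported certificate error: " + h[H_ERROR]

    # 2. Defence in depth against an expired leaf (the LB checks validity as well).
    not_after = _parse_rfc3339(h.get(H_NOT_AFTER, ""))
    if not_after is None:
        return False, "missing or unparsable notAfter"
    if not_after <= now:
        return False, "client certificate expired"

    # 3. A self-signed certificate has identical subject and issuer DNs; reject it explicitly
    #    even though a public-CA-only TrustConfig would not have verified its chain.
    if h.get(H_SUBJECT) and h.get(H_SUBJECT) == h.get(H_ISSUER):
        return False, "self-signed client certificate"

    # 4. Pin the presented leaf to a known consumer via its SHA-256 fingerprint (the KVM lookup).
    consumer = allow_list.get(h.get(H_FINGERPRINT, "").lower())
    if consumer is None:
        return False, "certificate not in allow list"
    return True, consumer


# Constructed sample of what the proxy would see for a valid partner-a request.
SAMPLE_HEADERS = {
    "X-Client-Cert-Chain-Verified": "true",
    "X-Client-Cert-Error": "",
    "X-Client-Cert-Fingerprint": "3f1a9c0e" * 8,
    "X-Client-Cert-Serial": "0a1b2c",
    "X-Client-Cert-Subject": "CN=api-client.partner-a.example",
    "X-Client-Cert-Issuer": "CN=Example Public CA",
    "X-Client-Cert-Not-After": "2099-01-01T00:00:00Z",
}

if __name__ == "__main__":
    print(check_client_cert(SAMPLE_HEADERS, TRUSTED_CLIENTS))
```

In an Apigee proxy the same four steps map onto an ExtractVariables policy (read the forwarded headers into flow variables), a KeyValueMapOperations Get (the allow-list lookup), and a RaiseFault policy with a condition on the results; the point that carries over regardless of policy choice is step 1: in lenient mode a request can reach the proxy without a validated certificate, so the chain-verified flag must be checked before anything else is trusted.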
