Need client certificate details for two-way TLS from consumer to Apigee

Hi All,

There is a flow variable client.cn. This flow variable has the client DN details.

Will the value of this flow variable be available even if we do not set the property below at the VHost level?

  <PropagateTLSInformation>
    <ConnectionProperties>true</ConnectionProperties>
    <ClientProperties>true</ClientProperties>
  </PropagateTLSInformation>

Also, if we set the above property, I do see that there are many other flow variables populated for two-way TLS.

https://docs.apigee.com/api-platform/system-administration/tls-vars

Will this have any performance impact if we enable these properties?

Thanks and Regards,

Gaurav Bhandari


Will the value of this flow variable be available even if we do not set the property below at the VHost level?

Yes

Will this have any performance impact if we enable these properties?

Yes. The degree of impact is not clear. Think of it this way: when you use that VHost configuration (PropagateTLSInformation), the information about the TLS connection and client certificate gets propagated to the Apigee Message Processor. This means the information is transmitted over the network and is then stored in memory. This will have an impact.

Will the impact be significant? That is a different question, and the answer is not fixed. There is no way to know without testing it in your system.

For lower request rates (Maybe 100 TPS or below), I suppose the impact will be negligible. Probably the dominant cost in a mutual-TLS scenario will be validating the inbound client certificates. My guess is that extracting and propagating the information after validation will have less of an impact, relatively speaking. But I haven't tested this.

For higher TPS, it's not certain. The memory consumed to store all this information for the duration of each request will grow, and that means pressure on memory management in the Message Processor.

You'll have to test it.
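To make the first reply concrete, here is an added example (not from this thread, and not Apigee's or the docs' own code) of an Apigee JavaScript policy body that authorizes a mutual-TLS caller from these flow variables. It reads client.cn, which the reply above says is populated regardless of PropagateTLSInformation, and additionally pins the full subject DN from tls.client.s.dn when that variable is present, i.e. when ClientProperties is true (that variable name is taken from the linked TLS variables page; confirm it against the page for your Edge version). The allow-list, the pinned DN, the output variables clientcert.allowed and clientcert.reason, and the makeContext stub that stands in for Apigee's context object are all constructed for illustration. It is written in ES5 because the JavaScript policy runs on a Rhino engine.

```javascript
// Added example: Apigee JavaScript policy body for mTLS caller authorization.
// ES5 only (no let/const/arrows) because Apigee's JavaScript policy runs on Rhino.
//
// Flow variables used:
//   client.cn        - CN from the client certificate; populated without
//                      PropagateTLSInformation (per the reply above).
//   tls.client.s.dn  - client subject DN; populated only when
//                      <ClientProperties>true</ClientProperties> is set.
//                      Name as listed on the linked tls-vars page (verify).
//   clientcert.allowed / clientcert.reason - hypothetical output variables,
//                      meant to be checked by a RaiseFault policy with a
//                      Condition such as: clientcert.allowed = false

// Constructed allow-list of expected client certificate CNs.
var ALLOWED_CNS = ['partner-a.example.com', 'partner-b.example.com'];

// Constructed full-DN pins per CN. Only enforceable when the subject DN is
// propagated; a CN match alone does not prove the issuing organisation.
var PINNED_DNS = {
  'partner-a.example.com': 'CN=partner-a.example.com,O=Partner A,C=US'
};

// Decide whether the presented client certificate is acceptable.
// Returns { allowed: boolean, reason: string }.
function evaluateClientCert(ctx, allowedCns, pinnedDns) {
  var cn = ctx.getVariable('client.cn');
  var dn = ctx.getVariable('tls.client.s.dn'); // null unless ClientProperties=true

  if (!cn) {
    return { allowed: false, reason: 'no client certificate presented' };
  }
  if (allowedCns.indexOf(cn) === -1) {
    return { allowed: false, reason: 'CN not in allow-list: ' + cn };
  }
  if (dn && pinnedDns[cn] && dn !== pinnedDns[cn]) {
    return { allowed: false, reason: 'subject DN mismatch for ' + cn };
  }
  return {
    allowed: true,
    reason: dn ? 'CN and DN match' : 'CN match (DN not propagated)'
  };
}

// Publish the decision as flow variables for later policies to act on.
function applyDecision(ctx, decision) {
  ctx.setVariable('clientcert.allowed', decision.allowed);
  ctx.setVariable('clientcert.reason', decision.reason);
  return decision;
}

// Constructed stand-in for Apigee's `context` object so the policy body can be
// run outside the Message Processor. Unset variables return null, as in Apigee.
function makeContext(vars) {
  var store = {};
  for (var k in vars) { if (vars.hasOwnProperty(k)) { store[k] = vars[k]; } }
  return {
    getVariable: function (name) { return store.hasOwnProperty(name) ? store[name] : null; },
    setVariable: function (name, value) { store[name] = value; },
    vars: store
  };
}

// Inside Apigee the runtime supplies `context`; elsewhere use the stub with a
// constructed request that has client.cn but no propagated client properties.
var ctx = (typeof context !== 'undefined')
  ? context
  : makeContext({ 'client.cn': 'partner-a.example.com' });
applyDecision(ctx, evaluateClientCert(ctx, ALLOWED_CNS, PINNED_DNS));
```

Without ClientProperties the policy can only check the CN, which is the situation the question asks about; enabling propagation buys the DN pin (and the other certificate fields the linked page lists) at the memory and transfer cost the reply describes.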


In my tests, I noticed that an HTTPS call is almost 5-8 ms slower than an HTTP call. These values are from my results; they can change with your network speed, firewall, DNS, LB, CPU and memory.

Similarly, I found a 2-4 ms difference between one-way and two-way TLS. So, obviously there is a performance impact. Other than that, the extra variables will have more impact on your Message Processor CPU/memory utilization as the TPS increases.

This is an older thread but I wanted to add some clarifying commentary.

Yes, there will be an impact for 2-way TLS as compared to 1-way TLS, and thank you for contributing your observations. The original question above was: will there be a performance impact when comparing a VHost-enabled 2-way TLS with and without PropagateTLSInformation? I would guess that the difference will be less than 2 ms, but I haven't measured it at scale.