
Not able to access the tls information in the policy

I have added the PropagateTLSInformation section to my virtualhost in Apigee.

{
  ...
  "sSLInfo": {
    "ciphers": [

    ],
    "clientAuthEnabled": "true",
    "enabled": "true",
    "ignoreValidationErrors": false,
    "keyAlias": "test",
    "keyStore": "ref://tls",
    "protocols": [

    ],
    "trustStore": "ref://tlsTrust"
  },
  "PropagateTLSInformation": {
    "ConnectionProperties": "true",
    "ClientProperties":  "true"
  }
 }

Based on "Accessing TLS connection information in an API proxy | Apigee Edge | Apigee Docs", the PropagateTLSInformation section in the virtualhost facilitates the propagation of TLS information.

I am trying to access tls.client.s.dn in a policy. 

<Step>
<Name>RF-CertCheck</Name>
<Condition>tls.client.s.dn != "Certificate"</Condition>
</Step>

I also tried using X-Apigee.tls.client.s.dn, still did not get any value.

I would really appreciate any input on how to access the TLS information in a policy.

2 REPLIES

This looks like a duplicate post. Let's discuss this on the other post, please.

Hi @SanalNaroor ,

You’re correct that adding PropagateTLSInformation in the virtual host allows Apigee to pass TLS details. But note: this only works when:
– You’re using mutual TLS (mTLS) and
– The client is presenting a valid certificate at the Apigee edge.

To access tls.client.s.dn in policies:
– You should reference it directly as tls.client.s.dn in your conditions (no X-Apigee. prefix).
– Make sure the client is actually providing the certificate; otherwise, the variables will be empty.

Debug tip:
– Enable debug sessions in the Apigee trace tool and look under the variables section → check if tls.client.* values appear.
– If they are missing, confirm that:
  – The virtual host is configured for clientAuthEnabled: true.
  – The trust store contains the correct CA certs.
  – The client is indeed sending a client certificate.
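
The configuration side of the checklist above can be checked offline against an exported virtual host definition. The following is an added example, not part of the original thread and not Apigee's own tooling; `check_vhost` and `is_true` are hypothetical helper names, and the sample is the virtual host from the question with the elided `...` fields left out.

```python
import json

# Constructed sample: the virtual host from the question, without the
# elided "..." fields so that it parses as JSON.
SAMPLE_VHOST = """
{
  "sSLInfo": {
    "ciphers": [],
    "clientAuthEnabled": "true",
    "enabled": "true",
    "ignoreValidationErrors": false,
    "keyAlias": "test",
    "keyStore": "ref://tls",
    "protocols": [],
    "trustStore": "ref://tlsTrust"
  },
  "PropagateTLSInformation": {
    "ConnectionProperties": "true",
    "ClientProperties": "true"
  }
}
"""

def is_true(value):
    """The definition mixes "true" strings and JSON booleans; accept both."""
    return value is True or str(value).strip().lower() == "true"

def check_vhost(vhost):
    """Return config findings that would leave tls.client.* variables empty."""
    findings = []
    ssl = vhost.get("sSLInfo") or {}
    prop = vhost.get("PropagateTLSInformation") or {}
    if not is_true(ssl.get("enabled")):
        findings.append("sSLInfo.enabled is not true")
    if not is_true(ssl.get("clientAuthEnabled")):
        findings.append("sSLInfo.clientAuthEnabled is not true (no mTLS)")
    if not ssl.get("trustStore"):
        findings.append("sSLInfo.trustStore is missing or empty")
    if not is_true(prop.get("ClientProperties")):
        findings.append("PropagateTLSInformation.ClientProperties is not true")
    return findings

if __name__ == "__main__":
    for line in check_vhost(json.loads(SAMPLE_VHOST)) or ["no config findings"]:
        print(line)
```

A clean result covers only the configuration; whether the trust store holds the right CA certs and whether the client actually sends a certificate still has to be confirmed in a debug session.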