
TLS in Apigee

Hi guys.

I had a question about a use case. I wanted to know if it's possible to make Apigee act as a bridge so that, without changing my client and backend, I can use TLS 1.2 on the client side and still fulfil the TLS 1.3 requirement of my backend, provided I don't have to make any changes on them and only on Apigee to act as a mediator.

Thank you, as any help would be appreciated.

1 ACCEPTED SOLUTION

I think you want

  • the client connects to Apigee with TLS 1.2
  • Apigee connects to the backend ("upstream") with TLS 1.3

Yes, that is possible. Apigee is an HTTP proxy; there are two TLS connections, one between client and Apigee, one between Apigee and the upstream. You can configure each one differently. Either one can have 1-way or 2-way (mutual) authentication. The keystores and trust stores on each connection can be different.

Provided i dont have to make any changes on them and only on apigee to act as a mediator

We can't say anything about this. You are saying you don't want to make changes, but you haven't described the initial state. Is the client connecting directly to the upstream today?

If the client is connecting to the upstream directly now, it is using SOMETHING for hostname, TLS version, keystore, truststore. Each of those things is important for TLS (keystore on the client side is important only for mutual TLS). Those things might need to change if you point the client to Apigee, rather than to the upstream. Likewise, if your upstream today is getting a connection from a client, it is validating the TLS with a TLS version, a keystore and maybe a truststore (if 2-way TLS). Those things may need to change if you inject Apigee into the middle.

More information:

How TLS Truststores work in Apigee (hint: no different than in any other system) 

More on how TLS keystores and Truststores work
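An added example (not from the post or from Apigee's documentation) of what the second hop looks like in a proxy bundle: a TargetEndpoint whose SSLInfo pins the Apigee-to-upstream connection to TLS 1.3 and validates the upstream certificate against a truststore. The URL, keystore and truststore reference names are placeholders, and the TLSv1.3 Protocol value is assumed to be accepted by your Apigee version (check the SSLInfo reference for yours); the first hop (client-to-Apigee, TLS 1.2 here) is configured separately on the virtual host or environment group, not in this file.

```xml
<TargetEndpoint name="default">
  <!-- Added example, not the post's own config. Hop 2: Apigee -> upstream.
       Hostnames, keystore and truststore references are placeholders. -->
  <HTTPTargetConnection>
    <URL>https://backend.example.internal:8443/orders</URL>
    <SSLInfo>
      <Enabled>true</Enabled>
      <!-- Fail the request rather than silently falling back when the
           SSLInfo cannot be honoured. -->
      <Enforce>true</Enforce>
      <!-- Restrict this hop to TLS 1.3 only. The protocol value is assumed;
           verify it against the SSLInfo reference for your Apigee version. -->
      <Protocols>
        <Protocol>TLSv1.3</Protocol>
      </Protocols>
      <!-- Validate the upstream certificate chain against a truststore that
           holds the upstream CA; never ignore validation errors in production. -->
      <TrustStore>ref://upstream-truststore-ref</TrustStore>
      <IgnoreValidationErrors>false</IgnoreValidationErrors>
      <!-- Only needed if the upstream requires mutual TLS: Apigee presents
           its own client certificate from this keystore on hop 2. -->
      <ClientAuthEnabled>true</ClientAuthEnabled>
      <KeyStore>ref://apigee-client-keystore-ref</KeyStore>
      <KeyAlias>apigee-client</KeyAlias>
    </SSLInfo>
  </HTTPTargetConnection>
</TargetEndpoint>
```

Because the client never sees this hop, the client keeps negotiating TLS 1.2 with Apigee while the upstream only ever sees a TLS 1.3 session from Apigee.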


Thank you sir, a leading question would be:

If I implement TLS 1.2 on this proxy at the base endpoint or enable mutual TLS specifically for this instance using the hostname api.example.com, will it affect other proxies using the same hostname but without TLS? My understanding is that TLS is configured at the hostname level, so would those other proxies also need to use the certificate to communicate? Please correct me if I'm wrong.