
Two-way TLS on target doesn't work with flow variables

Hi there,

I'm trying to connect my proxy to a target endpoint which requires two-way TLS. I went to "Management -> Environments", selected my environment and on the TLS Keystores tab I imported my .p12 file and gave it an alias.

Then, on the Target Servers tab, I clicked on the edit for my target server configuration and added this keystore and selected the alias. This works just fine and my proxy can communicate with the backend server.

But I wanted to use flow variables on the target flow instead of this manual configuration:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="AM-SSLConnect">
  <DisplayName>AM-SSLConnect</DisplayName>
  <Properties/>
  <AssignVariable>
    <Name>myvars.ssl.enabled</Name>
    <Value>true</Value>
  </AssignVariable>
  <AssignVariable>
    <Name>myvars.ssl.client.auth.enabled</Name>
    <Value>true</Value>
  </AssignVariable>
  <AssignVariable>
    <Name>myvars.ssl.keystore</Name>
    <Value>my_keystore</Value>
  </AssignVariable>
  <AssignVariable>
    <Name>myvars.ssl.keyAlias</Name>
    <Value>my_alias</Value>
  </AssignVariable>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>

I add this in the PreFlow step. Unfortunately, I receive a handshake failure:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TargetEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <Step>
        <Name>AM-SSLConnect</Name>
      </Step>
    </Request>
  </PreFlow>
  <HTTPTargetConnection>
    <LoadBalancer>
      <Server name="my_target_server"/>
    </LoadBalancer>
    <Path>/path/...</Path>
    <SSLInfo>
      <Enabled>{myvars.ssl.enabled}</Enabled>
      <ClientAuthEnabled>{myvars.ssl.client.auth.enabled}</ClientAuthEnabled>
      <KeyStore>{myvars.ssl.keystore}</KeyStore>
      <KeyAlias>{myvars.ssl.keyAlias}</KeyAlias>
    </SSLInfo>
  </HTTPTargetConnection>
</TargetEndpoint>

Can someone point out to me what is missing?

{
    "fault": {
        "faultstring": "SSL Handshake failed null",
        "detail": {
            "errorcode": "messaging.adaptors.http.flow.SslHandshakeFailed"
        }
    }
}

ACCEPTED SOLUTION

Hey @AndreCipriano, you are mixing up two different things - TargetEndpoint TLS configuration and Target Servers.

This part

    <SSLInfo>
      <Enabled>{myvars.ssl.enabled}</Enabled>
      <ClientAuthEnabled>{myvars.ssl.client.auth.enabled}</ClientAuthEnabled>
      <KeyStore>{myvars.ssl.keystore}</KeyStore>
      <KeyAlias>{myvars.ssl.keyAlias}</KeyAlias>
    </SSLInfo>

would work if you remove Path and LoadBalancer and add a target URL, like here:

Feel free to ask any questions!

Hope that helps!
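A complete TargetEndpoint in the shape the accepted answer describes, written here as an added example rather than code from the answer or the original post: the LoadBalancer/Server and Path elements are replaced by a direct URL, and the SSLInfo block keeps the same flow variables that the question's AM-SSLConnect policy sets. The hostname backend.example.com and the path are placeholders; the keystore name and alias are the ones from the question.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TargetEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <Step>
        <!-- The AssignMessage policy from the question; it sets the
             myvars.ssl.* variables before the target connection is opened -->
        <Name>AM-SSLConnect</Name>
      </Step>
    </Request>
  </PreFlow>
  <HTTPTargetConnection>
    <!-- Direct URL instead of <LoadBalancer><Server .../></LoadBalancer> plus <Path>.
         backend.example.com and /path are placeholders (constructed for this example). -->
    <URL>https://backend.example.com/path</URL>
    <SSLInfo>
      <!-- Same flow variables as in the question; values come from AM-SSLConnect:
           enabled=true, client auth=true, keystore=my_keystore, alias=my_alias -->
      <Enabled>{myvars.ssl.enabled}</Enabled>
      <ClientAuthEnabled>{myvars.ssl.client.auth.enabled}</ClientAuthEnabled>
      <KeyStore>{myvars.ssl.keystore}</KeyStore>
      <KeyAlias>{myvars.ssl.keyAlias}</KeyAlias>
    </SSLInfo>
  </HTTPTargetConnection>
</TargetEndpoint>
```

With a direct URL, the SSLInfo block governs this connection, so the variables decide which keystore and alias supply the client certificate. When the connection goes through a Server inside a LoadBalancer instead, the TLS settings belong to the Target Server definition (the keystore and alias chosen on the Target Servers tab, which the question reports as working), which is why the two approaches should not be combined. Since the variables are assigned in the target PreFlow, check in the trace that myvars.ssl.keystore and myvars.ssl.keyAlias have resolved before the connection is opened; with IgnoreUnresolvedVariables set to true, an unset variable silently leaves no client certificate to present, which the backend will reject at the handshake. SSLInfo also accepts a TrustStore element for validating the backend's certificate; it is omitted here because the question does not use one.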

3 REPLIES

@AndreCipriano - a few questions to clarify:

  1. When you hardcode the alias/keystore info, they work as expected?
  2. Can you not configure the alias/keystore info in the Target Server itself, so that all the configuration like ClientAuth, Alias, etc. is pulled directly from the Target Server you configured? With that you won't even need the AssignMessage policy.

You are correct, I was confused; I used the way described in https://cloud.google.com/apigee/docs/api-platform/deploy/load-balancing-across-backend-servers#confi... and it worked!

Thanks 🙂