mTLS requirement

Dear Team,

We have a requirement for mTLS on Apigee Private Cloud 4.50.

  • Producer of the service is an external organization.
  • Consumer is Apigee on-premise 4.50.

The service is protected by mutual TLS for outbound connections to the external organization. Below are the steps that, as I understand it, are required.

  1. Apigee needs to create a CSR and send it to the external organization.
  2. The CSR will be signed by the external organization.
  3. It needs to be installed on Apigee (for outbound connections to the external organization).
  4. After signing by the external organization, the certificate is to be updated in Apigee.

Do we have step-by-step documentation, as this must be a common scenario?

Regards

SM

1 ACCEPTED SOLUTION

My understanding of your setup is as follows:

  • Client is Apigee Private Cloud 4.50.00
  • External service requires 2-way/mTLS connection
  • As such, Apigee Message Processors will need to store the client key and certificate in a keystore and send this to the target service, which would need to verify the same in order to establish a TLS connection.

Can you confirm this is the desired configuration? If so, please elaborate on why a CSR process is needed. Usually, the external provider at the target would provide you with a client key and certificate to load into a keystore at Apigee for use in the mTLS configuration.
If your team is maintaining the target service also and is wishing to generate a CSR and private key to provide to a signing authority in order to obtain this certificate, most signing authorities have tutorials and even wizards for this. You can use openssl, java keytool, etc. SSL Shopper has this handy guide for using OpenSSL to generate a CSR and private key.
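The CSR route the answer mentions, as an added example that is not part of the thread or of Apigee's own tooling: generate the key and CSR on the Apigee side, then, once the signed certificate comes back, check that it really matches the private key and chains to the signer before bundling it for the keystore. The external CA is simulated locally here so the script is self-contained; the file names, subject names and the `changeit` password are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example: key + CSR for an Apigee client cert, then sanity checks on
# the signed certificate and packaging as PKCS#12 for keystore upload.
set -euo pipefail
WORKDIR="${WORKDIR:-$(mktemp -d)}"   # scratch directory (constructed)

# Step 1: private key stays on the Apigee host; only the CSR is sent out.
make_client_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORKDIR/apigee-client.key" -out "$WORKDIR/apigee-client.csr" \
    -subj "/CN=apigee-client.example.internal/O=Example Org" 2>/dev/null
  printf '%s\n' "$WORKDIR/apigee-client.csr"
}

# Step 2 (stand-in for the external organization's CA, constructed here so
# the script runs offline): sign the CSR with a throwaway CA.
sign_with_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORKDIR/ext-ca.key" -out "$WORKDIR/ext-ca.crt" \
    -subj "/CN=External Org Test CA" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/apigee-client.csr" -days 365 \
    -CA "$WORKDIR/ext-ca.crt" -CAkey "$WORKDIR/ext-ca.key" -CAcreateserial \
    -out "$WORKDIR/apigee-client.crt" 2>/dev/null
  printf '%s\n' "$WORKDIR/apigee-client.crt"
}

# Step 3: before touching the keystore, confirm the returned cert was issued
# for *our* key (public keys must match) and chains to the expected signer.
cert_matches_key() {   # args: cert key
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}
cert_chains_to() {     # args: cert ca-cert
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Step 4: bundle key + cert as PKCS#12 (one of the formats the Apigee Edge
# keystore alias upload accepts; verify against the docs for your version).
make_pkcs12() {        # args: cert key
  openssl pkcs12 -export -in "$1" -inkey "$2" -name apigee-client \
    -passout pass:changeit -out "$WORKDIR/apigee-client.p12"
  printf '%s\n' "$WORKDIR/apigee-client.p12"
}

provision_client_cert() {   # full flow; prints the .p12 path on success
  make_client_csr >/dev/null
  local crt; crt=$(sign_with_test_ca)
  cert_matches_key "$crt" "$WORKDIR/apigee-client.key"
  cert_chains_to "$crt" "$WORKDIR/ext-ca.crt"
  make_pkcs12 "$crt" "$WORKDIR/apigee-client.key"
}
```

In a real run you would stop after `make_client_csr`, send the CSR out, and resume at the checks with the certificate the external organization returns.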

Here the client key is generated at the Apigee end and provided to the external provider at the target, to be signed by their own CA.

That's the reason. Hope it's clarified.

Thanks for clarifying. The link from SSL Shopper with the OpenSSL steps to generate a CSR and key would be a good starting point.

Work with your internal PKI (public key infrastructure) group for certificate provisioning; they can guide you through the CSR process. Follow the steps below to enable 2-way SSL from Apigee to the backend service.

https://docs.apigee.com/api-platform/system-administration/configuring-ssl-edge-backend-service

I was expecting this to be performed via the user interface provided for on-premise customers for the keystore.

Menu -- Admin -- TLS Certificates

Any comments / suggestions?

Not sure what the thought process is in general (if you are comparing some other products :)). You need to procure certs (internal or external); then you can just follow the instructions from the docs to upload the certs and set up mutual TLS.

Just FYI, a good read: https://docs.apigee.com/api-platform/system-administration/about-ssl