two-way TLS from within ServiceCallout

I need to enable two-way authentication using a key store and trust store between Apigee and an SSO server. Please, I want to know how to implement this, @dchiesa1, on the Apigee TLS key store and in the ServiceCallout policy (SSLInfo).

1 ACCEPTED SOLUTION

You're saying "SSO Server" and also ServiceCallout. 

Usually these two things don't intersect, but maybe in your case they do?   

Typically I see an SSO server being integrated with the signon for the operators and administrators, into the admin UI.  A SAML IdP, and then the Apigee UI acts as a SAML SP.  Whereas, ServiceCallout is something you would configure within your API Proxy, to call out to a remote system. ServiceCallout has nothing to do with signon of API admins/publishers/operators.

BUT, it's possible that you are using ServiceCallout to connect to an upstream target system that just happens to be an SSO server. In that case, excellent!  And ... The configuration should be pretty simple.  Just follow what you need to specify for SSLInfo for any other purpose. 

  • Specify a TrustStore to tell Apigee how to verify the other peer's TLS certificate
  • Load into the TrustStore the root CA that signed the peer's TLS cert
  • Specify a Keystore if you want 2-way TLS.  Load the key+cert that identifies Apigee to the other system, into that Keystore
  • Specify the converse stuff on the other peer (keystore and/or truststore), as appropriate

But it sounds like you've read the documentation on SSLInfo.  What have you tried? Is it working?  What do you observe?
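As an added illustration of the four steps above (this is not the answerer's code, and the host name, keystore/truststore reference names, key alias and request path are assumed placeholders), here is what a ServiceCallout with two-way TLS in its SSLInfo looks like:

```xml
<!-- Added example: ServiceCallout to an SSO server over mutual TLS.
     Names below (sso.example.com, sso-client-keystore-ref,
     sso-truststore-ref, apigee-client, /oauth/token) are assumed. -->
<ServiceCallout name="SC-CallSSO">
  <Request variable="ssoRequest">
    <Set>
      <Verb>POST</Verb>
      <Path>/oauth/token</Path>
    </Set>
  </Request>
  <Response>ssoResponse</Response>
  <Timeout>30000</Timeout>
  <HTTPTargetConnection>
    <URL>https://sso.example.com</URL>
    <SSLInfo>
      <Enabled>true</Enabled>
      <!-- 2-way TLS: Apigee presents the key+cert stored under KeyAlias -->
      <ClientAuthEnabled>true</ClientAuthEnabled>
      <KeyStore>ref://sso-client-keystore-ref</KeyStore>
      <KeyAlias>apigee-client</KeyAlias>
      <!-- TrustStore holds the root CA that signed the SSO server's cert -->
      <TrustStore>ref://sso-truststore-ref</TrustStore>
      <!-- Keep false: true would skip verifying the peer's certificate -->
      <IgnoreValidationErrors>false</IgnoreValidationErrors>
    </SSLInfo>
  </HTTPTargetConnection>
</ServiceCallout>
```

The `ref://` values point at environment-level references, so the keystore and truststore can be rotated without redeploying the proxy; the SSO server side still needs its own truststore containing the CA that issued the `apigee-client` certificate.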
