I can set my backend endpoint dynamically within my API Proxy logic by setting variables such as target.url. This is great. But what if my dynamic endpoint change requires me to change my SSL settings as well? Specifically, I need to switch to mutual auth for certain endpoints, and thus need to change the SSLInfo settings (Keystore, Truststore, KeyAlias, ClientAuthEnabled). Is this possible?
Dear @WILLIT51,
You can set the SSL settings dynamically through variables with the help of a new feature introduced in the latest version of Edge for Cloud. Refer to more details about this in the section "SSLInfo variables in TargetEndpoint configurations" in the Release Notes.
Regards,
Amar
The docs will also be updated with the new info this week.
Wow! Was that question well timed or what?
I might be missing something, but it isn't working for me. (Yes, I am using Edge for Cloud).
I have my Target Endpoint defined as follows:
<HTTPTargetConnection>
    <URL>https://default.com</URL>
    <SSLInfo>
        <Enabled>{myvars.ssl.enabled}</Enabled>
        <ClientAuthEnabled>{myvars.ssl.client.auth.enabled}</ClientAuthEnabled>
        <KeyStore>{myvars.ssl.keystore}</KeyStore>
        <KeyAlias>{myvars.ssl.keyAlias}</KeyAlias>
        <TrustStore>{myvars.ssl.trustStore}</TrustStore>
    </SSLInfo>
</HTTPTargetConnection>
…and I have an AssignMessage policy that sets these variables, along with the target url:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="Set-Target">
    ...
    <AssignVariable>
        <Name>target.url</Name>
        <Value>https://apigwrouter.acme.com/apigwRouter</Value>
    </AssignVariable>
    <AssignVariable>
        <Name>myvars.ssl.enabled</Name>
        <Value>true</Value>
    </AssignVariable>
    <AssignVariable>
        <Name>myvars.ssl.client.auth.enabled</Name>
        <Value>true</Value>
    </AssignVariable>
    <AssignVariable>
        <Name>myvars.ssl.keystore</Name>
        <Value>keystore-apigwrouter</Value>
    </AssignVariable>
    <AssignVariable>
        <Name>myvars.ssl.keyAlias</Name>
        <Value>apigwrouter</Value>
    </AssignVariable>
    <AssignVariable>
        <Name>myvars.ssl.trustStore</Name>
        <Value>truststore-apigwrouter</Value>
    </AssignVariable>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>
…but I can't even deploy it. I get this error:
Error in deployment for environment dev. The revision is deployed, but traffic cannot flow. Security store {myvars.ssl.trustStore} is not configured in environment dev
When I define these items statically, everything works, so the problem isn't my keystores.
What am I missing?
I think something is wrong with the setting. If I remove this line from SSLInfo, it at least deploys. Could you double-check that variable name - {myvars.ssl.trustStore}?
Dear @WILLIT51,
I tried in my Cloud org with your code as is and I was able to deploy the API Proxy without any issues. Can you please provide the org name and API bundle name where you are seeing this issue? This will help me to investigate the problem that you are seeing.
Regards,
Amar
@Amar, take a look at proxy "IAM_2" within org "nwie". "IAM_1" and "IAM_2" are functionally equivalent, however "IAM_2" tries to set the SSLInfo variables dynamically.
Dear @WILLIT51,
I checked your proxy and everything seemed to be fine. In fact, I tried this in my org and the deployment worked fine. Later I checked and found that the new release is not completely deployed in all the regions. My org has already got the new code and hence it is working fine. For your org, I have checked with our release team and understand that the new release will be made available by the end of this week. So you can try this early next week.
I will update you as soon as the new release is made available for your org.
Thanks,
Amar
Dear @WILLIT51,
The new release has been deployed now for your org. I checked in your org and confirmed that your proxy "IAM_2" was successfully deployed in test environment. In fact, I undeployed and deployed the proxy again to re-confirm. It got deployed successfully again without any errors. Please verify at your end and let me know if everything's fine.
Thanks,
Amar
This does appear to be working now. Thanks, Amar!
This does seem to work now. Thanks!
I have a follow-up question. What if my initial Target Endpoint uses HTTP, but the dynamic Target Endpoint (determined later) needs HTTPS?
I'm finding that if I start with an HTTP endpoint as my default Target Endpoint and set the SSLInfo.Enabled to {myvars.ssl.enabled}, then later change {target.url} to an HTTPS endpoint and set {myvars.ssl.enabled} to true, it doesn't work. However it does work if I start with an HTTPS endpoint as my default Target Endpoint. It seems that it can handle dynamically changing SSL setting changes, but not switching from HTTP to HTTPS.
Dear @WILLIT51,
I will check on this and get back to you. But for better question/answer management, can you please post this in a separate community thread/question?
Thanks
Amar
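An offline pre-deployment check for the variable-driven SSLInfo configuration discussed in this thread, added here as an example; it is not part of any post and is not Apigee tooling. The function names and the sample strings are assumptions constructed for illustration, and the check only sees literal `<AssignVariable>` values.

```python
import re
import xml.etree.ElementTree as ET

VAR = re.compile(r"^\{([^{}]+)\}$")  # whole-value flow variable, e.g. {myvars.ssl.keystore}

# Constructed sample input, modelled on the configuration posted in this thread.
TARGET = """<HTTPTargetConnection><URL>https://default.com</URL><SSLInfo>
<Enabled>{myvars.ssl.enabled}</Enabled>
<ClientAuthEnabled>{myvars.ssl.client.auth.enabled}</ClientAuthEnabled>
<KeyStore>{myvars.ssl.keystore}</KeyStore>
<KeyAlias>{myvars.ssl.keyAlias}</KeyAlias>
<TrustStore>{myvars.ssl.trustStore}</TrustStore>
</SSLInfo></HTTPTargetConnection>"""
ASSIGN = "<AssignMessage name='Set-Target'>" + "".join(
    f"<AssignVariable><Name>{n}</Name><Value>{v}</Value></AssignVariable>"
    for n, v in [("target.url", "https://apigwrouter.acme.com/apigwRouter"),
                 ("myvars.ssl.enabled", "true"), ("myvars.ssl.client.auth.enabled", "true"),
                 ("myvars.ssl.keystore", "keystore-apigwrouter"),
                 ("myvars.ssl.keyAlias", "apigwrouter"),
                 ("myvars.ssl.trustStore", "truststore-apigwrouter")]) + "</AssignMessage>"

def assigned_vars(assign_xml):
    """Map variable name -> literal value set by <AssignVariable> in one AssignMessage policy."""
    root = ET.fromstring(assign_xml)
    return {av.findtext("Name", "").strip(): av.findtext("Value", "").strip()
            for av in root.iter("AssignVariable")}

def lint_sslinfo(target_xml, assign_xml):
    """Return a list of findings for variable-driven SSLInfo settings (hypothetical helper)."""
    conn = ET.fromstring(target_xml)
    ssl = conn.find(".//SSLInfo")
    if ssl is None:
        return ["no SSLInfo element"]
    assigned, findings, resolved = assigned_vars(assign_xml), [], {}
    for el in ssl:
        text = (el.text or "").strip()
        m = VAR.match(text)
        if m and m.group(1) not in assigned:
            findings.append(f"{el.tag}: variable {m.group(1)} is never assigned")
        resolved[el.tag] = assigned.get(m.group(1), "") if m else text
    # Mutual TLS needs a client key, so the keystore and alias must resolve to a value.
    if resolved.get("ClientAuthEnabled") == "true":
        for tag in ("KeyStore", "KeyAlias"):
            if not resolved.get(tag):
                findings.append(f"ClientAuthEnabled is true but {tag} is empty")
    # The thread reports that an http:// default URL could not be switched to HTTPS at runtime.
    if (conn.findtext(".//URL") or "").startswith("http://") and "Enabled" in resolved:
        findings.append("default URL is http:// while SSLInfo is configured")
    return findings
```

Variable names are compared case-sensitively, so a reference such as `{myvars.ssl.keyAlias}` paired with an assignment to `myvars.ssl.keyalias` is reported as unassigned.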