mTLS requirement

sjm2000 · September 9, 2021, 10:18am

Dear Team,

We have a requirement of mTLS on APIGEE private cloud 4.50 .

Producer of the service is an external organization.
Consumer is APIGEE on-premise 4.50

The service is protected by mutual TLS for outbound connections to external organization. Below are the steps as i understand is required.

APIGEE need to create a csr and send to an external organization .
The csr will be signed by external organization .
It needs to be installed on APIGEE . (for outbound connections to external organization).
After signing by external organization the certificate to be updated in APIGEE

Do we have a step by step documentation as this must be a common scenario ?

Regards

SM

mw970 · September 9, 2021, 3:30pm

My understanding of your setup is as follows:

Client is Apigee Private Cloud 4.50.00
External service requires 2-way/mTLS connection
As such, Apigee Message processors will need to store client key and certificate in a keystore and send this to the target service which would need to verify same in order to establish a TLS connection

Can you confirm this is the desired configuration? If so, please elaborate on why a CSR process is needed - usually, the external provider at the target, would provide you with a client key and certificate to load into a keystore at Apigee for use in mTLS configuration.
If your team is maintaining the target service also and is wishing to generate a CSR and private key to provide to a signing authority in order to obtain this certificate, most signing authorities have tutorials and even wizards for this. You can use openssl, java keytool, etc. SSL Shopper has this handy guide for using OpenSSL to generate a CSR and private key.

sjm2000 · September 9, 2021, 3:52pm

Here the client key Is generated at apigee end and provided to external provider at target to be signed by their own CA .

That’s the reason . Hope it’s clarified .

mw970 · September 9, 2021, 3:57pm

Thanks for clarifying, the link from sslshopper with openssl steps to generate CSR and key would be a good starting point.

API-Evangelist · September 11, 2021, 3:50am

Work with your internal PKI group (public key infra) for certificate provisioning who can guide with the CSR process. Follow below to enable 2-way ssl from apigee to backend service.

https://docs.apigee.com/api-platform/system-administration/configuring-ssl-edge-backend-service

sjm2000 · September 11, 2021, 1:37pm

I was expecting this to be performed via user interface provided for on premise customers for key store .

Menu-- admin – TLS certificates

Any comments / suggestions ?

API-Evangelist · September 12, 2021, 8:08pm

Not sure what’s the thought process in general(if you comparing some other products :)) you need to procure certs (by internal /external) then you can just follow the instructions from the docs to to upload the certs and setup mutual tls.

Just FYI: Good read https://docs.apigee.com/api-platform/system-administration/about-ssl

Topic		Replies	Views
MTLS (2 way TLS) from Apigee to our enterprise system-SSL Termination Load Balancer Apigee apigee-general	3	8	October 18, 2018
Configure two way SSL on Apigee Edge Apigee api-runtime	5	13	May 9, 2016
Mutual TLS between client to edge and edge to backend Apigee api-runtime	8	18	December 7, 2018

mTLS requirement

AI Suggested topics