Mutual TLS with ServiceCallout and TargetServer

Google Cloud Apigee
1

Hi Guys,

I have to ask since it feels weird for me. On Target Servers there is the Option "Enable Two-way TLS (Client Authorization). So from my point of view this should be enough to setup a Mutual TLS connection to the destination.

But the following code within my TargetEndpoint isn’t working:

    <HTTPTargetConnection>
        <Properties>
            <Property name="request.retain.headers">Host</Property>
            <Property name="request.retain.headers.enabled">true</Property>
        </Properties>
        <LoadBalancer>
            <Server name="my_server_v1"/>
        </LoadBalancer>
        <Path>/some_path</Path>
    </HTTPTargetConnection>

But when I provide the SSL info its working:

    <HTTPTargetConnection>
        <Properties>
            <Property name="request.retain.headers">Host</Property>
            <Property name="request.retain.headers.enabled">true</Property>
        </Properties>
        <SSLInfo>
            <Enabled>true</Enabled>
            <ClientAuthEnabled>true</ClientAuthEnabled>
            <KeyStore>ref://on-prem.myrz</KeyStore>
            <KeyAlias>myapi-apigee-edge.myrz</KeyAlias>
        </SSLInfo>
        <LoadBalancer>
            <Server name="my_server_v1"/>
        </LoadBalancer>
        <Path>/some_path</Path>
    </HTTPTargetConnection>

Shouldn’t that be handled transparently since I’ve enabled Mutual TLS already on the TargetServer "my_server_v1 Level? Feels for me duplicated and therefore I think I did something wrong.

Help appreciated guys … goal is that I just set with my scripts the Mutual TLS on the TargetServer level which helps me to parametrise some shared flows and therefore I can reuse them.

2

can you share the target server configuration what you are doing?

3

Here is the TargetServer configuration and what I do is to setup there the Two-way TLS (Mutual TLS). So I thought we don’t need this within the SSLInfo which feels duplicate … is there a way to tell: “use the settings of the TargetServer”?

10774-cleanshot-2021-02-05-at-170733.png
10774-cleanshot-2021-02-05-at-170733.png432×758 26.8 KB

4

You have enabled Two way TLS and didn’t configure the truststore. It is a required one. May be because of that you are facing issue.

1 Like
5

But neither I do at:

 <SSLInfo>
            <Enabled>true</Enabled>
            <ClientAuthEnabled>true</ClientAuthEnabled>
            <KeyStore>ref://on-prem.myrz</KeyStore>
            <KeyAlias>myapi-apigee-edge.myrz</KeyAlias>
        </SSLInfo>

So there is also no Trust Store configured.

6

Yes, I understand that you are not configuring in proxy, but if a default one is there, may be that is going like that.

But according to concept, in mtls truststore is required.

I would suggest to try with truststore.

I still doubt it’s mutual TLS. Can you try a curl request from the message processor to the backend and see what you are getting.

1 Like
7

The concept of Mutual TLS requires only a trust store if the Certificate is not singed by an official CA. In that case its signed by an official CA, so there is no need for it.

Thanks for the tip with curl => I gonna test that.