Two virtual host in same org and environment and one for two way tls and one for one way ssl

Google Cloud Apigee
1

Hello,

I am wondering if its possible to have two virtual host in same org+env with same alias and port for below use case.

I would like to set one proxy for two way TLS and second proxy for one way SSL in same alias and port.

I have read following post by @Dino

https://community.apigee.com/questions/36406/2-way-tls-between-tls-client-and-edge.html

but it did not work for me as expected.

I tried following to create two virtual host:

first one "secure":
	{
	  "name":"secure",
	  "hostAliases": ["myorg-main.apigee.net"],
	  "port": "443",
	  "sSLInfo": {
	    "clientAuthEnabled": "false",
	    "enabled": "true",
	    "ignoreValidationErrors": false,
	    "keyAlias": "freetrial",
	    "keyStore": "freetrial",
	    "protocols": []
	    }
	}
Second one "twoWayTLS":
{
  "name":"twoWayTLS",
  "hostAliases": ["myorg-main.apigee.net"],
  "port": "443",
  "sSLInfo": {
    "clientAuthEnabled": "true",
    "enabled": "true",
   "ignoreValidationErrors": false,
   "keyAlias": "freetrial",
   "keyStore": "freetrial",
   "trustStore": "ref://rootTrustStore",
    "protocols": []
    }
}

I have created trust store uploaded root certificate in trust Store, created references, and created two proxies.

  1. proxy1 with basepath “/oneway” with vhost “secure”

  2. proxy2 with basepath “/twoway” with vhost “twoWayTLS”

My expectations:

  1. client calling without certificate to proxy1 should go through.

i.e. https://myorg-main.apigee.net/oneway

  1. client calling with valid certificate to proxy2 should go through

i.e. https://myorg-main.apigee.net/twoway

  1. client calling without certificate/invalid certificate to proxy2 should fail.

i.e. https://myorg-main.apigee.net/twoway

But all the calls to both proxies are passing.

If I remove vhost “secure” and make api call to proxy2 without certificate/invalid certificate its failing. And with valid certificate its passing. So I know that proxy2 is working as expected by having only one virtual host.i.e. “twoWayTLS”

Am I missing something ?

Thanks,

2

Hi @Nitesh

As far as I know, if using the same port, a host alias needs to be unique for each VH. So what you are seeing seems correct as Edge is only honoring one of those virtual hosts at a time. That’s why when you had both, everything was passing with (AND WITHOUT) a cert but when you deleted the VH (that didn’t require a client cert), all calls then required the client cert.

Therefore, you cannot have two virtual hosts with the same port AND host alias. You can use the same port but the alias’ must be different. So, what you want to do is create a different alias for clients to connect via 2-Way-tls and another for them to connect without.

Then, in each proxy you will select the virtual host(s) you want to be available to.

Perhaps someone here can think of another way around it? Also, Dino’s use case was different. In his use case, unless I misunderstood it, the clients were ALWAYS sending a client certificate.

2 Likes
3

Correct!

I don’t know how the OP has the same alias “myorg-main.apigee.net” for 2 distinct secure vhosts. That should be invalid.

When you try setting that up, you should get an error from the admin API. “Alias already in use” or something like that. It’s clear.

4

@Robert Johnson Thanks for clarification.Will try by creating virtual host with different alias.

5

@Dino-at-Google With management api, it does allow to create 2 distinct secure vhosts with same alias.