Skip to content

Mutual TLS client-side configuration

AWS

Application Load/Network Load Balancer

Mutual TLS with HTTP Proxy API (API Gateway)

  1. From the API Gateway, create a new VPC Link for HTTP APIs. Choose the subnets in both AZs (the same subnets that are used in ALB ). Add a security group to access traffic from API Gateway. Alter the ALB SG to accept traffic only from the VPC Link SG.

  2. Create a new HTTP API

    1. Do not add integration(Private integration can be added only after API creation).
    2. Do not add routes(Routes cannot be set without integration).
    3. Add a new stage to deploy your API.
    4. Create API.
  3. Create Routes - Select Method and route for your API.

  4. Select Integrations on the left and select create and attach an integration.

  5. Select private resource as Integration type.

  6. Choose your ALB/NLB and also the VPC link that was created at the start. Refer this link for help on AWS API Gateway private integration with HTTP API and a VPC Link.

HTTP APIs are designed for low-latency, cost-effective integrations with AWS services. 7. Create a Custom domain in API gateway and attach certificate to this domain and map the HTTP api and turn on mutual tls.

Turning on Mutual authentication is simple, enable this option while creating the custom domain and point to truststore which holds APICloud certificates in PEM format.

8. Attach the certificate for custom domain created in API gateway.

9. Upload certificates to be trusted by apigateway in s3 and mention the path in the created custom domain. 10. Create a route 53 record for the custom domain that was created pointing to api gateway. 11. Use this domain as the target backend in api proxy in API Cloud v2. 12. Use self-serviceable APIs to share your certificates in PEM format used by custom domain to add to truststore in apicloud V2 end.

Classic Load Balancers

Nginx Mutual TLS

This is to be used when Nginx is behind an AWS Classic loadbalancer. Nginx mutual config to be added as below to the *.conf file.

listen 443 ssl;
ssl on;
ssl_certificate      <PATH_TO_CERT_KEYSTORE>/<CERT_NAME_KEYSTORE>;
ssl_certificate_key  <PATH_TO_KEY_KEYSTORE>/<KEY_NAME_KEYSTORE>;
ssl_session_timeout  5m;
ssl_verify_depth 10;
ssl_protocols  SSLv2 SSLv3 TLSv1;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers  HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers   on;
ssl_client_certificate <PATH_TO_CERTBUNDLE_TRUSTSTORE>/<CERTBUNDLE_NAME_TRUSTSTORE>;
ssl_verify_client      optional;
  • PATH_TO_CERT_KEYSTORE - Path to the keystore certificate of the domain used.
  • CERT_NAME_KEYSTORE - Name of the certificate of the domain used.
  • KEY_NAME_KEYSTORE - Private key of the certificate of the domain used.
  • PATH_TO_CERTBUNDLE_TRUSTSTORE - Path to the truststore certificate/ certificate bundle of apigee’s domain.
  • CERTBUNDLE_NAME_TRUSTSTORE - Certificate/certificate bundle of apigee’s domain.

Use API Cloud self-serviceable APIs to upload certificates to Apigee.

Spring Boot Server Mutual TLS

Infrastructure Side

Follow these guidelines for a spring boot server which is behind an AWS Classic Load balancer:

  • Spring boot server must be behind a Classic load balancer which has a listening port set to 443 TCP and routes traffic to port 443 TCP.
  • Security group to whitelist exit IPs of apigee.

Application Code

Spring boot server keystore has a certificate and key (the same certificate is added to Truststore in Apigee).

openssl pkcs12 -export -in <SPRING_BOOT_APP_CERT> -inkey <SPRING_BOOT_APP_PRIVATE_KEY> -out apigee-keystore.p12
keytool -importkeystore -srckeystore apigee-keystore.p12 -srcstoretype PKCS12 -destkeystore <KEYSTORE_NAME>.jks -deststoretype JKS
  • SPRING_BOOT_APP_CERT - certificate for the target backend server domain.
  • SPRING_BOOT_APP_PRIVATE_KEY - private key for the domain certificate.
  • KEYSTORE_NAME - holds the keystore name containing cert and private key of the backend server domain.

Spring boot server truststore has a certificate bundle added, which has a domain, intermediate and root certificate of virtual host/domain in Apigee.

keytool -import -file ca.crt -alias apigeeCA  -storetype pkcs12 -keystore apigee-truststore.jks (keystore password apigee)
keytool -import -file ca1.crt -alias apigeeCA1  -storetype pkcs12 -keystore apigee-truststore.jks
keytool -import -file ca2.crt -alias apigeeCA2  -storetype pkcs12 -keystore apigee-truststore.jks
keytool -import -file ca3.crt -alias apigeeCA3  -storetype pkcs12 -keystore apigee-truststore.jks
  • Add the following in the spring application properties file:
server:
  port: 443
  ssl:
    key-store: classpath:<KEYSTORE_NAME>.jks
    key-store-password: <PASSWORD>
    trust-store: classpath:<TRUSTSTORE_NAME>.jks
    trust-store-password: <PASSWORD>
    client-auth: need

Add Spring security configuration to override one of the provided config methods:

@SpringBootApplication
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class X509AuthenticationServer extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated()
          .and()
          .x509();
    }
}

Use API Cloud self-serviceable APIs to upload certificates to Apigee.

Azure API Management

  • Create a “Blank api” in API Management and have the backend pointing to your application gateway .
  • Application gateway to be in public subnet.
  • Go to custom domain in API management and click your Gateway and enable Negotiate client certificate. Once this option is enabled, you can validate the certificate of the caller(ApicloudV2 in this case).

To validate the certificate, a policy has to be created to validate the thumbprint of APICloud V2 certificate. Below is the policy to validate certificates:

 <choose>
    <when condition="@(context.Request.Certificate == null || !context.Request.Certificate.Verify() || context.Request.     Certificate.Thumbprint != "<DESIRED-THUMBPRINT-IN-UPPER-CASE>")" >
       <return-response>
             <set-status code="403" reason="Invalid client certificate" />
       </return-response>
    </when>
 </choose>
  • DESIRED-THUMBPRINT-IN-UPPER-CASE - Enter the thumbprint/fingerprint(SHA-1 fingerprint) of APICloudV2’s certificate with no space.
  • Another option is to upload apicloud v2 certificate and private key bundled together in pfx format.

Steps to upload apicloud v2 certificate and private key are as follows:

  1. Under Security, select Certificates.
  2. Select Certificates > + Add.
  3. In Id, enter a name of your choice.
  4. Select your certificate from Keyvault/from your machine.
  5. Click Save.

To validate the certificate that is uploaded to api management, use below policy

   <choose>
      <when condition="@(context.Request.Certificate == null || !context.Request.Certificate.Verify()  || !context.Deployment.Certificates.Any(c => c.Value.Thumbprint == context.Request.Certificate.Thumbprint))" >
         <return-response>
               <set-status code="403" reason="Invalid client certificate" />
         </return-response>
      </when>
   </choose>

For more information, see Azure Documentation.

Steps to Download APICloud Certificate

To download the certificates:

To download the current certificate using the Command-line interface (CLI):

openssl s_client -showcerts -verify 5 -servername <END_POINT_HOST_DNS> -connect <END_POINT_HOST_DNS>:443  </dev/null 2>/dev/null |sed -n '/^-----BEGIN CERT/,/^-----END CERT/p'> <CERT_NAME>.pem

To download the root certificate from the browser:

  1. Navigate to the cloud endpoint API in your browser.

  2. Click the Lock icon that appears in the URL and then select Certificate.

  3. In the details tab you will find all the certificates. Export the root certificate.