---
title: "Optional: Configuring MTLS security"
description: Add optional MTLS security for the sideband connection between ASE and the Apigee API gateway.
component: pingintelligence
version: 5.2
page_id: pingintelligence:pingintelligence_integrations:pingintelligence_apigee_configuring_optional_mtls_security
canonical_url: https://docs.pingidentity.com/pingintelligence/5.2/pingintelligence_integrations/pingintelligence_apigee_configuring_optional_mtls_security.html
revdate: April 3, 2024
section_ids:
  about-this-task: About this task
  steps: Steps
---

# Optional: Configuring MTLS security

Add optional MTLS security for the sideband connection between ASE and the Apigee API gateway.

## About this task

Note: This feature requires ASE version 5.1.3 or later.

To configure MTLS security:

## Steps

1. Copy the Apigee TLS certificates to the deployment tool `client_certs` folder:

   1. Copy all Apigee TLS certificates to the `/opt/pingidentity/apigee-policy/client_certs/client.pem` file.

      Note: If a certificate is part of a chain, then you must copy all certificates in the chain to the `/opt/pingidentity/apigee-policy/client_certs/client.pem` file. The certificates must be in order, and the last certificate must be a root certificate or an intermediate certificate signed by a root certificate.

   2. Copy the private key file (`.key`) to `/opt/pingidentity/apigee-policy/client_certs/key.pem`.

   3. Create a `myKeystore.p12` file under `/opt/pingidentity/apigee-policy/client_certs/` using the `openssl` utility:

      ```
      openssl pkcs12 -export -out "myKeystore.p12" -inkey key.pem -in client.pem -name rootCert -passout "pass:ABC123" -passin "pass:ABC123"
      ```

      Note:

      * If the private key is encrypted or password protected, perform one of the following:

        * Add the private key password in the `mtls_password=` option in the `apigee.properties` file.

        * Remove the password requirement by using the `openssl` utility:

          ```
          cp private.key private.key.secure
          openssl rsa -in private.key.secure -out private.key
          ```

      * When creating the `myKeystore.p12` file, another password can be specified. However, that password should be the same as the private key password configured in the `mtls_password=` option in the `apigee.properties` file.

2. Copy the Apigee root certificate authority (CA) certificate to `/opt/pingidentity/ase/config/client_certs/client.pem` in ASE.

   1. Add the certificate to ASE:

      ```
      cp Apigee_root_cert.pem /opt/pingidentity/ase/config/client_certs/client.pem
      ```

   2. Restart ASE.

      Note:

      * `/opt/pingidentity/apigee-policy/client_certs/client.pem` contains the TLS certificate as a PEM file (either a certificate signed by a CA or a file containing a chain of certificates where the last certificate is signed by a CA).

      * `/opt/pingidentity/apigee-policy/client_certs/key.pem` contains a private key as a PEM file. Apigee Edge supports key sizes up to 2048 bits with an optional passphrase.

      * PEM files comply with the X.509 format. If a certificate or private key is not defined by a PEM file, it can be converted to a PEM file by using utilities such as `openssl`. If the files are text files, they use one of the following formats:

        ```
        -----BEGIN CERTIFICATE-----
        -----END CERTIFICATE-----
        ```

        ```
        -----BEGIN ENCRYPTED PRIVATE KEY-----
        -----END ENCRYPTED PRIVATE KEY-----
        ```
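
A pre-flight check for the files produced by the steps above, added here as an example; it is not part of the PingIntelligence deployment tool. The function names, the script name `check.sh` and the `MTLS_PASS` environment variable are assumptions, and the password reaches `openssl` through the environment instead of a `pass:` argument so that it does not appear in the process list.

```shell
#!/bin/sh
# Added example: verify client.pem, key.pem and myKeystore.p12 before restarting ASE.
# Names below (fail, check_mtls_bundle, P12_PASS, MTLS_PASS) are assumptions.

# fail <message>: report the failed check and leave the check subshell with status 1
fail() { echo "FAIL: $1" >&2; exit 1; }

# check_mtls_bundle <dir> <password>
# <dir> holds client.pem, key.pem and myKeystore.p12; <password> is the mtls_password value.
check_mtls_bundle() (
  dir=$1
  export P12_PASS="$2"   # read by openssl via env:, so it never appears in its argv
  tmp=$(mktemp -d) || exit 2
  trap 'rm -rf "$tmp"' EXIT

  # Split client.pem into one file per certificate: cert-1.pem (leaf), cert-2.pem, ...
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++}
                   n {print > (d "/cert-" n ".pem")}' "$dir/client.pem"
  n=$(grep -c 'BEGIN CERTIFICATE' "$dir/client.pem" || true)
  [ "${n:-0}" -ge 1 ] || fail "client.pem contains no certificate"

  # 1. The first certificate must carry the public key of key.pem.
  cert_pub=$(openssl x509 -in "$tmp/cert-1.pem" -noout -pubkey) ||
    fail "cannot parse the first certificate in client.pem"
  key_pub=$(openssl pkey -in "$dir/key.pem" -pubout -passin env:P12_PASS 2>/dev/null) ||
    fail "cannot read key.pem (wrong password?)"
  [ "$cert_pub" = "$key_pub" ] || fail "key.pem does not match the first certificate"

  # 2. Order: each certificate's issuer must be the subject of the next one.
  #    This compares names only; it does not verify signatures.
  i=1
  while [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -issuer_hash)
    subject=$(openssl x509 -in "$tmp/cert-$((i + 1)).pem" -noout -subject_hash)
    [ "$issuer" = "$subject" ] || fail "certificate $((i + 1)) did not issue certificate $i"
    i=$((i + 1))
  done

  # 3. myKeystore.p12 must open with the same password.
  openssl pkcs12 -in "$dir/myKeystore.p12" -noout -passin env:P12_PASS 2>/dev/null ||
    fail "myKeystore.p12 does not open with the given password"
  echo "OK: $n certificate(s), key matches, chain ordered, keystore opens"
)

# Run as: MTLS_PASS=... sh check.sh /opt/pingidentity/apigee-policy/client_certs
if [ "$#" -ge 1 ]; then check_mtls_bundle "$1" "${MTLS_PASS:-}"; fi
```
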
