PingIntelligence

Optional: Configuring MTLS security

Add optional MTLS security for the sideband connection between ASE and the Apigee API gateway.

About this task

This feature requires ASE version 5.1.3 or later.

To configure MTLS security:

Steps

  1. Copy the Apigee TLS certificates to the deployment tool client_certs folder:

    1. Copy all Apigee TLS certificates to the /opt/pingidentity/apigee-policy/client_certs/client.pem file.

      If a certificate is part of a chain, then you must copy all certificates in the chain to the /opt/pingidentity/apigee-policy/client_certs/client.pem file. The certificates must be in order: the client certificate that the policy presents to ASE comes first, followed by the certificate that issued it, and so on. The last certificate must be a root certificate or an intermediate certificate signed by a root certificate.

    2. Copy the private key file (.key) to /opt/pingidentity/apigee-policy/client_certs/key.pem.

    3. Create a myKeystore.p12 file under /opt/pingidentity/apigee-policy/client_certs/ using the openssl utility:

      openssl pkcs12 -export -out "myKeystore.p12" -inkey key.pem -in client.pem -name rootCert -passout "pass:ABC123" -passin "pass:ABC123"

      • If the private key is encrypted or password protected, perform one of the following:

        • Add the private key password in the mtls_password= option in the apigee.properties file.

        • Remove the password requirement by using the openssl utility. Keep the protected copy, and restrict the permissions of the unprotected key: anyone who can read it can present the policy's identity to ASE. The openssl rsa command applies to RSA keys; openssl pkey works for any key type.

          bash $: cp key.pem key.pem.secure
          bash $: openssl rsa -in key.pem.secure -out key.pem
          bash $: chmod 600 key.pem

      • When creating the myKeystore.p12 file, a different export password can be specified. However, that password must be the same as the private key password configured in the mtls_password= option in the apigee.properties file.

  2. Copy the Apigee root certificate authority (CA) certificate to /opt/pingidentity/ase/config/client_certs/client.pem in ASE. ASE validates the certificate presented by the policy against this file, so it must be the root of the chain in client.pem.

    1. Add the certificate to ASE:

      bash $: cp Apigee_root_cert.pem /opt/pingidentity/ase/config/client_certs/client.pem
    2. Restart ASE.

  The files in the deployment tool client_certs folder must meet the following requirements:

    • /opt/pingidentity/apigee-policy/client_certs/client.pem contains the TLS certificate as a PEM file (either a single certificate signed by a CA, or a chain of certificates where the last certificate is signed by a CA).

    • /opt/pingidentity/apigee-policy/client_certs/key.pem contains the matching private key as a PEM file. Apigee Edge supports key sizes up to 2048 bits with an optional passphrase.

    • PEM is the Base64 text encoding of X.509 certificates and private keys. If a certificate or private key is supplied in another format (for example DER or PKCS#12), convert it to PEM with a utility such as openssl. PEM files are text files delimited by header and footer lines such as the following:

      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----
      -----BEGIN ENCRYPTED PRIVATE KEY-----
      -----END ENCRYPTED PRIVATE KEY-----

      An unencrypted PKCS#8 key uses -----BEGIN PRIVATE KEY----- and a legacy OpenSSL RSA key uses -----BEGIN RSA PRIVATE KEY-----. ENCRYPTED PRIVATE KEY marks a passphrase-protected key, which needs mtls_password= set or the passphrase removed as described in step 1.
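The checks that steps 1 and 2 rely on can be scripted before anything is copied into place. The following POSIX shell script is an added example, not part of the PingIntelligence deployment tool or of this page. It generates a throwaway root, intermediate and client certificate under a temporary directory (an assumption standing in for the real Apigee certificate and key in /opt/pingidentity/apigee-policy/client_certs), then verifies that client.pem is ordered client certificate, intermediate, root as step 1 requires, that key.pem belongs to the first certificate, whether the key is passphrase-protected, and that the exported myKeystore.p12 opens with the password that goes into mtls_password=. The function names and the demo names are assumptions; the openssl invocations are standard.

```shell
#!/bin/sh
# Added example (not PingIntelligence code): sanity checks for the files that go
# into /opt/pingidentity/apigee-policy/client_certs. The demo PKI built under a
# temp dir is an assumption standing in for the real Apigee certificate and key.
set -eu

# Number of certificates in a PEM bundle (the chain length).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# True when the PEM key needs a passphrase (PKCS#8 or legacy OpenSSL header).
key_is_encrypted() {
    grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# Split a bundle into $2/cert.1 .. $2/cert.N, preserving file order.
split_bundle() {
    awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert." n }
                     n { print > out }' "$1"
}

# Step 1 ordering rule: each certificate is signed by the next one in the file,
# and the last one is a self-signed root or an intermediate signed by root $2.
verify_chain_order() {
    bundle=$1; root=${2:-}
    dir=$(mktemp -d); split_bundle "$bundle" "$dir"
    n=$(count_certs "$bundle"); i=1; ok=1
    while [ "$i" -lt "$n" ]; do
        j=$((i + 1))
        # -partial_chain lets an intermediate act as the trust anchor for this hop
        openssl verify -partial_chain -CAfile "$dir/cert.$j" "$dir/cert.$i" >/dev/null 2>&1 \
            || { echo "cert.$i is not signed by cert.$j (wrong order?)"; ok=0; break; }
        i=$j
    done
    last="$dir/cert.$n"
    if [ "$ok" = 1 ] && ! openssl verify -CAfile "$last" "$last" >/dev/null 2>&1; then
        if [ -z "$root" ] || ! openssl verify -CAfile "$root" "$last" >/dev/null 2>&1; then
            echo "last certificate is neither a root nor signed by the given root"; ok=0
        fi
    fi
    rm -rf "$dir"; [ "$ok" = 1 ]
}

# key.pem must belong to the first (client) certificate: compare public keys.
key_matches_leaf() {
    key=$1; bundle=$2; pass=${3:-}
    dir=$(mktemp -d); split_bundle "$bundle" "$dir"
    cert_pub=$(openssl x509 -in "$dir/cert.1" -noout -pubkey 2>/dev/null)
    if [ -n "$pass" ]; then key_pub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null)
    else key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null); fi
    rm -rf "$dir"
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Export the keystore the policy loads; the page requires one password for the key
# and the export, and it is the value of mtls_password= in apigee.properties.
build_p12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -name rootCert -out "$3" \
        -passin "pass:$4" -passout "pass:$4" 2>/dev/null
}

# Open the keystore without extracting anything: succeeds only if the MAC verifies.
p12_readable() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout -nokeys 2>/dev/null
}

# Throwaway demo PKI (assumption): root -> intermediate -> client certificate.
make_demo_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$d/leaf.ext"
    for n in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" -out "$d/$n.csr" -subj "/CN=Demo $n" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" -days 2 -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/int.pem" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial -extfile "$d/leaf.ext" -days 2 -out "$d/leaf.pem" 2>/dev/null
    cat "$d/leaf.pem" "$d/int.pem" "$d/root.pem" > "$d/client.pem"        # correct order
    cat "$d/int.pem" "$d/leaf.pem" "$d/root.pem" > "$d/wrong-order.pem"   # client cert not first
    cp "$d/leaf.key" "$d/key.pem"
    openssl pkcs8 -topk8 -in "$d/leaf.key" -out "$d/key-enc.pem" -passout pass:ABC123 2>/dev/null
}

demo() {
    work=$(mktemp -d); make_demo_pki "$work"
    echo "chain length: $(count_certs "$work/client.pem")"
    verify_chain_order "$work/client.pem" && echo "client.pem: chain order OK"
    verify_chain_order "$work/wrong-order.pem" || echo "wrong-order.pem: rejected as expected"
    key_matches_leaf "$work/key.pem" "$work/client.pem" && echo "key.pem matches the client certificate"
    key_is_encrypted "$work/key-enc.pem" && echo "key-enc.pem is passphrase-protected: set mtls_password="
    build_p12 "$work/key-enc.pem" "$work/client.pem" "$work/myKeystore.p12" ABC123
    p12_readable "$work/myKeystore.p12" ABC123 && echo "myKeystore.p12 opens with the mtls_password value"
    rm -rf "$work"
}
demo
```

Passing the password as pass:... on the command line, as the page's own openssl command does, exposes it to anyone who can list processes on the host; for a production run prefer openssl's file: or env: forms for -passin and -passout. Replace the demo PKI with the real files, and pass the Apigee root as the second argument to verify_chain_order when client.pem ends with an intermediate rather than a root.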