Note:

This feature requires ASE version 5.1.3 or later.

To configure MTLS security:

  1. Copy the Apigee TLS certificates to the deployment tool client_certs folder:
    1. Copy all Apigee TLS certificates to the /opt/pingidentity/apigee-policy/client_certs/client.pem file.
      Note:

      If a certificate is part of a chain, then you must copy all certificates in the chain to the /opt/pingidentity/apigee-policy/client_certs/client.pem file. The certificates must be in order, and the last certificate must be a root certificate or an intermediate certificate signed by a root certificate.

    2. Copy the private key file (.key) to /opt/pingidentity/apigee-policy/client_certs/key.pem.
    3. Create a myKeystore.p12 file under /opt/pingidentity/apigee-policy/client_certs/ using the openssl utility:
      openssl pkcs12 -export -out "myKeystore.p12" -inkey key.pem -in client.pem -name rootCert -passout "pass:ABC123" -passin "pass:ABC123"
    Note:
    • If the private key is encrypted or password protected, perform one of the following:
      • Add the private key password in the mtls_password= option in the apigee.properties file.
      • Remove the password requirement by using openssl utility:
        bash $: cp private.key private.key.secure
        bash $: openssl rsa -in private.key.secure -out private.key
    • When creating the myKeystore.p12 file, another password can be specified. However, that password should be the same as the private key password configured in the mtls_password= option in the apigee.properties file.
  2. Copy the Apigee root certificate authority (CA) certificate to /opt/pingidentity/ase/config/client_certs/client.pem in ASE.
    1. Add the certificate to ASE:
      bash $: cp Apigee_root_cert.pem /opt/pingidentity/ase/config/client_certs/client.pem
    2. Restart ASE.
    Note:
    • /opt/pingidentity/apigee-policy/client_certs/client.pem contains the TLS certificate as a PEM file (either a certificate signed by a CA or a file containing a chain of certificates where the last certificate is signed by a CA).
    • /opt/pingidentity/apigee-policy/client_certs/key.pem contains a private key as a PEM. Apigee Edge supports key sizes up to 2048 bits with an optional passphrase.
    • PEM files comply with the X.509 format. If a certificate or private key is not defined by a PEM file, it can be converted to a PEM file by using utilities such as openssl. If the files are text files, they use one of the following formats:
      • -----BEGIN CERTIFICATE-----
        -----END CERTIFICATE-----
      • -----BEGIN ENCRYPTED PRIVATE KEY-----
        -----END ENCRYPTED PRIVATE KEY-----
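The two places this procedure most often goes wrong are the certificate order in client.pem (leaf first, each certificate followed by its issuer) and an encrypted key.pem with no matching mtls_password= in apigee.properties. The script below is an added example, not part of the Ping Identity or Apigee documentation or tooling: it parses the PEM blocks, pulls the issuer and subject Name fields straight out of the certificate DER, and reports any certificate that is not issued by the one after it, plus whether key.pem is encrypted. It assumes the issuer and subject names are byte-identical DER (the normal case for a chain produced by one CA) and uses constructed, unsigned certificate skeletons as sample input so it runs offline; the file paths and command-line usage are the page's, everything else is this example's own.

```python
import base64
import re

# One PEM block: label in group(1), body (base64, possibly with legacy headers) in group(2).
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block in a file's text."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_RE.finditer(text)]


def _tlv(buf, pos):
    """Decode the DER header at pos; return (tag, value_start, end_of_element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def cert_names(der):
    """Return (issuer, subject) as the raw DER Name encodings of an X.509 certificate."""
    _, pos, _ = _tlv(der, 0)                # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)              # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        pos = end
    _, _, pos = _tlv(der, pos)              # serialNumber
    _, _, pos = _tlv(der, pos)              # signature AlgorithmIdentifier
    start = pos
    _, _, pos = _tlv(der, pos)              # issuer Name
    issuer = der[start:pos]
    _, _, pos = _tlv(der, pos)              # validity
    start = pos
    _, _, pos = _tlv(der, pos)              # subject Name
    return issuer, der[start:pos]


def check_chain(text):
    """Lint client.pem: every block must be a CERTIFICATE and each certificate must be issued by
    the one that follows it (leaf first). Returns a list of problems; [] means the order is valid."""
    blocks = pem_blocks(text)
    problems = [f"block {i} is a {label}, not a CERTIFICATE"
                for i, (label, _) in enumerate(blocks) if label != "CERTIFICATE"]
    names = [cert_names(der) for label, der in blocks if label == "CERTIFICATE"]
    if not names:
        problems.append("no CERTIFICATE blocks found")
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:  # issuer of cert i must equal subject of cert i+1
            problems.append(f"certificate {i} is not issued by certificate {i + 1}: chain is out of order")
    return problems


def key_needs_password(text):
    """True when key.pem is encrypted, so mtls_password= must be set in apigee.properties
    (or the key decrypted with 'openssl rsa' as described above)."""
    labels = [m.group(1) for m in PEM_RE.finditer(text)]
    return "ENCRYPTED PRIVATE KEY" in labels or "Proc-Type: 4,ENCRYPTED" in text


# --- Constructed sample data (not real certificates): DER skeletons with only the fields read above ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):
    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; a single commonName (OID 2.5.4.3) here
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))


def fake_cert(subject_cn, issuer_cn):
    """Unsigned certificate skeleton for the sample chain; the signature BIT STRING is a placeholder."""
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))   # sha256WithRSAEncryption
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"340101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _name(issuer_cn) + validity + _name(subject_cn) + _der(0x30, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


LEAF = fake_cert("apigee-client", "Example Intermediate CA")
INTERMEDIATE = fake_cert("Example Intermediate CA", "Example Root CA")
ROOT = fake_cert("Example Root CA", "Example Root CA")              # self-signed
GOOD_CHAIN = to_pem(LEAF) + to_pem(INTERMEDIATE) + to_pem(ROOT)    # the order client.pem requires
BAD_CHAIN = to_pem(ROOT) + to_pem(INTERMEDIATE) + to_pem(LEAF)     # reversed: a common mistake

if __name__ == "__main__":
    print("good chain:", check_chain(GOOD_CHAIN) or "OK")
    print("bad chain:", check_chain(BAD_CHAIN))
```

To run it against the real files, read /opt/pingidentity/apigee-policy/client_certs/client.pem and key.pem and pass their text to check_chain and key_needs_password; an empty problem list and a False from key_needs_password means the files match the layout this page requires, and a True means the mtls_password= option must carry the key's passphrase.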