Add optional MTLS security for the sideband connection between ASE and the Apigee API gateway.
Note:
This feature requires ASE version 5.1.3 or later.
To configure MTLS security:
-
Copy the Apigee TLS certificates to the deployment tool
client_certs folder:
-
Copy all Apigee TLS certificates to the
/opt/pingidentity/apigee-policy/client_certs/client.pem
file.
Note:
If a certificate is part of a chain, then you must copy all certificates in the chain to the /opt/pingidentity/apigee-policy/client_certs/client.pem file. The certificates must be in order, and the last certificate must be a root certificate or an intermediate certificate signed by a root certificate.
- Copy the private key file (.key) to /opt/pingidentity/apigee-policy/client_certs/key.pem.
-
Create a myKeystore.p12 file under
opt/pingidentity/apigee-policy/client_certs/
using the
openssl
utility:openssl pkcs12 -export -out "myKeystore.p12" -inkey key.pem -in client.pem -name rootCert -passout "pass:ABC123" -passin "pass:ABC123"
Note:- If the private key is encrypted or password protected, perform one
of the following:
- Add the private key password in the mtls_password= option in the apigee.properties file.
- Remove the password requirement by using
openssl
utility:bash:$. cp private.key private.key.secure bash:$. openssl rsa -in server.key.secure -out server.key
- When creating the myKeystore.p12 file, another password can be specified. However, that password should be the same as the private key password configured in the mtls_password= option in the apigee.properties file.
-
Copy all Apigee TLS certificates to the
/opt/pingidentity/apigee-policy/client_certs/client.pem
file.
-
Copy the Apigee root certificate authority (CA) certificate to
/opt/pingidentity/ase/config/client_certs/client.pem in
ASE.
-
Add the certificate to ASE:
bash $: cp Apigee_root_cert.pem /opt/pingidentity/ase/config/client_certs/client.pem
- Restart ASE.
Note:- /opt/pingidentity/apigee-policy/client_certs/client.pem contains the TLS certificate as a PEM file (either a certificate signed by a CA or a file containing a chain of certificates where the last certificate is signed by a CA).
- /opt/pingidentity/apigee-policy/client_certs/key.pem contains a private key as a PEM. Apigee Edge supports key sizes up to 2048 bits with an optional passphrase.
- PEM files comply with the X.509 format. If a certificate or private
key is not defined by a PEM file, it can be converted to a PEM file
by using utilities such as
openssl
. If the files are text files, they use one of the following formats:-
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
-
-
Add the certificate to ASE: