This feature requires ASE version 5.1.3 or later.

To configure MTLS security:

  1. Copy the Apigee TLS certificates to the deployment tool client_certs folder:
    1. Copy all Apigee TLS certificates to the /opt/pingidentity/apigee-policy/client_certs/client.pem file.

      If a certificate is part of a chain, then you must copy all certificates in the chain to the /opt/pingidentity/apigee-policy/client_certs/client.pem file. The certificates must be in order, and the last certificate must be a root certificate or an intermediate certificate signed by a root certificate.

    2. Copy the private key file (.key) to /opt/pingidentity/apigee-policy/client_certs/key.pem.
    3. Create a myKeystore.p12 file under opt/pingidentity/apigee-policy/client_certs/ using the openssl utility:
      openssl pkcs12 -export -out "myKeystore.p12" -inkey key.pem -in client.pem -name rootCert -passout "pass:ABC123" -passin "pass:ABC123"
    • If the private key is encrypted or password protected, perform one of the following:
      • Add the private key password in the mtls_password= option in the file.
      • Remove the password requirement by using openssl utility:
        bash:$. cp private.key bash:$. openssl rsa -in -out server.key
    • When creating the myKeystore.p12 file, another password can be specified. However, that password should be the same as the private key password configured in the mtls_password= option in the file.
  2. Copy the Apigee root certificate authority (CA) certificate to /opt/pingidentity/ase/config/client_certs/client.pem in ASE.
    1. Add the certificate to ASE:
      bash $: cp Apigee_root_cert.pem /opt/pingidentity/ase/config/client_certs/client.pem
    2. Restart ASE.
    • /opt/pingidentity/apigee-policy/client_certs/client.pem contains the TLS certificate as a PEM file (either a certificate signed by a CA or a file containing a chain of certificates where the last certificate is signed by a CA).
    • /opt/pingidentity/apigee-policy/client_certs/key.pem contains a private key as a PEM. Apigee Edge supports key sizes up to 2048 bits with an optional passphrase.
    • PEM files comply with the X.509 format. If a certificate or private key is not defined by a PEM file, it can be converted to a PEM file by using utilities such as openssl. If the files are text files, they use one of the following formats:
      • -----BEGIN CERTIFICATE-----
        -----END CERTIFICATE-----