Hello Jeroen Willems,
In Datapower, in HTTPS FSH, we can configure the TLS server profile. Inside, under validate credentials, we can add an external consumer certificate to validate them to establish mutual SSL authentication.
Consider that there is no DataPower MPGW HTTPS FSH in DP. We are exposing direct API endpoints to external consumers. Consumers will directly call the APIC endpoint. How can we achieve that mutual SSL in APIC?
I thought the below would fulfill my requirements. If not, what happens if I add a TLS Server profile to any Gateway in Cloud Manager by configuring the Trust store with an External consumer certificate and the key store with an APIC server certificate?
https://www.ibm.com/docs/en/api-connect/10.0.5.x_lts?topic=overview-creating-tls-server-profile
This one is clearly proving how to apply mutual SSL to an API. https://www.ibm.com/docs/en/api-connect/10.0.5.x_lts?topic=definition-configuring-application-authentication-api
Still, I am not sure about the difference between both of them.
What needs to be done to implement SSL mutual authentication between External Clients and APIC? Or else, is following the below enough to achieve mutual SSL between the client and APIC, so that the external client certificate doesn't need to be added to the Cloud Manager Topology using a TLS Server Profile?
https://www.ibm.com/docs/en/api-connect/10.0.5.x_lts?topic=definition-configuring-application-authentication-api
Please assist me with your inputs.
------------------------------
Krishna
------------------------------
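The part of the question that a TLS server profile answers is the transport-level check: during the handshake the gateway accepts a client certificate only if it chains to a CA placed in the profile's trust store, and the key store supplies the server's own certificate and private key. The script below is an added example, not from this thread or from IBM's documentation, that emulates that trust-store decision with plain openssl: it builds a constructed "Consumer CA", issues one consumer certificate from it, creates one self-signed certificate from a party that was never onboarded, and shows which of the two the trust store would accept. All certificate names and files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): emulate what a TLS server profile's
# trust store decides during a mutual-TLS handshake. Only a client certificate
# whose chain ends at a CA in the trust store is accepted; everything else is
# rejected before any API policy runs. All names below are constructed.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. The CA the API provider places in the trust store (constructed CA).
make_trust_store() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/consumer-ca.key" -out "$WORK/consumer-ca.crt" \
        -subj "/CN=Example Consumer CA" >/dev/null 2>&1
    echo "$WORK/consumer-ca.crt"
}

# 2. A consumer certificate issued by that CA: what an onboarded client
#    presents in the handshake. Prints the path of the signed certificate.
issue_consumer_cert() {
    name="$1"
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
        -out "$WORK/$name.csr" -subj "/CN=$name" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/$name.csr" \
        -CA "$WORK/consumer-ca.crt" -CAkey "$WORK/consumer-ca.key" \
        -CAcreateserial -out "$WORK/$name.crt" >/dev/null 2>&1
    echo "$WORK/$name.crt"
}

# 3. A self-signed certificate from a party the provider never onboarded.
make_untrusted_cert() {
    name="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$name.key" -out "$WORK/$name.crt" \
        -subj "/CN=$name" >/dev/null 2>&1
    echo "$WORK/$name.crt"
}

# The trust-store check itself: returns 0 (accept) when the presented
# certificate chains to a CA in the store, 1 (reject) otherwise.
trust_store_accepts() {
    store="$1"
    presented="$2"
    if openssl verify -CAfile "$store" "$presented" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

STORE="$(make_trust_store)"
GOOD="$(issue_consumer_cert partner-app)"
BAD="$(make_untrusted_cert stranger-app)"

trust_store_accepts "$STORE" "$GOOD" && echo "partner-app: accepted (chains to a trust store CA)"
trust_store_accepts "$STORE" "$BAD" || echo "stranger-app: rejected (not issued by a trusted CA)"
```

The point to take from it: a trust store holds issuing CA certificates, not a list of allowed applications. Any certificate that CA issues will pass the handshake, so identifying which registered application is calling is a separate check made on the presented certificate after the connection is established.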
Original Message:
Sent: Thu October 05, 2023 05:13 PM
From: Jeroen Willems
Subject: Mutual SSL Authentication in APIC
Hi Krishna,
It all depends on what exactly you understand by mTLS.
Have a look at https://www.ibm.com/docs/en/api-connect/10.0.5.x_lts?topic=definition-configuring-application-authentication-api; I think this explains what you need.
------------------------------
Jeroen Willems
Integration Architect - Managing Partner
Integration Designers
Original Message:
Sent: Thu October 05, 2023 09:36 AM
From: Krishna
Subject: Mutual SSL Authentication in APIC
Hello All,
In DP, we can add TLS server profiles under the FSH of MPGW for SSL mutual authentication when receiving a call. Now we have no MPGW in DP. Calls will directly come to APIC. When I directly expose the APIC endpoint to the consumer, when he makes a call, it should be under mutual authentication: SSL authentication between the consumer and the APIC endpoint (front end). Can we do the same in APIC without relying on DP?
Can I do like below:
Cloud manager - resources.
Create a Trust store (external consumer cert)
Create a Key store (it will have our public key and private key)
In the same resources we now have to create a TLS server profile. There we can add a trust store and key store.
Now go to any one environment gateway, edit it, then under TLS server profile we can add the already created TLS server profile.
Is it all we need to do to establish mutual ssl in between the external consumer and APIC?
Please assist me on this.
------------------------------
Krishna
------------------------------