Configuring SSL from Edge to the backend service

An API proxy functions as a mapping of a publicly available endpoint to your backend service. A virtual host defines the way that the public-facing API proxy is exposed to an app. For example, the virtual host determines if the API proxy can be accessed by using SSL. When you configure an API proxy, edit its ProxyEndpoint definition to configure the virtual hosts that it uses.

The TargetEndpoint is the outbound equivalent of the ProxyEndpoint. A TargetEndpoint functions as an HTTP client from Edge to a backend service. When creating an API proxy, you can configure it to use zero or more TargetEndpoints. 

Configuring a TargetEndpoint

To configure a TargetEndpoint, edit the XML object that defines the TargetEndpoint. You can edit the TargetEndpoint by editing the XML file that defines the TargetEndpoint in your API proxy, or edit it in the Edge management UI. 

To use the Edge management UI to edit the TargetEndpoint:

  1. Log in to the Edge management UI at https://enterprise.apigee.com.
  2. In the Edge management UI menu, select APIs.
  3. Select the name of the API proxy to update.
  4. Select the Development tab.
  5. Under Target Endpoints, select default.
  6. In the code area, the TargetEndpoint definition appears, similar to below:

    <TargetEndpoint name="default">
        <Description/>
        <FaultRules/>
        <Flows/>
        <HTTPTargetConnection>
            <Properties/>
            <URL>https://weather.yahooapis.com</URL>
        </HTTPTargetConnection>
        <PreFlow name="PreFlow">
            <Request/>
            <Response/>
        </PreFlow>
        <PostFlow name="PostFlow">
            <Request/>
            <Response/>
        </PostFlow>
    </TargetEndpoint>
  7. Make any changes and save the proxy. If the API proxy has been deployed, saving it redeploys it with the new setting.

Notice that the TargetEndpoint definition contains a name property. You use the value of the name property to configure the ProxyEndpoint definition of an API proxy to use the TargetEndpoint. See API proxy configuration reference for more.

TargetEndpoints can be configured to reference a TargetServer, rather than the explicit target URL. A TargetServer configuration decouples concrete endpoint URLs from TargetEndpoint configurations. TargetServers are used to support load balancing and failover across multiple backend server instances.

Shown below is an example TargetServer definition:

<TargetServer  name="target1">
  <Host>https://weather.yahooapis.com</Host>
  <Port>80</Port>
  <IsEnabled>true</IsEnabled>
</TargetServer> 

A TargetServer is referenced by name in the <HTTPTargetConnection> element in a TargetEndpoint definition. You can configure one or more named TargetServers, as shown below. 

<TargetEndpoint name="default">
 ...
  <HTTPTargetConnection>
    <LoadBalancer>
      <Server name="target1" />
      <Server name="target2" />
    </LoadBalancer>
    <Path>/test</Path>
  </HTTPTargetConnection>
  ...
</TargetEndpoint>

See Load balancing across backend servers for more.

Configuring one-way SSL to the backend server

Configuring one-way SSL access from Edge (SSL client) to the backend server (SSL server) does not require any additional configuration on Edge. It is up to the backend server to configure SSL correctly.

You only need to make sure that the <URL> element in the TargetEndpoint definition, or the <Host> element in a TargetServer definition, references the backend service by the HTTPS protocol.

Configuring two-way SSL to the backend server

If you want to support two-way SSL between Edge (SSL client) and the backend server (SSL server):

  • Create a keystore on Edge and upload the Edge cert and private key. This cert and private key are typically supplied by the backend server.
  • If the backend server uses a self-signed cert, then create a truststore on Edge that contains the cert that you received from the backend server. 
  • Update the TargetEndpoint of any API proxies that reference the backend server to configure SSL access. 

Use the following procedure to configure two-way SSL:

  1. Create the keystore on Edge, and upload the cert and private key, by using the procedure described here: KeyStores and TrustStores.

    When you create the keystore, you specify the keystore name and key alias. You need that information to configure the TargetEndpoint. 
  2. If necessary, create a truststore on Edge, and upload the cert, as described here: KeyStores and TrustStores.

    This step is only required when the backend server uses a self-signed cert. If so, create a truststore on Edge that contains the cert that you received from the backend server. 

    When you create the truststore, you specify the truststore name. You need that information to configure the TargetEndpoint. 
     
  3. Use the Edge management UI to update the TargetEndpoint definition for the API proxy (or, if you define the API proxy in XML, edit the XML files for the proxy):
    1. Log in to the Edge management UI at https://enterprise.apigee.com.
    2. In the Edge management UI menu, select APIs.
    3. Select the name of the API proxy to update.
    4. Select the Development tab.
    5. Under Target Endpoints, select default.
    6. In the code area, edit the <HTTPTargetConnection> element to add the <SSLInfo> element. Make sure to specify the correct keystore and key alias and set both the <Enabled> and <ClientAuthEnabled> elements to true:

      <TargetEndpoint name="default">
        …
        <HTTPTargetConnection>
          <SSLInfo>
            <Enabled>true</Enabled>
            <ClientAuthEnabled>true</ClientAuthEnabled>
            <KeyStore>myKeystore</KeyStore>
            <KeyAlias>myKey</KeyAlias>
          </SSLInfo>

          <URL>https://myservice.com</URL>
        </HTTPTargetConnection>
        …
      </TargetEndpoint>

      If your TargetEndpoint references a TargetServer instead of a specific URL, update the TargetServer definition to reference the new keystore and key alias. For example:

      <TargetServer name="target1">
          ...
          <SSLInfo>
              <Enabled>true</Enabled>
              <ClientAuthEnabled>true</ClientAuthEnabled>
              <KeyStore>myKeystore</KeyStore>
              <KeyAlias>myKey</KeyAlias>
          </SSLInfo>
      </TargetServer>

      You do not have to save the API proxy if you update a TargetServer definition. 
    7. Save the API proxy. If the API proxy has been deployed, saving it redeploys it with the new setting.

If your SSL configuration required that you create a truststore, modify the <TargetEndpoint> definition to add a reference to the truststore:

  <HTTPTargetConnection>
    <SSLInfo>
      <Enabled>true</Enabled>
      <ClientAuthEnabled>true</ClientAuthEnabled>
      <KeyStore>myKeystore</KeyStore>
      <KeyAlias>myKey</KeyAlias>
      <TrustStore>myTrustStore</TrustStore>
    </SSLInfo>
    <URL>https://myservice.com</URL>
  </HTTPTargetConnection>

For more information on the options available in the TargetEndpoint, see API proxy configuration reference.
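
The one-way and two-way requirements above can be checked before a proxy bundle is deployed. The following is an added example, not Apigee code: the function name `check_ssl` and both sample definitions are constructed here, and only the elements shown on this page are inspected.

```python
import xml.etree.ElementTree as ET

def check_ssl(xml_text, two_way=True):
    """Return findings for a TargetEndpoint or TargetServer definition."""
    root = ET.fromstring(xml_text)
    # SSLInfo sits under HTTPTargetConnection in a TargetEndpoint and
    # directly under the root element in a TargetServer.
    holder = root if root.tag == "TargetServer" else root.find("HTTPTargetConnection")
    if holder is None:
        return ["no <HTTPTargetConnection> element"]
    if holder.find("LoadBalancer") is not None:
        return ["references TargetServers: check each TargetServer definition"]
    findings = []
    url = holder.findtext("URL")
    if url is not None and not url.strip().lower().startswith("https://"):
        findings.append(f"<URL> is not HTTPS: {url.strip()}")
    if not two_way:
        return findings
    ssl = holder.find("SSLInfo")
    if ssl is None:
        return findings + ["two-way SSL needs an <SSLInfo> element"]
    # Both flags must be true, and the client key must be named.
    for tag in ("Enabled", "ClientAuthEnabled"):
        if (ssl.findtext(tag) or "").strip().lower() != "true":
            findings.append(f"<{tag}> must be true")
    for tag in ("KeyStore", "KeyAlias"):
        if not (ssl.findtext(tag) or "").strip():
            findings.append(f"<{tag}> is missing or empty")
    return findings

# Constructed samples (not taken from a real proxy).
GOOD = """<TargetEndpoint name="default"><HTTPTargetConnection>
  <SSLInfo><Enabled>true</Enabled><ClientAuthEnabled>true</ClientAuthEnabled>
    <KeyStore>myKeystore</KeyStore><KeyAlias>myKey</KeyAlias></SSLInfo>
  <URL>https://myservice.com</URL>
</HTTPTargetConnection></TargetEndpoint>"""

BAD = """<TargetEndpoint name="default"><HTTPTargetConnection>
  <SSLInfo><Enabled>true</Enabled><ClientAuthEnabled>false</ClientAuthEnabled>
    <KeyStore>myKeystore</KeyStore></SSLInfo>
  <URL>http://myservice.com</URL>
</HTTPTargetConnection></TargetEndpoint>"""

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_ssl(doc) or "ok")
```

The check only confirms that the elements are present and enabled; it cannot tell whether the keystore name and key alias match what was actually created on Edge.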
