I’m happy

HTTPS / SSL Solution Proposal

Edit Subject

People: API providers, API consumers

Problem: cannot use HTTPS/SSL to encrypt API requests and responses with Apigee

Proposed Solution Overview: provide support for HTTPS with 1-way SSL certificates. 2-way SSL certificate support will not be offered immediately.

Proposed Solution for API Consumers:
Apigee would open the HTTPS port (443) and provide a wildcard SSL certificate, *.apigee.com. Developers consuming APIs would have their requests and responses encrypted from the client to Apigee and from Apigee to the target API. For example, a request to the Twitter API using Apigee would use a URL like:
https://my-twitter.apigee.com/statuses/public_timeline.jsonThe developer would not be required to perform any additional steps to support SSL.

Proposed Solution for API Providers (with DNS Domain Mapping):
Apigee would open the HTTPS port (443) and the API provider would need to upload a public SSL certificate to Apigee. Requests and responses would be encrypted from clients to Apigee and from Apigee to the target API. A developer using Apigee would make requests with URLs like: https://api.alohacrm.com/accounts.json Important: for DNS Domain Mapping the API provider must upload to Apigee the public SSL certificate for the domain being mapped, for example api.alohacrm.com.

Proposed Solution for API Providers (with Reverse Proxy on HTTP Server):
Apigee would open the HTTPS port (443) and provide a wildcard SSL certificate, *.apigee.com. Requests and responses would be encrypted from clients to Apigee and from Apigee to the target API. A developer using Apigee would make requests with URLs like: https://alohacrm.apigee.com/accounts.jsonAssuming the API provider already has a SSL certificate on his API servers, he would not need to take any additional steps.

Proposed Solution for API Providers (without Domain Mapping):
Apigee would open the HTTPS port (443) and provide a wildcard SSL certificate, *.apigee.com. Requests and responses would be encrypted from clients to Apigee and from Apigee to the target API. A developer using Apigee would make requests with URLs like: https://alohacrm.apigee.com/accounts.jsonAssuming the API provider already had a working SSL certificate on his API servers he would not need to take any additional steps.

8 people like
this idea +1

Implemented

Official Response

EMPLOYEE

Demote

Remove

Marsh (Product Manager) November 10, 2009 14:56

Update: we now have SSL support for the first and last case in Brian's proposal, details available on the blog. As always, feedback welcome!

I’m excited

0

Edit

Delete

Remove

Official

TiernanO September 11, 2009 16:46

Sounds cool... would our certs that publishers send to you need to be signed properly, or could we use self signed certs?

good point! good point! (undo)
- view -1 more comments
- Manoj Chakraboty September 11, 2009 17:38
  
  yes it can be a self signed cert too.
  
  Edit
  
  Delete
  
  Remove
- Cancel
- Cancel
Edit Your Reply (some HTML allowed)
What's the status of this idea?

Sounds cool... would our certs that publishers send to you need to be signed properly, or could we use self signed certs?

How does this make you feel? Add Image

I'm
e.g. sad, anxious, confused, frustrated happy, confident, thankful, excited kidding, amused, unsure, silly indifferent, undecided, unconcerned
Cancel
0

Edit

Delete

Remove

Official

Dobes Vandermeer September 11, 2009 18:53

This looks good to me ...

Comment

good point! good point! (undo)
- Cancel
Edit Your Reply (some HTML allowed)
What's the status of this idea?

This looks good to me ...

How does this make you feel? Add Image

I'm
e.g. sad, anxious, confused, frustrated happy, confident, thankful, excited kidding, amused, unsure, silly indifferent, undecided, unconcerned
Cancel
I’m happy

0

Edit

Delete

Remove

Official

Mike September 17, 2009 17:18

A co-worker and I were just discussing the lack of SSL when using apigee this would be great.

good point! good point! (undo)
- view -1 more comments
- Marsh (Product Manager) November 10, 2009 14:59
  
  Mike, you can now proxy an SSL API by prefixing the setup URL with "https://". See the blog post for more details.
  
  Edit
  
  Delete
  
  Remove
- Cancel
- Cancel
Edit Your Reply (some HTML allowed)
What's the status of this idea?

A co-worker and I were just discussing the lack of SSL when using apigee this would be great.

How does this make you feel? Add Image

I'm
e.g. sad, anxious, confused, frustrated happy, confident, thankful, excited kidding, amused, unsure, silly indifferent, undecided, unconcerned
Cancel
0

Edit

Delete

Remove

Official

brettser September 29, 2009 20:21

Hi, your FAQ mentions:
You can continue to use your existing API identity, authentication and authorization scheme with Apigee. If you currently use developer keys, you can use these with Apigee.

As an API provider, if I currently use 2way SSL with signed digital certs and user/pass then is it possible to set up apigee with the cert and with the user/pass details so that developer can send an unauthorized request to apigee and have apigee send a secure request? I couldnt see this in the API setup/config.

good point! good point! (undo)
- view 4 more comments
- brian (Employee) September 30, 2009 04:37
  
  Hi brettser,
  
  at the moment we are building out the solutions specified above for 1-way SSL. once we finish those, we'll turn our attention to 2-way SSL.
  
  Would you be up for giving us feedback once we craft our solution proposal for 2-way?
  
  -b
  
  Edit
  
  Delete
  
  Remove
- Cancel
- brettser September 30, 2009 19:02
  
  Yes - absolutely
  
  Edit
  
  Delete
  
  Remove
- Cancel
- brian (Employee) September 30, 2009 19:17
  
  awesome. we'll be in touch.
  
  Edit
  
  Delete
  
  Remove
- Cancel
- Manoj Chakraboty November 10, 2009 07:25
  
  Hello brettser,
  to Make sure i got your problem. You have an api which uses HttpBasic Auth ( assume thats what you mean when u say u have uid/pwd) and to encrypt the above credentials you use two way SSL.
  
  Couple of questions:
  1) with apigee do you still need two way SSL, u can authenticate that the request came from the client without using Two way SSL since apigee is a proxy all requests will be coming from a static IP.
  2) Can you explain the following statement "developer can send an unauthorized request to apigee and have apigee send a secure request". do you want to expose a unsecure api for a secure api and why would you want to do that.
  
  One way of solving your use case would be proxy your api with apigee using 1-way ssl and exposing a secured 1 -way ssl with the developer.
  
  so the developer can send a authorized request which will be encrypted ( since he would be using a secure api) and the credentials are forwared to your endpoint using 1-way ssl.
  
  please let me know your thoughts and if that solves your use case
  
  Edit
  
  Delete
  
  Remove
- Cancel
- Marsh (Product Manager) November 10, 2009 14:55
  
  Manoj, in point #1, will the pool of static addresses grow in the future? What if we migrate to a new data center?
  
  Edit
  
  Delete
  
  Remove
- Cancel
- Manoj Chakraboty November 10, 2009 18:13
  
  Hey Marsh,
  when we move to the new data center we would do a reverse NAT so for an endpoint it would look like coming from a single IP.
  
  Hope that answers the question.
  
  Edit
  
  Delete
  
  Remove
- Cancel
- Cancel
Edit Your Reply (some HTML allowed)
What's the status of this idea?

Hi, your FAQ mentions: You can continue to use your existing API identity, authentication and authorization scheme with Apigee. If you currently use developer keys, you can use these with Apigee. As an API provider, if I currently use 2way SSL with signed digital certs and user/pass then is it possible to set up apigee with the cert and with the user/pass details so that developer can send an unauthorized request to apigee and have apigee send a secure request? I couldnt see this in the API setup/config.

How does this make you feel? Add Image

I'm
e.g. sad, anxious, confused, frustrated happy, confident, thankful, excited kidding, amused, unsure, silly indifferent, undecided, unconcerned
Cancel
EMPLOYEE

0

Edit

Delete

Remove

Official

Marsh (Product Manager) November 10, 2009 14:56

Update: we now have SSL support for the first and last case in Brian's proposal, details available on the blog. As always, feedback welcome!

Comment

good point! good point! (undo)
- Cancel
Edit Your Reply (some HTML allowed)
What's the status of this idea?

Update: we now have SSL support for the first and last case in Brian's proposal, <a href="http://www.apigee.com/blog_detail/new_features_ssl_support_and_remember-me/">details available on the blog</a>. As always, feedback welcome!

How does this make you feel? Add Image

I'm
e.g. sad, anxious, confused, frustrated happy, confident, thankful, excited kidding, amused, unsure, silly indifferent, undecided, unconcerned
Cancel
0

Edit

Delete

Remove

Official

Wes Mahler June 28, 2010 19:46

Your guys' ssl thing does not work.

Comment

good point! good point! (undo)
- Cancel
Edit Your Reply (some HTML allowed)
What's the status of this idea?

Your guys' ssl thing does not work.

How does this make you feel? Add Image

I'm
e.g. sad, anxious, confused, frustrated happy, confident, thankful, excited kidding, amused, unsure, silly indifferent, undecided, unconcerned
Cancel
0

Edit

Delete

Remove

Official

Wes Mahler June 28, 2010 19:51

It forces me to use

*.company.apigee.com

for my apigee api url, and that does not allow my cert to work correctly.

please email me! I can't use the service

Comment

good point! good point! (undo)
- Cancel
Edit Your Reply (some HTML allowed)
What's the status of this idea?

It forces me to use *.company.apigee.com for my apigee api url, and that does not allow my cert to work correctly. please email me! I can't use the service

How does this make you feel? Add Image

I'm
e.g. sad, anxious, confused, frustrated happy, confident, thankful, excited kidding, amused, unsure, silly indifferent, undecided, unconcerned
Cancel
I’m frustrated

0

Edit

Delete

Remove

Official

Timothy July 27, 2010 02:24

Hi, I can't appear to use this.

I have an api that looks as follows:

"https://api.postalmethods.com/2009-09..."

I created an api proxy in apigee, putting in the https. But what I get back is an error, saying OPEN SSL error, cannot match hostname.

Comment

good point! good point! (undo)
- Cancel
Edit Your Reply (some HTML allowed)
What's the status of this idea?

Hi, I can't appear to use this. I have an api that looks as follows: "https://api.postalmethods.com/2009-09-09/PostalWS.asmx?WSDL" I created an api proxy in apigee, putting in the https. But what I get back is an error, saying OPEN SSL error, cannot match hostname.

How does this make you feel? Add Image

I'm
e.g. sad, anxious, confused, frustrated happy, confident, thankful, excited kidding, amused, unsure, silly indifferent, undecided, unconcerned
Cancel
0

Edit

Delete

Remove

Official

Manoj Chakraboty July 27, 2010 06:22

Hello Timothy,

we currently support ssl endpoint as https://..apigee.com. However as you duly noted that this does not match the hostname because according to the RFC *.apigee.com does not match to *.*.apigee.com and the hostname verfication fails.

we are in the process of deploying a solution to fix this where in you can access a ssl endpoint as -.apigee.com i.e. assuming you domain name is test it would be postalmethods-test.apigee.com.
this solution is going to go live by 08/03.

In the meantime if you can disable host name verification in your code this would give some relief till next Tuesday.

Hope that answers your question.

Comment

good point! good point! (undo)
- Cancel
Edit Your Reply (some HTML allowed)
What's the status of this idea?

Hello Timothy, we currently support ssl endpoint as https://<apiname>.<domainname>.apigee.com. However as you duly noted that this does not match the hostname because according to the RFC *.apigee.com does not match to *.*.apigee.com and the hostname verfication fails. we are in the process of deploying a solution to fix this where in you can access a ssl endpoint as <apiname>-<domainname>.apigee.com i.e. assuming you domain name is test it would be postalmethods-test.apigee.com. this solution is going to go live by 08/03. In the meantime if you can disable host name verification in your code this would give some relief till next Tuesday. Hope that answers your question.

How does this make you feel? Add Image

I'm
e.g. sad, anxious, confused, frustrated happy, confident, thankful, excited kidding, amused, unsure, silly indifferent, undecided, unconcerned
Cancel
I’m confused

0

Edit

Delete

Remove

Official

roguecartel July 27, 2010 14:49

Hi, is there a way I can set my endpoint to just *.apigee.com? Seems like since that was set, there's a way to do that, maybe?

Otherwise, how do I disable hostname verification in my code (ruby on rails)?

Thanks.

Comment

good point! good point! (undo)
- Cancel
Edit Your Reply (some HTML allowed)
What's the status of this idea?

Hi, is there a way I can set my endpoint to just *.apigee.com? Seems like since that was set, there's a way to do that, maybe? Otherwise, how do I disable hostname verification in my code (ruby on rails)? Thanks.

How does this make you feel? Add Image

I'm
e.g. sad, anxious, confused, frustrated happy, confident, thankful, excited kidding, amused, unsure, silly indifferent, undecided, unconcerned
Cancel
0

Edit

Delete

Remove

Official

Manoj Chakraboty July 27, 2010 15:45

some months back we introduced the concept of a domain name as a namespace qualifier to qualify the proxy names in order to avoid proxy name collision.

as i mentioned please wait till 08/03 we would deploy the change to allow access to ssl endpoints as -.apigee.com

in the meantime for disabling hostname verification in ruby can u try this.
http.verify_mode = OpenSSL::SSL::VERIFY_NONE

Comment

good point! good point! (undo)
- Cancel
Edit Your Reply (some HTML allowed)
What's the status of this idea?

some months back we introduced the concept of a domain name as a namespace qualifier to qualify the proxy names in order to avoid proxy name collision. as i mentioned please wait till 08/03 we would deploy the change to allow access to ssl endpoints as <name>-<domainname>.apigee.com in the meantime for disabling hostname verification in ruby can u try this. http.verify_mode = OpenSSL::SSL::VERIFY_NONE

How does this make you feel? Add Image

I'm
e.g. sad, anxious, confused, frustrated happy, confident, thankful, excited kidding, amused, unsure, silly indifferent, undecided, unconcerned
Cancel
EMPLOYEE

0

Edit

Delete

Remove

Official

Marsh (Product Manager) August 10, 2010 22:22

The change Manoj mentioned above has been pushed into production. Details can be found on our blog. Basically, any endpoint that followed the subdomain.username.apigee.com pattern can now be accessed via subdomain-username.apigee.com. Please let us know if you have any feedback!

Comment

good point! good point! (undo)
- Cancel
Edit Your Reply (some HTML allowed)
What's the status of this idea?

The change Manoj mentioned above has been pushed into production. Details can be found <a href="http://apigee.com/blog_detail/new_apigee_endpoints_to_improve_ssl/">on our blog</a>. Basically, any endpoint that followed the subdomain.username.apigee.com pattern can now be accessed via subdomain-username.apigee.com. Please let us know if you have any feedback!

How does this make you feel? Add Image

I'm
e.g. sad, anxious, confused, frustrated happy, confident, thankful, excited kidding, amused, unsure, silly indifferent, undecided, unconcerned
Cancel