Azure API Management | Certificate mTLS

Abhay Chandramouli 966 Reputation points
2023-12-06T23:05:20.2166667+00:00

Hi,

I have an APIM instance, which has an App Gateway attached.

I am using an external system to call apis using client certificate flow.

The certificate is not reaching APIM, as explained by the following snippet from the MS Doc:

Certificate validation with context variables

You can also create policy expressions with the context variable to check client certificates. Examples in the following sections show expressions using the context.Request.Certificate property and other context properties.

Note: Mutual certificate authentication might not function correctly when the API Management gateway endpoint is exposed through the Application Gateway. This is because Application Gateway functions as a Layer 7 load balancer, establishing a distinct SSL connection with the backend API Management service. Consequently, the certificate attached by the client in the initial HTTP request will not be forwarded to APIM. However, as a workaround, you can transmit the certificate using the server variables option. For detailed instructions, refer to Mutual Authentication Server Variables.

I have a couple of questions:

  1. How do I make Azure App GW pass the certificate through as-is to APIM, so that it can be consumed using either the validate-client-certificate policy or context.Request.Certificate?
  2. If the above is not possible, can the certificate be sent in a header? If yes, how do I decode it and validate it against the certificate installed on APIM? Please provide examples or code snippets.
  3. Is this mTLS? How can we achieve mTLS with APIM and App GW?

Thanks


Accepted answer
Mike Urnun 9,761 Reputation points Microsoft Employee
2023-12-07T03:21:07.8766667+00:00

Hello @Abhay Chandramouli - Thanks for reaching out, and posting on the MS Q&A. It looks like the scenario can be accomplished as follows:

• Handle the mTLS authentication on App Gateway
• Use server variables dedicated to mTLS to rewrite HTTP headers in the request that's sent to APIM, if need be. Note the client_certificate_verification variable, which holds the result of the verification.
• On the APIM side, fetch the cert-related details from the request headers and pass them to the validation policy accordingly.

Please "Accept Answer" if the answer is helpful so that others in the community may benefit from your experience.
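Worked illustration of the third step above, and of question 2 (decoding the header and validating it), added for this thread; it is not code from the thread, from Microsoft, or from APIM. It models in Python the check an APIM inbound policy expression has to perform once an Application Gateway rewrite rule has copied the `client_certificate` and `client_certificate_verification` server variables into two request headers. The header names, the thumbprint allowlist and the certificate bytes are constructed assumptions: the PEM body stands in for a real DER certificate so that the SHA-1 thumbprint is reproducible offline.

```python
"""Offline model of the APIM-side check for a client certificate that
Application Gateway terminated (mTLS) and forwarded in request headers.

Added example for this thread; not Microsoft, App Gateway or APIM code.
Header names, the thumbprint allowlist and the certificate bytes are
constructed assumptions for the example."""
import base64
import hashlib
import hmac
import re
import urllib.parse

# Assumed header names: whatever the App Gateway rewrite rule sets from the
# {var_client_certificate} and {var_client_certificate_verification} variables.
CERT_HEADER = "X-Client-Cert"
VERIFY_HEADER = "X-Client-Cert-Verification"

# Constructed stand-in for a DER certificate. A real rewrite rule forwards the
# caller's actual certificate; these bytes only make the thumbprint reproducible.
FAKE_DER = b"abc"
FAKE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(FAKE_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)

# Pinned SHA-1 thumbprints, upper-case hex as the Azure portal shows them.
# The single entry is SHA-1(FAKE_DER), i.e. the constructed certificate above.
TRUSTED_THUMBPRINTS = {"A9993E364706816ABA3E25717850C26C9CD0D89D"}


def pem_to_der(header_value: str) -> bytes:
    """Recover the DER bytes from a PEM blob that may arrive URL-encoded or
    with its newlines collapsed by header transport."""
    text = urllib.parse.unquote(header_value)
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S
    )
    if not match:
        raise ValueError("no PEM certificate in header")
    body = re.sub(r"\s+", "", match.group(1))
    try:
        return base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"bad base64 in certificate header: {exc}") from exc


def thumbprint(der: bytes) -> str:
    """Thumbprint as APIM/Azure use it: SHA-1 over the DER encoding, hex."""
    return hashlib.sha1(der).hexdigest().upper()


def authorize(headers: dict) -> tuple:
    """Return (allowed, reason). Same order of checks a policy expression needs:
    trust the gateway's verdict first, then pin the forwarded certificate."""
    lowered = {k.lower(): v for k, v in headers.items()}
    verdict = lowered.get(VERIFY_HEADER.lower())
    # Anything other than SUCCESS (e.g. NONE when no cert was presented, or a
    # FAILED:<reason> value) is rejected before the certificate is even read.
    if verdict != "SUCCESS":
        return False, f"gateway verification result: {verdict!r}"
    pem = lowered.get(CERT_HEADER.lower())
    if not pem:
        return False, "certificate header missing"
    try:
        tp = thumbprint(pem_to_der(pem))
    except ValueError as exc:
        return False, f"unparseable certificate header: {exc}"
    # Constant-time comparison against each pinned value.
    if any(hmac.compare_digest(tp, trusted) for trusted in TRUSTED_THUMBPRINTS):
        return True, tp
    return False, f"untrusted thumbprint {tp}"


def sample_requests() -> dict:
    """Constructed header sets covering the paths a policy must handle."""
    cases = {
        "good": {CERT_HEADER: FAKE_PEM, VERIFY_HEADER: "SUCCESS"},
        "url_encoded": {CERT_HEADER: urllib.parse.quote(FAKE_PEM), VERIFY_HEADER: "SUCCESS"},
        "failed": {CERT_HEADER: FAKE_PEM, VERIFY_HEADER: "FAILED:certificate expired"},
        "no_cert": {VERIFY_HEADER: "NONE"},
        # Verified by the gateway but not one of ours ("eHl6" is base64 of b"xyz").
        "other_cert": {CERT_HEADER: FAKE_PEM.replace("YWJj", "eHl6"), VERIFY_HEADER: "SUCCESS"},
        "garbage": {CERT_HEADER: "not-a-certificate", VERIFY_HEADER: "SUCCESS"},
    }
    return {name: authorize(h) for name, h in cases.items()}


if __name__ == "__main__":
    for name, result in sample_requests().items():
        print(f"{name:12} -> {result}")
```

Two design points the check above relies on. First, the headers are only trustworthy because the gateway sets them on every request and APIM accepts traffic only from the gateway; if a caller can reach APIM directly, or if the rewrite rule leaves a client-supplied header in place, it can simply send `X-Client-Cert-Verification: SUCCESS` itself. Second, because the TLS client certificate never reaches APIM in this topology, neither `validate-client-certificate` nor `context.Request.Certificate` sees it, so the validation has to live in a policy expression over the header, as modelled here; thumbprint pinning is the simplest such check, and the gateway's other mTLS server variables (issuer, validity dates) can be forwarded and checked the same way.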

