Azure API Management – x509 Policies and Security Constraints

When working with x509 certificates in Azure API Management, it is possible to accept an x509 certificate on the initial call in order to identify the client.

This means the POST to Azure API Management includes the x509 certificate, and the policies should validate that the certificate is present.

Where things go astray is when we also have an x509 certificate securing the backend channel. Now we have the possibility of two certificates.

One to identify the client. One to secure the backend channel.

Great! No issues so far: we can check the client certificate as it comes in, and we can attach an x509 certificate to secure the backend with a one-liner in an APIM policy.

Here is where issues arise!

What issues can present themselves in this scenario?

Unable to update API definition manually

a) When securing the backend channel from APIM, try to update your API definition from the GUI (Portal) and let me know if you can attach the x509 certificate so that the API does not complain about a missing certificate before it renders the Swagger definition for APIM to consume….

Move two certificates to the API

b) What if your first x509 certificate is used to identify a particular client and match it against a database in the API? Now we have to send down two x509 certificates.

Here are fixes to both of these issues in APIM:

Unable to update API definition manually

For (a), where we have issues updating manually because x509 certificates cannot be attached in the Portal (for that matter, it is also not possible in the Developer Portal when you use the Try It! feature, so your clients are stuck using unit tests and cannot use the tooling manually), deploy the API definition through automation instead, as described in these posts:

https://www.codit.eu/blog/2016/01/25/deploy-your-swagger-api-to-azure-api-management-automatically/

https://mobilefirstcloudfirst.net/2017/07/setting-continuous-delivery-azure-api-management-vsts/

Move two certificates to the API

<!-- Relay the client certificate the caller presented -->
<choose>
    <when condition="@(context.Request.Certificate != null)">
        <set-header name="X-APIM-ClientCert" exists-action="override">
            <value>@(Convert.ToBase64String(context.Request.Certificate.GetRawCertData()))</value>
        </set-header>
    </when>
</choose>

<!-- Send the x509 certificate that secures the backend channel -->
<authentication-certificate thumbprint="your certificate thumbprint here" />

The relay block takes the client certificate (x509) that the client sent and moves it into the X-APIM-ClientCert (custom) header; the authentication-certificate thumbprint will relay your own certificate in the x-arr header. You have two headers going downstream…ensure you enforce HTTPS.

x-arr is for the APIM-to-API/web app mutual TLS authentication.
X-APIM-ClientCert (or whatever you choose to call it) relays the client certificate downstream.
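As an added example that is not part of the original post, here is the backend side of the two-header scheme in Python: the API only trusts the relayed X-APIM-ClientCert header once the hop certificate matches APIM's own thumbprint, then maps the client thumbprint to an identity. The App Service hop header name X-ARR-ClientCert, the certificate bytes and the client table are constructed stand-ins.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed stand-ins for DER-encoded certificates (valid ASN.1 SEQUENCE
# framing only, not real certificates); in production these are the raw
# bytes that APIM base64-encodes with GetRawCertData().
APIM_CERT_DER = b"\x30\x06\x02\x01\x01\x02\x01\x02"
CLIENT_A_CERT_DER = b"\x30\x06\x02\x01\x0a\x02\x01\x0b"
UNKNOWN_CERT_DER = b"\x30\x06\x02\x01\x63\x02\x01\x64"

def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER bytes, upper-case hex: the value Azure displays as the thumbprint."""
    return hashlib.sha1(der).hexdigest().upper()

# Constructed: thumbprint -> client id, standing in for the API's database lookup.
KNOWN_CLIENTS = {thumbprint(CLIENT_A_CERT_DER): "client-a"}

def encode_cert_header(der: bytes) -> str:
    """What the APIM policy does with Convert.ToBase64String(...)."""
    return base64.b64encode(der).decode("ascii")

def decode_cert_header(value):
    """Return DER bytes from a base64 header value, or None if absent or malformed."""
    if not value:
        return None
    try:
        der = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    # A DER certificate is an ASN.1 SEQUENCE (tag 0x30); reject anything else early.
    return der if der[:1] == b"\x30" else None

def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, val in headers.items():
        if key.lower() == name.lower():
            return val
    return None

def identify_client(headers, known_clients=KNOWN_CLIENTS,
                    apim_thumbprint=thumbprint(APIM_CERT_DER)):
    """Return the client id for a request relayed by APIM, or None.

    Order matters: the relayed client cert header is only as trustworthy as the
    channel it arrived on, so the hop certificate (X-ARR-ClientCert, assumed to
    be how the platform surfaces the mutual TLS peer) must be APIM's first."""
    hop = decode_cert_header(_header(headers, "X-ARR-ClientCert"))
    if hop is None or not hmac.compare_digest(thumbprint(hop), apim_thumbprint):
        return None
    client = decode_cert_header(_header(headers, "X-APIM-ClientCert"))
    return None if client is None else known_clients.get(thumbprint(client))
```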

Happy Coding!