Layer7 API Management

  • 1.  Layer7 option to bypass CA checking for SSL Client cert request

    Posted Oct 28, 2020 10:21 AM
    Hi,

    Already opened a case a few minutes ago, thought I could also post it here.

    On API Gateway 9.4CR05 or 10CR01

    As part of our integration between API Gateway and Informatica Cloud (IICS) we need to call rest API on the Informatica Cloud side, such as https://docs.informatica.com/integration-cloud/cloud-platform/current-version/rest-api-reference/platform-rest-api-version-3-resources/login.html 

    When building an API to call this login endpoint: https://dm-us.informaticacloud.com/saas/public/core/v3/login

    We received error -5 "unknown_ca". Nothing in ssg logs on v10 but on 9.4:

    [2020/10/28-15:14:17,649]-[WARNING]-[805]-[com.l7tech.server.policy.assertion.ServerHttpRoutingAssertion]-4042: Problem routing to 
    https://dm-us.informaticacloud.com/saas/public/core/v3/login
    . Error msg: Unable to obtain HTTP response from 
    https://dm-us.informaticacloud.com/saas/public/core/v3/login:
     Received fatal alert: unknown_ca

    Tracing at the network level we can see that during SSL handshaking, Informatica is sending as part of Server Hello a certificate request, with CA we do not know:

    How can we bypass this optional certificate request on the API Gateway? We don't have access to .pem for those CAs.



  • 2.  RE: Layer7 option to bypass CA checking for SSL Client cert request

    Broadcom Employee
    Posted Oct 28, 2020 01:04 PM
    Load the server certificate into the trust store and declare it as trusted for Outbound SSL. This is how we declare explicit trust in a server certificate. You can retrieve it using the url for the endpoint.

    ------------------------------
    Jay MacDonald - Adoption Architect - Broadcom API Management (Layer 7)
    ------------------------------



  • 3.  RE: Layer7 option to bypass CA checking for SSL Client cert request

    Posted Oct 28, 2020 01:14 PM
    Edited by Philippe Brand Oct 28, 2020 01:19 PM
    It is indeed working on 10CR01 and not 9.4. Made a mistake above.

    In fact problem is not on trusting the server. I do have intermediate and Root CA of remote server (Hydrant and QuoVadis, for Informatica Cloud).
    Problem comes from handling SSL ***Client*** Certificate request in SSL handshaking.
    On 9.4 it seems it does check whether it trusts the advertised CA list or not (Informatica Cloud Issuing CA and Internal Hostnamed Root CA). On v10 it just ignores the CA list and returns an empty cert to the server (which is normal behaviour).
    My screenshot above shows it. We are way past Server Cert, already exchanged Client Hello and Server Hello.

    Thus problem solved upgrading to v10. I didn't see this explicitly mentioned in v10 documentation's changelog though.

    Screenshot on v10:
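The message the first and third posts are looking at in the network trace is the TLS 1.2 CertificateRequest (RFC 5246, section 7.4.4): the server lists the certificate types, signature algorithms and, as DER Distinguished Names, the CA names it would accept a client certificate from. A client that holds no matching certificate is expected to answer with an empty Certificate message, which is the v10 behaviour described above. The following is an added example, not code from the thread or from the Layer7 product: it builds a constructed CertificateRequest with two made-up issuer names (not Informatica's real CAs), parses it back, and reports which advertised CA names are absent from a local trust list, which is the check an operator would run over a captured handshake to see why a gateway complains about an unknown CA.

```python
"""Parse a TLS 1.2 CertificateRequest handshake message and list the CA names the
server advertises. Added example; sample message and CA names are constructed."""

# OID (DER value bytes) -> short attribute name, enough for typical issuer DNs
ATTR_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O"}


def der(tag, body):
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def der_read(buf, pos):
    """Decode one TLV at pos -> (tag, body, next_pos)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        n = first
    else:
        k = first & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def make_name(rdns):
    """Build a DER Name (SEQUENCE of SET of AttributeTypeAndValue) from [(attr, value)]."""
    oid_by_name = {v: k for k, v in ATTR_NAMES.items()}
    sets = b"".join(der(0x31, der(0x30, der(0x06, oid_by_name[a]) + der(0x0C, v.encode())))
                    for a, v in rdns)
    return der(0x30, sets)


def name_to_str(der_name):
    """Render a DER Name as 'CN=..., O=...' in encoded order (single-valued RDNs)."""
    tag, body, _ = der_read(der_name, 0)
    if tag != 0x30:
        raise ValueError("Name is not a SEQUENCE")
    parts, pos = [], 0
    while pos < len(body):
        _, rdn_set, pos = der_read(body, pos)
        _, atv, _ = der_read(rdn_set, 0)
        _, oid, p = der_read(atv, 0)
        _, value, _ = der_read(atv, p)
        parts.append(f"{ATTR_NAMES.get(oid, oid.hex())}={value.decode('utf-8', 'replace')}")
    return ", ".join(parts)


def make_certificate_request(ca_names):
    """Build a TLS 1.2 CertificateRequest handshake message (HandshakeType 13)."""
    cert_types = bytes([1, 64])                   # rsa_sign, ecdsa_sign
    sig_algs = bytes([0x04, 0x01, 0x04, 0x03])    # sha256+rsa, sha256+ecdsa
    cas = b"".join(len(n).to_bytes(2, "big") + n for n in ca_names)
    body = (bytes([len(cert_types)]) + cert_types
            + len(sig_algs).to_bytes(2, "big") + sig_algs
            + len(cas).to_bytes(2, "big") + cas)
    return bytes([13]) + len(body).to_bytes(3, "big") + body


def parse_certificate_request(msg):
    """Return certificate types, signature algorithms and advertised CA names."""
    if msg[0] != 13:
        raise ValueError("not a CertificateRequest handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated CertificateRequest")
    n, pos = body[0], 1
    cert_types, pos = list(body[pos:pos + n]), pos + n
    n, pos = int.from_bytes(body[pos:pos + 2], "big"), pos + 2
    sig_algs = [(body[i], body[i + 1]) for i in range(pos, pos + n, 2)]
    pos += n
    n, pos = int.from_bytes(body[pos:pos + 2], "big"), pos + 2
    end, cas = pos + n, []
    while pos < end:
        dn_len, pos = int.from_bytes(body[pos:pos + 2], "big"), pos + 2
        cas.append(name_to_str(body[pos:pos + dn_len]))
        pos += dn_len
    return {"certificate_types": cert_types, "signature_algorithms": sig_algs,
            "certificate_authorities": cas}


def unknown_cas(advertised, trusted):
    """Advertised CA names that are not in the local trust list."""
    return [ca for ca in advertised if ca not in trusted]


# Constructed sample: two issuer names a server might advertise (not real CA names)
SAMPLE_REQUEST = make_certificate_request([
    make_name([("CN", "Example Cloud Issuing CA"), ("O", "Example Cloud")]),
    make_name([("CN", "Example Internal Root CA"), ("O", "Example Corp")]),
])
TRUSTED = ["CN=Example Cloud Issuing CA, O=Example Cloud"]   # constructed trust list

if __name__ == "__main__":
    req = parse_certificate_request(SAMPLE_REQUEST)
    for ca in req["certificate_authorities"]:
        print("advertised:", ca)
    print("not in local trust list:", unknown_cas(req["certificate_authorities"], TRUSTED))
```

The DER handling is deliberately minimal (single-valued RDNs, UTF8String values, CN and O only), which covers the issuer names seen in most handshakes; anything else is rendered by OID. The point for the gateway case is that an entry in the "not in local trust list" output is informational, not an error: the server's list tells the client where a client certificate may come from, and a client with none should simply send an empty Certificate rather than refuse the handshake.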