Layer7 API Management

  • 1.  Frequently Changing Certificates?

    Posted Oct 02, 2016 06:30 PM

    Hoping someone can provide guidance... I have an API that I need to route to, but their certificate seems to change frequently (or maybe they have different certs on different services). As a result, my routing calls fail.


    What changes do I need to make to support something like this?  How should I go about importing their certificates if I can't anticipate what they will be?



  • 2.  Re: Frequently Changing Certificates?

    Posted Oct 03, 2016 11:04 AM

    If the backend isn't a Self Signed Cert and has had a Cert Authority sign their certs, then you can trust the signer. Usually this guy is valid for a few more years compared to the server certificate itself.


    Make sure the signing cert is in your trust store ( i.e. 'Manage Certificates' ) and make sure in the 'OPTIONS' that this guy is used for 'Outbound SSL Connections' and in the 'Validation' tab, that this 'Certificate is a trust anchor'.


    What this means is, that any cert that is immediately signed by this Trust Anchored Cert, will automatically be trusted, as we trust the signer.


    So, going further, any cert/private key that is deployed on your backend will be trusted, as long as those certs were signed via the signing cert we configured to be a 'Trust Anchor'.


    hope this helps,


    Doyle



  • 3.  Re: Frequently Changing Certificates?
    Best Answer

    Broadcom Employee
    Posted Oct 03, 2016 06:17 PM

    We have the following procedure in the MAG to deal with social login providers who change their certificates. You need to set cluster-wide properties. These properties configure the MAG to accept any certificate signed by well-known CAs (Certificate Authorities).

    Accept Any Signed Certificates 

    This is an optional procedure.

    If you configure MAG to accept any certificate signed by well-known CAs (Certificate Authorities), you do not have to import certificates.

    Providers change their SSL certificates frequently. To avoid connection issues, set the following cluster-wide properties:

    •  ioHttpsHostAllowWildcard=true
    •  pkix.useDefaultTrustAnchors=true

    To set cluster-wide properties:

    1. Go to Tasks, Global Settings, Manage Cluster-Wide Properties.
    2. Click Add.
    3. Select ioHttpsHostAllowWildcard from the key list and set the value to true. Click OK.
    4. Click Add. Type pkix.useDefaultTrustAnchors as the key and set the value to true. Click OK.


    Hope this helps!

    Simon
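Both replies above rest on one mechanism: trust the signing certificate, not the provider's current server certificate. Every certificate that signer issues, including the next one after a rotation and a wildcard one covering the host, chains back to the same anchor, whereas importing the leaf itself stops working the moment it changes. The Go program below is an added example written for this thread, not Layer7/MAG code. It uses only the standard library's crypto/x509 to build a throwaway CA, issue rotated and wildcard server certificates from it, and verify them against a store holding only the CA versus a store holding only the first leaf. The CA and host names are constructed sample values, and treating Go's wildcard SAN match as the analogue of ioHttpsHostAllowWildcard is my reading of that property, not something the thread states.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Results of checking each constructed certificate against two trust stores.
type Results struct {
	V1ViaAnchor, V2ViaAnchor, WildcardViaAnchor bool // store holds only the signing CA
	ForeignCARejected                           bool // leaf from an unrelated CA is refused
	V1ViaPinnedLeaf, V2ViaPinnedLeaf            bool // store holds only leaf v1 ("import their cert")
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// sign generates a fresh P-256 key, time-bounds the template, and has parent sign
// it; parent == nil means self-signed, i.e. a root CA.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// newCA makes the signing certificate: the "trust anchor" of the thread.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return sign(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotAfter: time.Now().Add(5 * 365 * 24 * time.Hour), // signers outlive the server certs they sign
		IsCA:     true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}

// issueLeaf issues a short-lived server certificate with a brand-new key, which
// is exactly what a provider "changing its certificate" does on each rotation.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, names []string) *x509.Certificate {
	leaf, _ := sign(&x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: names[0]}, DNSNames: names,
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return leaf
}

// trusted does what an outbound TLS client does: chain the presented leaf to a
// store entry and match the host name (a wildcard SAN is accepted for the host).
func trusted(leaf *x509.Certificate, store *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     store,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// runScenario issues two rotated leaves and a wildcard leaf from one CA, plus a
// leaf from an unrelated CA, and checks them against both kinds of trust store.
func runScenario() Results {
	const host = "api.provider.example" // constructed sample host, not from the thread
	ca, caKey := newCA("Provider Issuing CA")
	v1 := issueLeaf(ca, caKey, 100, []string{host})
	v2 := issueLeaf(ca, caKey, 101, []string{host}) // rotation: new key, new serial
	wild := issueLeaf(ca, caKey, 102, []string{"*.provider.example"})
	otherCA, otherKey := newCA("Unrelated CA")
	foreign := issueLeaf(otherCA, otherKey, 200, []string{host})
	anchorStore := x509.NewCertPool() // the signer marked "Certificate is a trust anchor"
	anchorStore.AddCert(ca)
	pinnedStore := x509.NewCertPool() // importing the provider's current leaf instead
	pinnedStore.AddCert(v1)
	return Results{
		V1ViaAnchor:       trusted(v1, anchorStore, host),
		V2ViaAnchor:       trusted(v2, anchorStore, host),
		WildcardViaAnchor: trusted(wild, anchorStore, host),
		ForeignCARejected: !trusted(foreign, anchorStore, host),
		V1ViaPinnedLeaf:   trusted(v1, pinnedStore, host),
		V2ViaPinnedLeaf:   trusted(v2, pinnedStore, host),
	}
}

func main() {
	fmt.Printf("%+v\n", runScenario())
}
```

Run with `go run .`: the three certificates issued by the trusted CA verify, the one from the unrelated CA does not, and the pinned-leaf store accepts v1 but rejects v2, which is the failure the original question describes. Replacing `anchorStore` with `x509.SystemCertPool()` would trust the platform's well-known CA list instead of one hand-picked signer, the same shift in policy that pkix.useDefaultTrustAnchors makes on the gateway; that is a standard-library call, but the comparison to the MAG property is my own.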