Layer7 API Management

  • 1.  GMU - Features

    Posted Aug 16, 2017 12:06 PM

    Hello Guys,

     

    I was wondering whether GMU offers any features such as:

    1) export all policies except few which I want to exclude.

    2) certificate/keys can be exported/imported exclusively using GMU.

     

    Thanks,

    Ankush



  • 2.  Re: GMU - Features
    Best Answer

    Broadcom Employee
    Posted Aug 16, 2017 05:49 PM

    Ankush,

     

    In response to your questions:

    1) export all policies except few which I want to exclude.

    Response: You cannot exclude only certain policies during the export, but you can during the import back. Worthy of an idea.

    2) certificate/keys can be exported/imported exclusively using GMU.

    Response: Yes, please look to use the restman options within the GMU or use the Restman command directly.

    Import private key through REST API 

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support



  • 3.  Re: GMU - Features

    Posted Aug 17, 2017 07:08 AM

    Thanks, Stephen !!

     

    I tried to import a trusted certificate using GMU with restman and it threw an error. Just for testing, I used both POST and PUT.

     

    ****************************POST METHOD*******************************

    2017-08-17T02:33:17.057-0700 INFO 213 com.l7tech.server.message: Processing request for service: Gateway REST Management Service [/restman/*]
    2017-08-17T02:33:17.058-0700 INFO 213 com.l7tech.server.policy.assertion.ServerSslAssertion: 4113: No Client Certificate was present in the request.
    2017-08-17T02:33:17.059-0700 INFO 213 com.l7tech.server.policy.assertion.credential.http.ServerHttpBasic: 4104: Found user: admin
    2017-08-17T02:33:17.059-0700 WARNING 213 com.l7tech.external.assertions.gatewaymanagement.server.ServerRESTGatewayManagementAssertion: 9050: Error processing management request: Exception encountered processing a rest message: javax.ws.rs.ProcessingException: Resource Java method invocation error. Caused by: argument type mismatch
    2017-08-17T02:33:17.060-0700 WARNING 213 com.l7tech.server.MessageProcessor: 3016: Request routing failed with status 601 (Error in Assertion Processing)
    2017-08-17T02:33:17.060-0700 WARNING 213 com.l7tech.server.message: Message was not processed: Error in Assertion Processing (601)

     

    **********************PUT METHOD*****************************

    2017-08-17T04:07:10.031-0700 WARNING 1361 com.l7tech.external.assertions.gatewaymanagement.server.rest.exceptions.ExceptionMapper: Resource access error processing management request: HTTP 405 Method Not Allowed
    2017-08-17T04:07:10.031-0700 INFO 1361 com.l7tech.external.assertions.gatewaymanagement.server.rest.exceptions.ExceptionMapper: Error processing management request:HTTP 405 Method Not Allowed
    2017-08-17T04:07:10.044-0700 INFO 1361 com.l7tech.server.message: Processing request for service: Gateway REST Management Service [/restman/*]
    2017-08-17T04:07:10.045-0700 INFO 1361 com.l7tech.server.policy.assertion.ServerSslAssertion: 4113: No Client Certificate was present in the request.
    2017-08-17T04:07:10.045-0700 INFO 1361 com.l7tech.server.policy.assertion.credential.http.ServerHttpBasic: 4104: Found user: admin
    2017-08-17T04:07:10.045-0700 WARNING 1361 com.l7tech.external.assertions.gatewaymanagement.server.ServerRESTGatewayManagementAssertion: 9050: Error processing management request: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <l7:Error xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">
    <l7:Type>NotAllowed</l7:Type>
    <l7:TimeStamp>2017-08-17T04:07:10.031-07:00</l7:TimeStamp>
    <l7:Link rel="self" uri="https://staging-portal-gateway-ssl.zetaoptdemo.com:8443/restman/1.0/trustedCertificates/"/>
    <l7:Detail>HTTP 405 Method Not Allowed</l7:Detail>
    </l7:Error>

    2017-08-17T04:07:10.046-0700 WARNING 1361 com.l7tech.server.message: Message processed with HTTP error code

    *****************************************************************************

     

     

    Thanks,

    Ankush



  • 4.  Re: GMU - Features

    Broadcom Employee
    Posted Aug 17, 2017 12:21 PM

    Ankush,

     

    Please provide the commands that you ran to test this as the content-type, HTTP method, and other URL options are important to make this work.

     

    Here are some examples using Restman:

    Create a new trusted certificate:

    HTTP Method: Post

    URI: /restman/1.0/trustedCertificates

    Header: Content-type=application/xml

    Payload sample: Attached post_create_certificate.xml file

     

    Update a trusted certificate:

    HTTP Method: Put

    URI: /restman/1.0/trustedCertificates/{id} (Sample aligned to the attached file: 69e22f4c815a7c4aa5910ecfbbdc4dd9)

    Header: Content-type=application/xml

    Payload sample: Attached put_update_certificate.xml file

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support




  • 5.  Re: GMU - Features

    Posted Aug 21, 2017 12:12 PM

    Hi Stephen,

     

    Thanks!! Trusted certificate import worked for me. I went on to try private key import using GMU with the restman option and am getting the error below:

     

    **********************************************

    Command :-- ./GatewayMigrationUtility.sh restman --username admin --plaintextPassword '*****' -h staging-portal-gateway-ssl.zetaoptdemo.com --method POST --path 1.0/privateKeys/00000000000000000000000000000002:utcapiexplorersw.zetaoptdemo.com --request /home/ec2-user/utcapiexplorersw_1.xml --trustCertificate

    Another format of path :-- "--path 1.0/privateKeys/00000000000000000000000000000002"

    *********************************************

    XML file structure :-- uploaded sample file.

    *********************************************

    GMU Error :--

    Warning: TLS server certificate check has been disabled
    Running.........
    Status: 500 Internal Server Error
    Server: Apache-Coyote/1.1
    Connection: close
    L7-Policy-URL: https://staging-portal-gateway-ssl.zetaoptdemo.com:8443/ssg/policy/disco?serviceoid=917023fe1fab66eef15ead9d3b8185d0
    Content-Length: 683
    Date: Mon, 21 Aug 2017 13:24:26 GMT
    Content-Type: text/xml;charset=utf-8
    <?xml version="1.0" encoding="UTF-8"?>
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
        <soapenv:Body>
            <soapenv:Fault>
                <faultcode>soapenv:Server</faultcode>
                <faultstring>Policy Falsified</faultstring>
                <faultactor>https://staging-portal-gateway-ssl.zetaoptdemo.com:8443/restman/1.0/privateKeys/00000000000000000000000000000002:utcapiexplorersw.zetaoptdemo.com</faultactor>
                <detail>
                    <l7:policyResult status="Error in Assertion Processing" xmlns:l7="http://www.layer7tech.com/ws/policy/fault"/>
                </detail>
            </soapenv:Fault>
        </soapenv:Body>
    </soapenv:Envelope>

     

    **********************************************

    <l7:PrivateKey alias="utcapiexplorersw.zetaoptdemo.com" xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">
    <l7:CertificateChain>
    <l7:CertificateData>
    <l7:IssuerName>CN=********************</l7:IssuerName>
    <l7:SerialNumber>*****************</l7:SerialNumber>
    <l7:SubjectName>CN=utcapiexplorersw.zetaoptdemo.com</l7:SubjectName>
    <l7:Encoded>*****************************</l7:Encoded>
    </l7:CertificateData>
    </l7:CertificateChain>
    <l7:Properties>
    <l7:Property key="keyAlgorithm">
    <l7:StringValue>RSA</l7:StringValue>
    </l7:Property>
    </l7:Properties>
    </l7:PrivateKey>

     

     

    **********************************************

     

     

    Thanks,

    Ankush



  • 7.  Re: GMU - Features

    Posted Aug 22, 2017 03:23 PM

    Thanks, Stephen !!

     

    I figured out where I was lagging. Steps are working for me now.

     

    -Ankush



  • 8.  Re: GMU - Features

    Posted Dec 12, 2018 04:10 AM

    Hi Stephen,

    Where can I migrate a trusted certificate with GMU?

    The options of the migrateOut command do not provide a way to export the trusted certificate. Am I missing something?

     

    I have tried this:

    #export

    wget --no-proxy --http-user=user --http-passwd=pass https://soucegw/restman/1.0/trustedCertificate

     

    #import

    GatewayMigrationUtility.bat restman -h destgw.fqdn -u user -plaintextPassword pass --trustHostname --trustCertificate --method POST --path /restman/1.0/trustedCertificates --request trustedCertificates

     

    But I receive this error:

     

    Running...
    Status: 500 Internal Server Error
    Server: Apache-Coyote/1.1
    Connection: close
    L7-Policy-URL: https://destgw:8443/ssg/policy/disco?serviceoid=10b7396740b7a6f958eb47529d289756
    Content-Length: 617
    Date: Wed, 12 Dec 2018 09:06:19 GMT
    Content-Type: text/xml;charset=utf-8
    <?xml version="1.0" encoding="UTF-8"?>
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
        <soapenv:Body>
            <soapenv:Fault>
                <faultcode>soapenv:Server</faultcode>
                <faultstring>Policy Falsified</faultstring>
                <faultactor>https://destgw:8443/restman/1.0/trustedCertificates/</faultactor>
                <detail>
                    <l7:policyResult status="Error in Assertion Processing" xmlns:l7="http://www.layer7tech.com/ws/policy/fault"/>
                </detail>
            </soapenv:Fault>
        </soapenv:Body>
    </soapenv:Envelope>

     

    Thanks in advance



  • 9.  Re: GMU - Features

    Broadcom Employee
    Posted Dec 12, 2018 01:26 PM

    When you get the response back you need to remove some of the elements and add in the namespace identification. Another example of the restman usage for certificates: Need to create certs via RESTMAN API 

     

    Sincerely,

     

    Stephen Hughes

    Broadcom Support
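
The step described in the last reply (drop the wrapper elements from the GET response, keep the certificate element, and declare the `l7` namespace on it) can be scripted. The following is an added example, not code from the thread or from the product: the `l7:List`/`l7:Item`/`l7:Resource` wrapper layout of the sample response, the function name `extract_trusted_certs`, and stripping `id`/`version` before a create are assumptions. It also returns a SHA-256 fingerprint of each certificate so it can be reviewed before being imported as trusted.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

L7_NS = "http://ns.l7tech.com/2010/04/gateway-management"  # namespace shown in the thread
ET.register_namespace("l7", L7_NS)

# Constructed sample of a list response: the wrapper layout and every value are
# assumptions for illustration, not output captured from a gateway.
SAMPLE_RESPONSE = f"""<l7:List xmlns:l7="{L7_NS}">
  <l7:Name>TRUSTED_CERT List</l7:Name>
  <l7:Type>List</l7:Type>
  <l7:Item>
    <l7:Id>PLACEHOLDER_ID</l7:Id>
    <l7:Resource>
      <l7:TrustedCertificate id="PLACEHOLDER_ID" version="0">
        <l7:Name>example-ca</l7:Name>
        <l7:CertificateData>
          <l7:SubjectName>CN=example-ca</l7:SubjectName>
          <l7:Encoded>Y29uc3RydWN0ZWQgYnl0ZXM=</l7:Encoded>
        </l7:CertificateData>
      </l7:TrustedCertificate>
    </l7:Resource>
  </l7:Item>
</l7:List>"""


def extract_trusted_certs(response_xml, keep_id=False):
    """Return [(name, sha256_hex, payload_xml)], one tuple per certificate found."""
    results = []
    for cert in ET.fromstring(response_xml).iter(f"{{{L7_NS}}}TrustedCertificate"):
        if not keep_id:
            # Assumption: for a create (POST) the target gateway assigns id/version.
            cert.attrib.pop("id", None)
            cert.attrib.pop("version", None)
        name = cert.findtext(f"{{{L7_NS}}}Name", default="")
        encoded = cert.findtext(f".//{{{L7_NS}}}Encoded", default="")
        # validate=True raises on masked or garbled data instead of importing it.
        der = base64.b64decode("".join(encoded.split()), validate=True)
        fingerprint = hashlib.sha256(der).hexdigest()
        # Serialising the element on its own re-declares xmlns:l7 on the new root.
        payload = ET.tostring(cert, encoding="unicode").strip()
        results.append((name, fingerprint, payload))
    return results


if __name__ == "__main__":
    for name, fp, payload in extract_trusted_certs(SAMPLE_RESPONSE):
        print(f"{name}  sha256={fp}\n{payload}\n")
```

Each returned payload can be written to its own file and passed to the restman call through `--request`; compare the printed fingerprint with the source gateway's certificate before importing.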