Layer7 API Management

  • Private Community

  • 1.  CRL validation in CA API gateway for inbound traffic

    Posted Jan 21, 2018 11:49 AM

    Dear Techies ,

     

    Could  you please let  me know what is the best way to validate CRL (certificate revocation list ) in CA API gateway for all incoming request . As i know under manage certificate there is option in each certificate property as revocation checking default are disabled after selecting default it should validate and through error in case if any client trying to access with revoked certificate .

     

    Thanks in advance .

     

     

    Thanks!
    Prashant Srivastava



  • 2.  Re: CRL validation in CA API gateway for inbound traffic
    Best Answer

    Broadcom Employee
    Posted Jan 22, 2018 02:52 PM

    Hi,

    You can do crl checking on incoming requests but typically that means you have the users defined and the certificates defined in the gateway. 

     

    Here is a sample use case, IIP=Internal Identity provider but you can use ldap etc..

      1. P > Create User > Name: test_crl_ssl > import client cert  -> test1ssl.pem
      2. IIP > Create User > Name: test_crl_ssl2 > import client cert -> test2ssl2.pem
      3. IIP > Properties > Certificate Validation > Use Default
    2. Define policy
    WSS Sign SOAP Request Sign request element /soapenv:Envelope/soapenv:Body At least one   User: test1ssl [IIP] (import client cert test1ssl.pem)   User: test2ssl2 [IIP] (import client cert test2ssl2.pem)

    I assume if you want to check all users you dont want to do it this way but are all users going to authenticate and use certificate based authentication? 

     

    Can you define more of your use case. What traffic is coming in will you be using an ldap will you be authenticating the user? etc...



  • 3.  Re: CRL validation in CA API gateway for inbound traffic

    Posted Jan 23, 2018 02:00 AM

    Thank you for your reply CHARLES LILIENKAMP!!

     

    Yes . I want to check CRL for all user who are trying to access . Also in my environment we are using secure card (included certificate).

    I have already imported certificate under manage certificate that is associated with secure card and configured property (signing client cert and trust as enabled ) but here problem is its failing for valid cert as well .

     

    Error message :

     

    2018-01-23T07:35:49.644+0100 INFO 772 com.l7tech.server.policy.assertion.ServerSslAssertion: 4114: Found client

    certificate for CN=******S***** CA 1, OU=** 017, OU=CA, O=***, C=XX

    2018-01-23T07:35:49.644+0100 WARNING 772 com.l7tech.server.identity.fed.FederatedIdentityProviderImpl: 2034: Unable

    to build path for Certificate CN=Prashant SrivastavaOU=people, OU=CA, O=***, C=XX: unable to find val

    id certification path to requested target; related error(s) [Revocation check failed for certificate 'CN=Prashant S

    rivastava (XX), OU=people, OU=XX, O=XX, C=XX.]

     

    Thanks!
    Prashant Srivastava