Layer7 API Management


Is it possible to use a private key which is not a default SSL key for the Outbound https/mutual auth connection from Gateway to the endpoint application and also for Digital Signature while implementing ws-security?

  • 1.  Is it possible to use a private key which is not a default SSL key for the Outbound https/mutual auth connection from Gateway to the endpoint application and also for Digital Signature while implementing ws-security?

    Posted Mar 28, 2018 02:05 AM

    Hi,

    I have created an HTTP route to the wsec recipient/endpoint, which is expecting a digital signature. The interface being used for the outbound connection from CA API Gateway to the endpoint is not using the default SSL private key for encryption.

    Because of an internal requirement, this interface needs to use another certificate, and the private key for this certificate is not the "default SSL key".

    Is there any way to select a non-default SSL key/private key for the outbound digital signature to the wsec recipient?



  • 2.  Re: Is it possible to use a private key which is not a default SSL key for the Outbound https/mutual auth connection from Gateway to the endpoint application and also for Digital Signature while implementing ws-security?

    Broadcom Employee
    Posted Mar 28, 2018 05:59 PM

    Dear Rudra_Singh,

    I'm not sure if I understand your question properly.

    For the outbound SSL connection, you right-click on the Route via HTTPS assertion and choose "Select Private Key".

    For the inbound SSL connection, you can select the private key in the listen port properties window -> SSL/TLS Settings tab -> "Server private key".

    Regards,

    Mark



  • 3.  Re: Is it possible to use a private key which is not a default SSL key for the Outbound https/mutual auth connection from Gateway to the endpoint application and also for Digital Signature while implementing ws-security?

    Posted Apr 12, 2018 08:21 PM

    Hi Mark,

    I have created a policy with assertions to sign an element, followed by "Request: Add WS-Addressing" and "Apply WS-Security 1.1".

    When I use "right-click on the Route via HTTPS assertion, and Select Private Key -> Use custom private key", it did not work from an application testing perspective.

    The endpoint system is returning "The request could not be accepted because it failed to be authenticated".

    When I make the new/custom private key the default SSL key and restart the gateway, it works end to end, with the route using the default private key (which is actually the new/custom private key with "Make default SSL key" selected).

    How can I make a custom private key sign the element/request without making it the default SSL key?



  • 4.  Re: Is it possible to use a private key which is not a default SSL key for the Outbound https/mutual auth connection from Gateway to the endpoint application and also for Digital Signature while implementing ws-security?

    Broadcom Employee
    Posted Apr 27, 2018 03:11 AM

    Sorry, I may have misunderstood your problem at the beginning. Selecting a private key on the Route via HTTPS assertion is for client certificate authentication, but your question might be more related to the custom WSS recipient.

    Hope the document below can help:

    Change the WSS Assertion Recipient - CA API Gateway - 9.3 - CA Technologies Documentation



  • 5.  Re: Is it possible to use a private key which is not a default SSL key for the Outbound https/mutual auth connection from Gateway to the endpoint application and also for Digital Signature while implementing ws-security?

    Posted May 01, 2018 09:35 PM

    Mark_HE,

    I already went through the documentation for "WSS Assertion Recipient - CA API Gateway - 9.3 - CA Technologies Documentation", but I was not able to find the private key related details.

    The backend client supports the SHA-256 signature algorithm, and in order to meet their requirement we created a new certificate with SHA-256 as the algorithm.

    The previous default SSL cert was SHA-384, which was not meeting the requirement of the backend application.

    Once the new certificate (SHA-256 supported) was created, it was made the default SSL key and the API Gateway was restarted to make the interface work. I also shared the newly created SHA-256 public cert with the backend application.

    The policy includes assertions to sign an element, followed by "Request: Add WS-Addressing" and "Apply WS-Security 1.1".

    For the inbound request we can select the private key at port level, and there is no need to change the default SSL key.

    Is it possible to use the Sign Element assertion with the SHA-256 digest algorithm without making the newly created (SHA-256 supported) key the default SSL key? As suggested earlier, I tried right-clicking on the Route via HTTPS assertion and "Select Private Key -> Use custom private key (the SHA-256 one)", but it is not working.

    It works only when I make the private key (with the SHA-256 signature algorithm) the default SSL key and restart the gateway.



  • 6.  Re: Is it possible to use a private key which is not a default SSL key for the Outbound https/mutual auth connection from Gateway to the endpoint application and also for Digital Signature while implementing ws-security?

    Broadcom Employee
    Posted Dec 17, 2018 01:13 PM

    Good morning,

    Most assertions in the policy language allow for individual private key usage outside of setting the default SSL key. Below you see an example: right-click on the Sign Element assertion and choose "Select Private Key".

    Sincerely,

    Stephen Hughes

    Broadcom Support
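The point made across replies 4 and 6 is that the key chosen on the Route via HTTPS assertion only drives TLS client authentication, while the key that signs the WS-Security header is whatever the Sign Element assertion is configured to use. The quickest way to confirm which key actually signed an outbound request (for example after capturing it with the gateway's audit or a proxy) is to read the signed envelope itself: the ds:SignatureMethod and ds:DigestMethod show the algorithms, and the BinarySecurityToken referenced from ds:KeyInfo carries the signing certificate, whose fingerprint can be compared with the certificate shared with the backend. The script below is an added example written for this thread, not code from the original posts or from CA/Broadcom; it uses only the Python standard library, and the certificate bytes, message IDs and the `getStatus` body are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_SHA384 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
SHA384 = "http://www.w3.org/2001/04/xmldsig-more#sha384"

# Constructed stand-ins for the DER bytes of two certificates (hypothetical; a real
# BinarySecurityToken carries the base64 DER of the actual X.509 certificate).
CUSTOM_CERT_DER = b"constructed-der-of-the-SHA-256-cert-shared-with-the-backend"
DEFAULT_CERT_DER = b"constructed-der-of-the-gateway-default-ssl-cert"


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lower-case hex."""
    return hashlib.sha256(der).hexdigest()


def build_sample_envelope(cert_der: bytes, signature_method: str, digest_method: str) -> str:
    """Constructed WS-Security 1.1 request in the shape a gateway emits: a
    BinarySecurityToken plus a ds:Signature over the Body, linked by wsu:Id.
    DigestValue and SignatureValue are placeholders, not real signature bytes."""
    bst = base64.b64encode(cert_der).decode()
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsu="{NS['wsu']}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{NS['wsse']}" soap:mustUnderstand="1">
      <wsse:BinarySecurityToken wsu:Id="X509Token" ValueType="{X509V3}"
          EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">{bst}</wsse:BinarySecurityToken>
      <ds:Signature xmlns:ds="{NS['ds']}">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="{signature_method}"/>
          <ds:Reference URI="#Body">
            <ds:DigestMethod Algorithm="{digest_method}"/>
            <ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>cGxhY2Vob2xkZXItc2lnbmF0dXJl</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#X509Token" ValueType="{X509V3}"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="Body"><getStatus/></soap:Body>
</soap:Envelope>"""


def inspect_signature(envelope_xml: str) -> dict:
    """Report which certificate and which algorithms signed the message."""
    root = ET.fromstring(envelope_xml)
    security = root.find("soap:Header/wsse:Security", NS)
    sig = security.find("ds:Signature", NS) if security is not None else None
    if sig is None:
        raise ValueError("no ds:Signature inside the wsse:Security header")
    signature_method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS).get("Algorithm")
    digest_methods = {
        ref.get("URI"): ref.find("ds:DigestMethod", NS).get("Algorithm")
        for ref in sig.findall("ds:SignedInfo/ds:Reference", NS)
    }
    # Resolve the signing cert: KeyInfo -> SecurityTokenReference -> #id of a BinarySecurityToken.
    fingerprint = None
    str_ref = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    if str_ref is not None and str_ref.get("URI", "").startswith("#"):
        wanted = str_ref.get("URI")[1:]
        for bst in security.findall("wsse:BinarySecurityToken", NS):
            if bst.get("{%s}Id" % NS["wsu"]) == wanted and bst.get("ValueType") == X509V3:
                der = base64.b64decode("".join((bst.text or "").split()))
                fingerprint = cert_fingerprint(der)
    return {"signature_method": signature_method, "digest_methods": digest_methods,
            "signing_cert_sha256": fingerprint}


def check_signing_key(envelope_xml: str, expected_cert_sha256: str,
                      expected_signature_method: str = RSA_SHA256,
                      expected_digest: str = SHA256) -> list:
    """Return the mismatches against what the backend expects (empty list when all is well)."""
    info = inspect_signature(envelope_xml)
    problems = []
    if info["signing_cert_sha256"] is None:
        problems.append("signing certificate is not carried as a referenced BinarySecurityToken")
    elif info["signing_cert_sha256"] != expected_cert_sha256.lower():
        problems.append("signed with a key other than the cert shared with the backend: "
                        + info["signing_cert_sha256"])
    if info["signature_method"] != expected_signature_method:
        problems.append("SignatureMethod is %s, expected %s"
                        % (info["signature_method"], expected_signature_method))
    for uri, alg in info["digest_methods"].items():
        if alg != expected_digest:
            problems.append("DigestMethod for %s is %s, expected %s" % (uri, alg, expected_digest))
    return problems


if __name__ == "__main__":
    expected = cert_fingerprint(CUSTOM_CERT_DER)
    with_custom_key = build_sample_envelope(CUSTOM_CERT_DER, RSA_SHA256, SHA256)
    still_default_key = build_sample_envelope(DEFAULT_CERT_DER, RSA_SHA384, SHA384)
    print("custom key :", check_signing_key(with_custom_key, expected) or "OK")
    print("default key:", check_signing_key(still_default_key, expected))
```

Run it against a captured outbound request instead of `build_sample_envelope(...)`, with `expected_cert_sha256` computed from the DER of the certificate you handed to the backend (for example `openssl x509 -in cert.pem -outform DER | sha256sum`). If the fingerprint reported is that of the gateway's default SSL certificate, or the algorithms are still SHA-384, the Sign Element assertion is still using the default key, whatever was selected on the Route via HTTPS assertion.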