Is it possible to run OS commands in api gateway policy, assertion, or fragment?
I don't think it's supported.
And I don't think the gateway will intend to support it - as per my understanding, supporting OS command will lead to command injection vulnerability. Keep in mind that the gateway is a security product.
There is a tactical assertion called SSHCommand. Please raise a support case with CA support to get this assertion. As Mark said, this is a high risk vulnerability. The gateway will have no control on what commands are run.
Thanks for the reply.