Layer7 API Management

  • 1.  Graphman key import

    Posted 12 days ago
    Edited by Michael Mueller 12 days ago

    Dear Team,

    today we tried for the first time to import a key into a target gateway using graphman.

    The procedure looked like this:

    1. graphman.sh export --using keyByAlias --variables.alias "key-alias" --out key.json
    2. graphman.sh explode --explodeKeys ...
    3. graphman.sh implode ...
    4. graphman.sh import --input key.json

    We got the following response:

    ...
    "setKeys": {
      "keys": [ null ],
      "detailedStatus": [
        {
          "status": "ERROR",
          "description": "Error creating or updating SSG_KEY_ENTRY entity, Failed to build a key from the input (p12)"
        }
      ]
    }
    ...

    and the following messages in the ssg logs:

    2024-04-18T09:44:02.804+0100 INFO    1797 com.l7tech.external.assertions.gatewaygraphql.server.resolver.mutation.BasicGraphQLMutationResolver: Error creating or updating SSG_KEY_ENTRY entity, Failed to build a key from the input (p12)
    2024-04-18T09:44:02.805+0100 WARNING 1797 com.l7tech.external.assertions.gatewaygraphql.server.ServerGatewayGraphQLAssertion: Rolling back the operation-level transaction

    Any idea what we might be doing wrong?

    source gateway: V11.0

    target gateway: V11.0 CR02

    graphman-client: V1.1.0

    schema for export: V10.1-CR03

    Thanks for hints and help.

    Regards

    ...Michael



  • 2.  RE: Graphman key import

    Posted 12 days ago

    I think the problem is the explode/implode steps using the --explodeKeys option.

    Obviously the generated p12 file is not correctly decoded.

    Likewise, the implode does not correctly encode the p12 file.

    Regards

    ...Michael




  • 3.  RE: Graphman key import

    Posted 11 days ago

    Support case 33714916 created




  • 4.  RE: Graphman key import

    Broadcom Employee
    Posted 11 days ago

    @Michael Mueller,

    That's correct, it might have gone wrong while exploding/imploding keys and their cert chains to/from files. We've pushed a few fixes to the release/v1.1.00 release branch.

    Could you please verify with it once?

    Thanks, Raju




  • 5.  RE: Graphman key import

    Posted 8 days ago

    Hi Raju,

    You are right. I need to refine my concern / observation.

    I confirm, that with the current available versions (v1.1.00 and main branch) I can export, explode and implode and finally import a key from a source to a target gateway.

    My original observation was related to a non-matching JSON bundle before the explode and after the implode, due to some customer-specific customization of the graphman-client code.

    Anyway, I still see an issue with the OOTB versions.
    The exploded version of the p12 keystore file, when exploding with the "--explodeKeys" option, is not readable by openssl.

    Hence, I wouldn't be able to provide new keystores created out of the gateways to a different target.

    To reproduce my observation, export a key and explode it with --explodeKeys.

    Then try to read the p12 file with

    openssl pkcs12 -in <the p12 file> -nodes -passin pass:<your passphrase when exporting>

    Please confirm my expectation that this should work. (At least it works if I create the p12 file from the base64-encoded keys[0].p12 property in key.json, decoding it and writing it to a file with Unix tools.)

    Regards

    ...Michael





  • 6.  RE: Graphman key import

    Broadcom Employee
    Posted 6 days ago

    You are correct. OpenSSL fails to read the exploded key. There's a known limitation of the JavaScript btoa/atob functions. We need to find an alternative to them to fix this gap.

    Otherwise, export-explode-implode-import works within graphman-client.
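
    The following is an added illustration of the limitation described in this reply and the openssl symptom from the previous post; it is not graphman-client code and does not reproduce its implementation. atob() turns a base64 string into a "binary string" (one UTF-16 code unit per byte), so writing that string to disk with the default text encoding re-encodes every byte >= 0x80 as a multi-byte UTF-8 sequence, and the resulting file is no longer valid DER/PKCS#12. Reading such a file back as text and passing it to btoa() fails in the same way. The SAMPLE_P12 byte string below is constructed for the example (a DER-like prefix plus some high bytes), not a real keystore; the function names are this example's own.

    ```javascript
    // Added example (not graphman-client code): how atob()/btoa() plus default
    // text encoding corrupts a binary PKCS#12 blob, and a Buffer-based alternative.
    const fs = require("fs");
    const os = require("os");
    const path = require("path");

    // Constructed stand-in for the base64 keys[0].p12 property of an exported
    // key bundle. A real PKCS#12 file is DER (0x30 0x82 ...) and contains many
    // bytes >= 0x80, which is exactly what a text round-trip mangles.
    const SAMPLE_P12 = Buffer.from([
      0x30, 0x82, 0x0a, 0x0f, 0x02, 0x01, 0x03, 0x30, 0x82, 0x09, 0xd5, 0x06, 0x09,
      0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x82, 0x09, 0xc6,
      0x04, 0x82, 0x09, 0xc2, 0xff, 0xfe, 0x80, 0x00, 0x7f,
    ]);
    const SAMPLE_B64 = SAMPLE_P12.toString("base64");

    // Broken explode: atob() gives a binary string, and fs.writeFileSync(file, str)
    // would encode it as UTF-8. Modelled here by encoding the string as UTF-8.
    function explodeWithAtob(b64) {
      return Buffer.from(atob(b64), "utf8");
    }

    // Broken implode: reading the file as text (UTF-8) replaces invalid byte
    // sequences with U+FFFD, and btoa() rejects characters outside Latin-1.
    // Returns null when btoa() throws, otherwise the (wrong) base64 string.
    function implodeWithBtoa(bytes) {
      try {
        return btoa(Buffer.from(bytes).toString("utf8"));
      } catch (e) {
        return null;
      }
    }

    // Correct explode: decode base64 straight into bytes and write the bytes.
    function explodeToFile(b64, filePath) {
      const bytes = Buffer.from(b64, "base64");
      fs.writeFileSync(filePath, bytes); // Buffer, so no text encoding is applied
      return bytes;
    }

    // Correct implode: read the file without an encoding (Buffer) and re-encode.
    function implodeFromFile(filePath) {
      return fs.readFileSync(filePath).toString("base64");
    }

    // Full explode -> implode round-trip through a temp file; true when the
    // re-encoded value equals the original keys[0].p12 property.
    function roundTripOk(b64) {
      const dir = fs.mkdtempSync(path.join(os.tmpdir(), "p12-"));
      const file = path.join(dir, "key.p12");
      try {
        explodeToFile(b64, file);
        return implodeFromFile(file) === b64;
      } finally {
        fs.rmSync(dir, { recursive: true, force: true });
      }
    }

    if (require.main === module) {
      console.log("atob path preserves bytes:", explodeWithAtob(SAMPLE_B64).equals(SAMPLE_P12));
      console.log("btoa path reproduces base64:", implodeWithBtoa(SAMPLE_P12) === SAMPLE_B64);
      console.log("Buffer round-trip ok:", roundTripOk(SAMPLE_B64));
    }
    ```

    After writing a real exploded key with explodeToFile, the openssl check from the previous post (openssl pkcs12 -in key.p12 -nodes -passin pass:...) is the confirmation that the bytes on disk are the DER the gateway exported; a file produced via the atob path will fail that check because its high bytes have been expanded into UTF-8 sequences.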




  • 7.  RE: Graphman key import

    Posted 6 days ago

    Yep. Thanks, I stumbled upon atob and btoa as well, but also on the file encoding when writing and reading.

    I'll post a PR on the graphman-client repo, with something that is working for me.

    Take a look if this suits your needs as well.

    Regards

    ...Michael