Layer7 API Management

  • 1.  Creating Proxy for WebService which needs SSL Client certificate

    Posted Jan 26, 2016 05:37 PM

    Hi !

    I am new to CA API Gateway. I am trying to create a proxy for a WebService which needs a client certificate. I have configured the service on the gateway and am trying to call that proxy from SoapUI, where I have configured the SSL certificate. I am getting the error below:

    <l7:policyResult status="Service Not Found.  The request may have been sent to an invalid URL, or intended for an unsupported operation." xmlns:l7="http://www.layer7tech.com/ws/policy/fault"/>

    Please advise what needs to happen to configure a WebService which needs a SSL certificate client to execute. Thank You.

     

    On Gateway:

    I have only two assertions :

    1. Set as Portal Managed Service
    2. Route Via HTTPS to <WebService endpoint https:/xxxxx>
      1. Configured Proxy  on Routing Properties.

     

    On Soap UI:

    I have configured SSL Settings--> Key  Store and KeyStore Password

     

    Complete Response I am getting :

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
       <soapenv:Body>
          <soapenv:Fault>
             <faultcode>soapenv:Server</faultcode>
             <faultstring>Policy Falsified</faultstring>
             <faultactor>http://***.***.local:xx/xxxx</faultactor>
             <detail>
                <l7:policyResult status="Error in Assertion Processing" xmlns:l7="http://www.layer7tech.com/ws/policy/fault"/>
             </detail>
          </soapenv:Fault>
       </soapenv:Body>
    </soapenv:Envelope>



  • 2.  Re: Creating Proxy for WebService which needs SSL Client certificate

    Posted Jan 27, 2016 02:33 AM

    Hi,

    Have you "stored" the SSL certificate in the gateway? I'm talking about the second assertion: you're routing to an https URL, and the gateway needs to be able to verify the certificate. In the Policy Manager, select Tasks -> Manage Certificates.



  • 3.  Re: Creating Proxy for WebService which needs SSL Client certificate

    Posted Jan 27, 2016 06:42 PM

    Hi,

    Yes, I stored the SSL certificate (client certificate) on the gateway in Manage Certificates. I was following a video I found on this community.

     

    https://communities.ca.com/docs/DOC-231159303

     

    One step mentioned in the video that I could not do was to add cluster-wide properties for "useDefaultTrustAnchers". I do not see this variable in my Gateway (CA API Gateway 9.0.00 build 5276). Please advise what other steps I need to do. Please guide me to a reference resource I should read to configure outbound SSL in the Gateway.

     

    com.l7tech.buildstring: CA API Gateway 9.0.00 build 5276

     



  • 4.  Re: Creating Proxy for WebService which needs SSL Client certificate
    Best Answer

    Broadcom Employee
    Posted Jan 27, 2016 07:05 PM

    Please try:

     

    A majority of certificates issued to publicly facing web sites and services have certificates that are issued by well-known public certificate authorities. This list includes but is not limited to: Symantec, Comodo, GoDaddy, and Global Sign. Most contemporary web browsers trust a selection of public certificate authorities as well as the intermediary certificate authorities that they have acquired. The CA API Gateway does not implicitly trust these certificates without administrative intervention. This article will prescribe the steps necessary to institute this trust. Please note that this capability is non-functional and not available until version 7.0.0 of the CA API Gateway.

    Implementation

    1. Log in to the CA API Policy Manager as an administrative user.
    2. Select Manage Cluster-Wide Properties from the Tasks menu.
    3. Add a new property
    4. Specify the property key as pkix.useDefaultTrustAnchors
    5. Set the property value as true
    6. Save the changes and exit.

    Subsequent requests to systems, servers, or services using certificates signed by the broad spectrum of public CAs will now be trusted. Please note that this trust relationship can be exploited by malicious users leveraging leaked CA signing keys. While the possibility of this being exploited is low--it is discussed in-depth in an online discussion found here. Use caution when enabling this capability in a trusted zone.



  • 5.  Re: Creating Proxy for WebService which needs SSL Client certificate

    Posted Jan 28, 2016 05:40 PM

    I was able to make it work with the steps mentioned above. The missing part was to set Custom PrivateKey on SSL routing. Thanks.
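
Added example, not part of the thread and not CA or Broadcom code: the two conditions the thread ends on, checked offline with the OpenSSL CLI. It shows that a server certificate is accepted only when it chains to a trust anchor the caller holds (answer 4), and that the private key used for client authentication must belong to the client certificate (post 5). All certificates and the names backend-ca, other-ca, backend and gateway-client are constructed for the example.

```shell
#!/bin/sh
# Added example: every certificate below is constructed on the spot with the
# OpenSSL CLI; names such as backend-ca and gateway-client are hypothetical.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mk_ca NAME: self-signed CA certificate, i.e. a trust anchor.
mk_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# mk_leaf NAME CA: key pair and certificate for NAME, issued by CA.
mk_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$1.csr" -days 1 -CA "$WORK/$2.pem" \
    -CAkey "$WORK/$2.key" -CAcreateserial -out "$WORK/$1.pem" 2>/dev/null
}

# chain_trusted ANCHOR CERT: succeeds only if CERT chains to ANCHOR.
# The printed verdict is matched so the check does not depend on exit status.
chain_trusted() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" 2>/dev/null |
    grep -q ': OK$'
}

# key_matches CERT KEY: succeeds only if private key KEY belongs to CERT,
# comparing the certificate's public key with the one derived from the key.
key_matches() {
  [ "$(openssl x509 -in "$WORK/$1.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/$2.key" -pubout)" ]
}

mk_ca backend-ca        # issuer of the backend's server certificate
mk_ca other-ca          # an unrelated anchor
mk_leaf backend backend-ca
mk_leaf gateway-client backend-ca

for anchor in backend-ca other-ca; do
  if chain_trusted "$anchor" backend; then echo "backend trusted via $anchor"
  else echo "backend NOT trusted via $anchor"; fi
done
if key_matches gateway-client gateway-client; then echo "client key matches"; fi
if key_matches gateway-client backend; then :; else echo "wrong key rejected"; fi
```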