Layer7 API Management

  • 1.  Is CA Gateway able to parse a PKCS#10 request?

    Posted Nov 09, 2015 06:29 AM

    Hi,

     

    I'm working on a project and we want to know if it is possible for the Layer 7 Gateway to parse a PKCS#10 CSR. Is there any possibility? I've been searching the manuals but I have not been able to find anything yet.

     

    I had a glance at the "Creating CA API Gateway Custom Assertions" file and I read this:

     

    "Custom Assertions are modules that are added to a CA API Gateway to add functionality to be executed in a service policy. They typically implement proprietary business logic, as opposed to standard-compliant mechanisms supported by CA Technologies.

    This document describes how to create and install Custom Assertions on a CA API Gateway."

     

    Do you think it is possible to create a custom assertion which, when it gets a PKCS#10 request, extracts information from it and creates a SOAP message?

     

    Kind regards,

    Andrés-J. Cremades

     

    Message was edited by: Andres J. Cremades Cremades Monserrat NEW INFORMATION ADDED



  • 2.  Re: Is CA Gateway able to parse a PKCS#10 request?

    Broadcom Employee
    Posted Nov 09, 2015 10:37 AM

    Hi Andrés:

    Since this is the APM community, how does APM play into this?

     

    Thanks

    Ha German



  • 3.  Re: Is CA Gateway able to parse a PKCS#10 request?

    Posted Nov 09, 2015 10:40 AM

    Oh, s**t, wrong place. Sorry!



  • 4.  Re: Is CA Gateway able to parse a PKCS#10 request?

    Posted Nov 10, 2015 02:56 PM

    Yes, you should be able to build a custom assertion to do this using the Bouncy Castle crypto APIs: bouncycastle.org. The Gateway itself uses Bouncy Castle (~/Gateway/runtime/lib/bcprov-jdk16-1.46.jar in 8.x).

     

    See also:

    Extracting X509 Extensions from a CSR using the Bouncy Castle APIs » unitstep.net
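
An added example (not from this thread and not CA's code) of the parsing step such a custom assertion would perform, written against the older `org.bouncycastle.jce.PKCS10CertificationRequest` class found in the bcprov 1.46 jar mentioned above. The class name `CsrInspector`, the subject `CN=device-001,O=Example` and the generated key pair are constructed for illustration; the custom-assertion wiring and the SOAP message are not shown.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Security;

import org.bouncycastle.asn1.x509.X509Name;
import org.bouncycastle.jce.PKCS10CertificationRequest;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

// Hypothetical helper, assuming the bcprov 1.46 API (org.bouncycastle.jce).
public class CsrInspector {

    /** Returns {subject DN, public key algorithm} of a DER-encoded PKCS#10 request. */
    public static String[] inspect(byte[] der) throws Exception {
        if (Security.getProvider("BC") == null) {
            Security.addProvider(new BouncyCastleProvider()); // verify() defaults to "BC"
        }
        // Throws IllegalArgumentException if the bytes are not a well-formed request.
        PKCS10CertificationRequest csr = new PKCS10CertificationRequest(der);
        // Proof of possession: the request must be signed by the private key that
        // matches the public key it carries. Check this before reading any field.
        if (!csr.verify()) {
            throw new SecurityException("CSR self-signature does not verify");
        }
        PublicKey key = csr.getPublicKey();
        String subject = csr.getCertificationRequestInfo().getSubject().toString();
        // The subject is requester-controlled text: XML-escape it before it goes
        // into a SOAP body, and never use it unvalidated as an identity.
        return new String[] { subject, key.getAlgorithm() };
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        // Constructed sample input: a fresh key pair and a CSR signed with it.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        byte[] der = new PKCS10CertificationRequest("SHA256withRSA",
                new X509Name("CN=device-001,O=Example"),
                kp.getPublic(), null, kp.getPrivate()).getEncoded();
        String[] fields = inspect(der);
        System.out.println("subject=" + fields[0] + " keyAlg=" + fields[1]);
        der[der.length - 1] ^= 0x01; // corrupt the last signature byte
        try {
            inspect(der);
        } catch (Exception e) {
            System.out.println("tampered CSR rejected: " + e.getMessage());
        }
    }
}
```

For a PEM-encoded request, strip the `-----BEGIN/END CERTIFICATE REQUEST-----` lines and Base64-decode the body before calling `inspect`.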



  • 5.  Re: Is CA Gateway able to parse a PKCS#10 request?

    Posted Nov 11, 2015 04:12 AM

    Thanks MattVan, I will check it out. By the way, I'm posting another option/answer I received from another CA specialist as well:

     

    [...]

     

    Yes, we have an assertion within the MAG implementation that does this. We use it for generating private keys for mobile devices within iOS, Android and Cordova. The idea behind it is to:

     

    1. Register the device – that step is to send the MAG (gateway) the certificate from the msso_config file within our client-side SDK to the gateway.
    2. The gateway authenticates the client cert.
    3. The gateway then issues a private key and signs it. Then sends the pk back to the client SDK.
    4. The next step is for us to gain access to an id_token with an access token.
    5. Each time we make the call we’ll be sending the id_token to the gateway which has the exposed API.

     

    This can all be done in your solution, yes. [...]

     

    Kind regards,

    Andrés-J. Cremades