Layer7 API Management

  • 1.  Read custom attribute from Certificate

    Posted Jul 29, 2019 10:31 AM
    Edited by NBK Aug 17, 2020 03:36 AM
    Dear Community, 

    I need support in accessing a field of an SSL certificate in the API Gateway.

    My current task is to log SSL certificate details to our logging infrastructure. The project is part of the PSD2 implementation, which is a regulatory demand of the EU, mainly for banks. So-called third party providers send requests through our API Gateway to banking services. They present a client certificate. Those certificates hold custom extensions with certain roles which we need to log.

    So far I encoded a base64-decoded certificate into a variable of type X.509 Certificate. I am able to access the issuer or subject by calling ${certificate.issuer} or ${certificate.subject}. Unfortunately I cannot find the correct property in the documentation (Certificate Attributes Context Variables, https://docops.ca.com/ca-api-gateway/9-2/en/reference/context-variables/certificate-attributes-context-variables).

    I am only able to dump the complete certificate:
    [
    [
    Version: V3
    ...
    Certificate Extensions: 1
    [1]: ObjectId: 1.3.6.1.5.5.7.1.3 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 6E 30 6C 06 06 04 00 81 98 27 02 30 62 30 39 .n0l......'.0b09
    0010: 30 11 06 07 04 00 81 98 27 01 03 0C 06 50 53 50 0.......'....PSP
    0020: 5F 41 49 30 11 06 07 04 00 81 98 27 01 02 0C 06 _AI0.......'....
    0030: 50 53 50 5F 50 49 30 11 06 07 04 00 81 98 27 01 PSP_PI0.......'.
    0040: 04 0C 06 50 53 50 5F 49 43 0C 19 54 72 75 73 74 ...PSP_IC..Trust
    0050: 20 53 65 72 76 69 63 65 20 50 72 6F 76 69 64 65 Service Provide
    0060: 72 20 41 47 0C 0A 44 45 2D 46 41 4B 45 4E 43 41 r AG..DE-FAKENCA
    ]
    Algorithm: [SHA256withRSA]
    Signature:
    ...
    ]

    How can I access the highlighted section via a context variable in order to log those custom roles?

    Kind regards
    Niklas

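Decoding the dumped extension, as an added example that is not part of the original post or of the Gateway product: the bytes Niklas dumped are a qcStatements extension (RFC 3739, OID 1.3.6.1.5.5.7.1.3) carrying the ETSI TS 119 495 PSD2 qcStatement (OID 0.4.0.19495.2), and the minimal stdlib-only DER walker below reads the PSP roles, NCA name and NCA id out of exactly that hex dump. The constant names, function names and the re-typed dump text are this example's own. One thing the bytes themselves show: the statementId OID sits directly inside the outer SEQUENCE, one level shallower than RFC 3739's SEQUENCE OF QCStatement, so the parser accepts both that shape and the standard one.

```python
"""Decode the PSD2 qcStatement (ETSI TS 119 495) from a qcStatements extension dump.

Added example, not Gateway code. The sample input is the extension hex dump from
the forum post, re-typed here; the DER walker is written for this page.
"""

OID_PSD2_QCSTATEMENT = "0.4.0.19495.2"      # etsi-psd2-qcStatement (ETSI TS 119 495)
PSP_ROLE_OIDS = {                           # RolesOfPSP OIDs defined by ETSI TS 119 495
    "0.4.0.19495.1.1": "PSP_AS",
    "0.4.0.19495.1.2": "PSP_PI",
    "0.4.0.19495.1.3": "PSP_AI",
    "0.4.0.19495.1.4": "PSP_IC",
}

# Constructed input: the extension dump from the original post, copied as printed.
GATEWAY_DUMP = """\
0000: 04 6E 30 6C 06 06 04 00 81 98 27 02 30 62 30 39 .n0l......'.0b09
0010: 30 11 06 07 04 00 81 98 27 01 03 0C 06 50 53 50 0.......'....PSP
0020: 5F 41 49 30 11 06 07 04 00 81 98 27 01 02 0C 06 _AI0.......'....
0030: 50 53 50 5F 50 49 30 11 06 07 04 00 81 98 27 01 PSP_PI0.......'.
0040: 04 0C 06 50 53 50 5F 49 43 0C 19 54 72 75 73 74 ...PSP_IC..Trust
0050: 20 53 65 72 76 69 63 65 20 50 72 6F 76 69 64 65 Service Provide
0060: 72 20 41 47 0C 0A 44 45 2D 46 41 4B 45 4E 43 41 r AG..DE-FAKENCA
"""


def hexdump_to_bytes(dump: str) -> bytes:
    """Recover raw bytes from an 'OFFSET: <16 hex pairs> <ASCII>' dump.

    Only the fixed-width hex column is read (assumes the dumper pads short
    lines): the ASCII column can itself look like hex ('0b09' on the first
    line), so matching pairs across the whole line would corrupt the result.
    """
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        hex_column = line.split(":", 1)[1][: 16 * 3]
        out += bytes.fromhex(hex_column)            # whitespace is ignored
    return bytes(out)


def der_read(buf: bytes, pos: int = 0):
    """Return (tag, value, end) for the definite-length DER TLV at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                               # long form: 0x8N + N length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:end], end


def der_children(value: bytes):
    """Yield (tag, value) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_read(value, pos)
        yield tag, inner


def decode_oid(value: bytes) -> str:
    """Dotted form of a DER OBJECT IDENTIFIER value (base-128 arcs)."""
    first = value[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    n = 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    if n:
        raise ValueError("OID ends inside a multi-byte arc")
    return ".".join(map(str, arcs))


def parse_psd2_qcstatement(ext_value: bytes) -> dict:
    """Extract rolesOfPSP, nCAName and nCAId from a qcStatements extension value."""
    tag, body, _ = der_read(ext_value)
    if tag == 0x04:                                 # still wrapped in the extension OCTET STRING
        tag, body, _ = der_read(body)
    if tag != 0x30:
        raise ValueError("qcStatements is not a SEQUENCE")
    children = list(der_children(body))
    # RFC 3739: SEQUENCE OF QCStatement, QCStatement ::= SEQUENCE { statementId, statementInfo }.
    # The post's dump puts statementId straight into the outer SEQUENCE (one level
    # shallower), so accept both shapes instead of rejecting the Gateway's own sample.
    if children and children[0][0] == 0x06:
        statements = [children]
    else:
        statements = [list(der_children(v)) for t, v in children if t == 0x30]
    for parts in statements:
        if not parts or parts[0][0] != 0x06 or decode_oid(parts[0][1]) != OID_PSD2_QCSTATEMENT:
            continue
        if len(parts) < 2 or parts[1][0] != 0x30:
            raise ValueError("PSD2 qcStatement without PSD2QcType body")
        roles_seq, nca_name, nca_id = list(der_children(parts[1][1]))[:3]
        roles = []
        for _, role in der_children(roles_seq[1]):          # RoleOfPSP ::= SEQUENCE { OID, UTF8String }
            role_oid, role_name = list(der_children(role))[:2]
            roles.append((decode_oid(role_oid[1]), role_name[1].decode("utf-8")))
        return {"roles": roles,
                "nca_name": nca_name[1].decode("utf-8"),
                "nca_id": nca_id[1].decode("utf-8")}
    raise ValueError("no PSD2 qcStatement present")


def role_mismatches(parsed: dict) -> list:
    """Roles whose free-text roleOfPspName disagrees with the role OID.
    Log and authorise on the OID; the text is whatever the issuer typed."""
    return [(oid, name) for oid, name in parsed["roles"] if PSP_ROLE_OIDS.get(oid) != name]


if __name__ == "__main__":
    parsed = parse_psd2_qcstatement(hexdump_to_bytes(GATEWAY_DUMP))
    print(parsed)                    # roles PSP_AI, PSP_PI, PSP_IC; "Trust Service Provider AG" / "DE-FAKENCA"
    print(role_mismatches(parsed))   # []
```

Two practitioner points the parser encodes: the dump is read by fixed column because the ASCII column on the first line ("0b09") would otherwise be picked up as bytes, and the role is taken from the OID rather than the free-text roleOfPspName, with role_mismatches() flagging any disagreement between the two before the value reaches a log or an authorisation decision.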

  • 2.  RE: Read custom attribute from Certificate

    Broadcom Employee
    Posted Jul 30, 2019 10:00 AM
    Hi Niklas,

    I guess this certificate you're trying to extract attributes from is related to the eIDAS regulation. If that's the case, upgrade your gateway to v9.2 CR2 and you will be able to extract the attributes you need using extension OIDs.
    https://docops.ca.com/ca-api-gateway/9-4/en/policy-assertions/assertion-palette/access-control-assertions/extract-attributes-from-certificate-assertion-eidas-eu-regulation


  • 3.  RE: Read custom attribute from Certificate

    Posted Jul 31, 2019 04:00 AM
    Edited by NBK Sep 30, 2020 11:31 AM
    Hello Burak,

    thank you for your quick response. That piece of information is exactly what I was looking for. Unfortunately I cannot see the "Source Variable" check box, hence I cannot specify a source variable.

    The Policy Manager Version is 9.400 build 8872 and the Gateway's version is 9.4.00.
    See the screenshot I attached for more details.

    Kind regards
    Niklas


  • 4.  RE: Read custom attribute from Certificate

    Broadcom Employee
    Posted Aug 05, 2019 10:30 AM
    Hi Niklas,

    You should upgrade your Gateway Cluster to v9.4 CR02 patch. After the upgrade, you will be able to see the change in the "Certificate Attributes Properties" window.


    Have a Nice Day,
    Burak.



  • 5.  RE: Read custom attribute from Certificate

    Posted Aug 06, 2019 05:20 AM
    Edited by NBK Sep 30, 2020 11:30 AM
    Thank you Burak,

    our Gateway runs inside a docker Container. Could you advise the appropriate tag?
    https://hub.docker.com/r/caapim/gateway/tags

    Thank you
    Niklas


  • 6.  RE: Read custom attribute from Certificate
    Best Answer

    Posted Aug 07, 2019 08:38 AM
    We use the latest from Docker Hub and the result is this 

    That means it should work.

    Regards
    Steffen


    ------------------------------
    Sen. Director Services API Management
    APIIDA AG
    ------------------------------



  • 7.  RE: Read custom attribute from Certificate

    Posted Aug 07, 2019 08:39 AM
    Works for us with the latest from Docker Hub.


    ------------------------------
    Sen. Director Services API Management
    APIIDA AG
    ------------------------------