Layer 7 API Management


Read custom attribute from Certificate

  • 1.  Read custom attribute from Certificate

    Posted 24 days ago
    Edited by Niklas Konsik 23 days ago
    Dear Community, 

    I need support in accessing a field of an SSL certificate in the API Gateway.

    My current task is to log SSL certificate details to our logging infrastructure. The project is part of the PSD2 implementation, which is a regulatory demand of the EU, mainly for banks. So-called third party providers send requests through our API Gateway to banking services. They present a client certificate. Those certificates hold custom extensions with certain roles which we need to log.

    So far I encoded a base26-decoded certificate into a variable of type X.509 Certificate. I am able to access the issuer or subject by calling ${certificate.issuer} or ${certificate.subject}. Unfortunately I cannot find the correct property in the documentation (Certificate Attributes Context Variables, https://docops.ca.com/ca-api-gateway/9-2/en/reference/context-variables/certificate-attributes-context-variables).

    I am only able to dump the complete certificate:
    [
    [
    Version: V3
    ...
    Certificate Extensions: 1
    [1]: ObjectId: 1.3.6.1.5.5.7.1.3 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 6E 30 6C 06 06 04 00 81 98 27 02 30 62 30 39 .n0l......'.0b09
    0010: 30 11 06 07 04 00 81 98 27 01 03 0C 06 50 53 50 0.......'....PSP
    0020: 5F 41 49 30 11 06 07 04 00 81 98 27 01 02 0C 06 _AI0.......'....
    0030: 50 53 50 5F 50 49 30 11 06 07 04 00 81 98 27 01 PSP_PI0.......'.
    0040: 04 0C 06 50 53 50 5F 49 43 0C 19 54 72 75 73 74 ...PSP_IC..Trust
    0050: 20 53 65 72 76 69 63 65 20 50 72 6F 76 69 64 65 Service Provide
    0060: 72 20 41 47 0C 0A 44 45 2D 46 41 4B 45 4E 43 41 r AG..DE-FAKENCA
    ]
    Algorithm: [SHA256withRSA]
    Signature:
    ...
    ]

    How can I access the highlighted section via a context variable in order to log those custom roles?

    Kind regards
    Niklas Konsik
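
As an added example (written for this page; it is not part of the original post and not the gateway's own code), the following Python script decodes the hex dump above with a minimal DER walker and returns the PSP roles, the NCA name and the NCA id as fields ready for a log line. The sample bytes are copied from the dump in the post. The qcStatement and role OIDs are taken from ETSI TS 119 495 (an assumption about the standard, not something the post states; the dump itself confirms the 1.2, 1.3 and 1.4 role arcs), and the script checks the free-text role name against its OID because only the OID is normative.

```python
"""Decode the PSD2 qcStatement (ETSI TS 119 495) out of an X.509 qcStatements
extension value with a minimal DER walker. Standard library only."""

TAG_OCTET_STRING, TAG_OID, TAG_UTF8STRING, TAG_SEQUENCE = 0x04, 0x06, 0x0C, 0x30

# Value of extension 1.3.6.1.5.5.7.1.3, copied byte for byte from the dump in
# the post above (OCTET STRING wrapper included, as the gateway printed it).
QC_STATEMENTS_HEX = (
    "04 6E 30 6C 06 06 04 00 81 98 27 02 30 62 30 39"
    " 30 11 06 07 04 00 81 98 27 01 03 0C 06 50 53 50"
    " 5F 41 49 30 11 06 07 04 00 81 98 27 01 02 0C 06"
    " 50 53 50 5F 50 49 30 11 06 07 04 00 81 98 27 01"
    " 04 0C 06 50 53 50 5F 49 43 0C 19 54 72 75 73 74"
    " 20 53 65 72 76 69 63 65 20 50 72 6F 76 69 64 65"
    " 72 20 41 47 0C 0A 44 45 2D 46 41 4B 45 4E 43 41"
)

# id-etsi-psd2-qcStatement and the PSP role OIDs as defined in ETSI TS 119 495
# (assumption: taken from the standard, not from the post).
PSD2_QC_STATEMENT_OID = "0.4.0.19495.2"
PSD2_ROLE_OIDS = {
    "0.4.0.19495.1.1": "PSP_AS",
    "0.4.0.19495.1.2": "PSP_PI",
    "0.4.0.19495.1.3": "PSP_AI",
    "0.4.0.19495.1.4": "PSP_IC",
}


def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not used in qcStatements")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not valid DER")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("element runs past the end of the buffer")
    return tag, buf[pos:end], end


def read_children(content):
    """Split the content of a constructed element into (tag, content) pairs."""
    children, pos = [], 0
    while pos < len(content):
        tag, inner, pos = read_tlv(content, pos)
        children.append((tag, inner))
    return children


def decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets into dotted notation."""
    if not content or content[-1] & 0x80:
        raise ValueError("truncated OID")
    arcs, acc = [], 0
    for b in content:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = arcs[0]                          # first octet packs two arcs
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def parse_psd2_qc_type(tag, content):
    """PSD2QcType ::= SEQUENCE { rolesOfPSP SEQUENCE OF SEQUENCE { OID, UTF8String },
    nCAName UTF8String, nCAId UTF8String }"""
    if tag != TAG_SEQUENCE:
        raise ValueError("PSD2QcType must be a SEQUENCE")
    fields = read_children(content)
    if [t for t, _ in fields] != [TAG_SEQUENCE, TAG_UTF8STRING, TAG_UTF8STRING]:
        raise ValueError("unexpected PSD2QcType layout")
    roles = []
    for tag, role in read_children(fields[0][1]):
        parts = read_children(role) if tag == TAG_SEQUENCE else []
        if [t for t, _ in parts] != [TAG_OID, TAG_UTF8STRING]:
            raise ValueError("unexpected RoleOfPSP layout")
        oid, name = decode_oid(parts[0][1]), parts[1][1].decode("utf-8")
        # The OID is normative; the string is free text. Refuse to log a role the
        # issuer did not actually assert via its OID.
        if PSD2_ROLE_OIDS.get(oid, name) != name:
            raise ValueError(f"role name {name!r} does not match OID {oid}")
        roles.append((oid, name))
    return {"roles": roles,
            "nca_name": fields[1][1].decode("utf-8"),
            "nca_id": fields[2][1].decode("utf-8")}


def parse_psd2_qc_statement(ext_value):
    """Return the decoded PSD2 statement from a qcStatements extension value,
    or None if the extension carries no PSD2 statement."""
    tag, body, _ = read_tlv(ext_value)
    if tag == TAG_OCTET_STRING:              # strip the extnValue wrapper if present
        tag, body, _ = read_tlv(body)
    if tag != TAG_SEQUENCE:
        raise ValueError("qcStatements must be a SEQUENCE")
    children = read_children(body)
    # RFC 3739 defines QCStatements as SEQUENCE OF QCStatement; the dump above
    # holds a single QCStatement without that outer wrapper, so accept both.
    if children and children[0][0] == TAG_OID:
        statements = [children]
    else:
        statements = [read_children(c) for t, c in children if t == TAG_SEQUENCE]
    for stmt in statements:
        if len(stmt) == 2 and stmt[0][0] == TAG_OID \
                and decode_oid(stmt[0][1]) == PSD2_QC_STATEMENT_OID:
            return parse_psd2_qc_type(*stmt[1])
    return None


def psd2_log_line(ext_value):
    """Render the decoded statement as one key=value log line (None if absent)."""
    info = parse_psd2_qc_statement(ext_value)
    if info is None:
        return None
    roles = ",".join(name for _, name in info["roles"])
    return f'psd2_roles={roles} nca_id={info["nca_id"]} nca_name="{info["nca_name"]}"'


if __name__ == "__main__":
    print(psd2_log_line(bytes.fromhex(QC_STATEMENTS_HEX)))
```

The parser only decodes the extension; whether the client certificate is trusted at all has to be established by the TLS layer and the gateway's trust store before any of these values are worth logging, and a role should be taken from its OID, not from the accompanying string.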


  • 2.  RE: Read custom attribute from Certificate

    Posted 23 days ago
    Hi Niklas,

    I guess this certificate you're trying to extract attributes from is related to the eIDAS regulation. If that's the case, upgrade your gateway to v9.2 CR2 and you will be able to extract the attributes you need using extension OIDs.
    https://docops.ca.com/ca-api-gateway/9-4/en/policy-assertions/assertion-palette/access-control-assertions/extract-attributes-from-certificate-assertion-eidas-eu-regulation


  • 3.  RE: Read custom attribute from Certificate

    Posted 22 days ago
    Hello Burak,

    thank you for your quick response. That piece of information is exactly what I was looking for. Unfortunately I cannot see the "Source Variable" check box, hence I cannot specify a source variable.

    The Policy Manager Version is 9.400 build 8872 and the Gateway's version is 9.4.00.
    See the screenshot I attached for more details.

    Kind regards
    Niklas Konsik


  • 4.  RE: Read custom attribute from Certificate

    Posted 17 days ago
    Hi Niklas,

    You should upgrade your Gateway Cluster to v9.4 CR02 patch. After the upgrade, you will be able to see the change in the "Certificate Attributes Properties" window.


    Have a Nice Day,
    Burak.



  • 5.  RE: Read custom attribute from Certificate

    Posted 16 days ago
    Thank you Burak,

    our Gateway runs inside a Docker container. Could you advise the appropriate tag?
    https://hub.docker.com/r/caapim/gateway/tags

    Thank you
    Niklas Konsik


  • 6.  RE: Read custom attribute from Certificate
    Best Answer

    Posted 15 days ago
    We use the latest from Docker Hub and the result is this:

    That means it should work.

    Regards
    Steffen


    ------------------------------
    Sen. Director Services API Management
    APIIDA AG
    ------------------------------



  • 7.  RE: Read custom attribute from Certificate

    Posted 15 days ago
    Works for us with the latest from Docker Hub.


    ------------------------------
    Sen. Director Services API Management
    APIIDA AG
    ------------------------------