Layer 7 API Management


Client Certificate To Backend Web App Validation

  • 1.  Client Certificate To Backend Web App Validation

    Posted 07-23-2019 03:59 AM
    Hi All
    We have a CA API Gateway 9.2 between the mobile client and the Web Application endpoint.
    Is it possible to create, with Policy Manager, an assertion that only forwards the client certificate (which identifies the mobile client) to the Web Application endpoint for its validation?

    Mutual authentication between the mobile device and the API gateway is not necessary.

    Thanks in advance

    Fabio


  • 2.  RE: Client Certificate To Backend Web App Validation
    Best Answer

    Posted 07-23-2019 09:39 AM
    If I understand the flow, you want client -- TLS Mutual Auth --> API GW -- Forward w/ cert only --> application?

    That should be pretty straightforward using the certificate context variables, which expose the certificate in base64, for example - https://docops.ca.com/ca-api-gateway/9-2/en/reference/context-variables/credential-certificates-context-variables

    So long as you've already done the key validation on the GW / authenticated the user, and trust the connection between the API GW and the application endpoint, then inject it as, say, an X-Client-Certificate request header. Toss in a "Manage Transport Properties/Headers" assertion, target the request and add "X-Client-Certificate=${request.ssl.clientCertificate.base64}"... or whatever other header you want.

    The main thing is making sure you really trust that connection between the GW and the back-end app server. If anyone gets around the GW they can just inject any public cert as that header, and if the app allows that in... not good.

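    As an added example (not code from this thread, and not part of the CA API Gateway product), here is what the receiving end of the approach above looks like: a Go backend that takes the forwarded header, parses the base64 DER certificate, verifies it against the client CA, and refuses the header unless the request really came from the gateway. The header name X-Client-Certificate follows the answer above; the gateway address 10.0.0.5, the /ctpush path and the in-memory demo CA are constructed assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"time"
)

// Header the gateway policy is assumed to set (the name used in the thread), and the
// address the gateway is assumed to connect from (constructed value for this demo).
const (
	clientCertHeader = "X-Client-Certificate"
	trustedGateway   = "10.0.0.5"
)

// fromTrustedGateway pins the TCP peer: without this (or TLS client auth from the
// gateway) anyone who reaches the backend directly can inject any public certificate.
func fromTrustedGateway(remoteAddr string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	return err == nil && host == trustedGateway
}

// parseForwardedCert decodes ${request.ssl.clientCertificate.base64}: base64 over DER.
func parseForwardedCert(b64 string) (*x509.Certificate, error) {
	der, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, fmt.Errorf("header is not valid base64: %w", err)
	}
	return x509.ParseCertificate(der)
}

// authenticate is the backend's per-request check: trusted peer, parseable header, and a
// certificate that chains to the client CA, is valid at 'now' and permits client auth.
func authenticate(r *http.Request, roots *x509.CertPool, now time.Time) (string, error) {
	if !fromTrustedGateway(r.RemoteAddr) {
		return "", errors.New("certificate header only accepted from the API gateway")
	}
	cert, err := parseForwardedCert(r.Header.Get(clientCertHeader))
	if err != nil {
		return "", err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return "", fmt.Errorf("forwarded certificate rejected: %w", err)
	}
	return cert.Subject.CommonName, nil
}

// newForwardedRequest builds the request as the backend sees it: peer plus injected header.
func newForwardedRequest(remoteAddr, certB64 string) *http.Request {
	r, _ := http.NewRequest(http.MethodGet, "http://backend.example/ctpush", nil)
	r.RemoteAddr = remoteAddr
	r.Header.Set(clientCertHeader, certB64)
	return r
}

// demoPKI builds, in memory, a constructed client CA, one certificate it issued and one
// self-signed certificate it did not; both come back encoded as the header carries them.
func demoPKI(now time.Time) (roots *x509.CertPool, issuedB64, selfSignedB64 string) {
	sign := func(tmpl, parent *x509.Certificate, issuer *ecdsa.PrivateKey) ([]byte, *ecdsa.PrivateKey) {
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			panic(err)
		}
		if issuer == nil { // no issuer key given: the certificate signs itself
			issuer = key
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, issuer)
		if err != nil {
			panic(err)
		}
		return der, key
	}
	base := x509.Certificate{NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	ca := base
	ca.SerialNumber, ca.Subject = big.NewInt(1), pkix.Name{CommonName: "Demo Mobile Client CA"}
	ca.IsCA, ca.BasicConstraintsValid, ca.KeyUsage = true, true, x509.KeyUsageCertSign
	caDER, caKey := sign(&ca, &ca, nil)
	caCert, _ := x509.ParseCertificate(caDER)
	roots = x509.NewCertPool()
	roots.AddCert(caCert)
	leaf := base
	leaf.SerialNumber, leaf.Subject = big.NewInt(2), pkix.Name{CommonName: "mobile-device-0001"}
	leaf.KeyUsage, leaf.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	leafDER, _ := sign(&leaf, caCert, caKey)
	rogue := leaf // same profile but self-signed: what a caller who skips the gateway could forge
	rogue.SerialNumber, rogue.Subject = big.NewInt(3), pkix.Name{CommonName: "attacker-self-signed"}
	rogueDER, _ := sign(&rogue, &rogue, nil)
	return roots, base64.StdEncoding.EncodeToString(leafDER), base64.StdEncoding.EncodeToString(rogueDER)
}
```

    The peer check is the cheapest form of the trust the answer above insists on; a backend that terminates TLS itself would instead require the gateway's own client certificate on that hop and treat the header as authoritative only on such a connection.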

  • 3.  RE: Client Certificate To Backend Web App Validation

    Posted 07-23-2019 01:00 PM
    Forward both origin IP and original client cert:



  • 4.  RE: Client Certificate To Backend Web App Validation

    Posted 07-23-2019 07:21 PM
    If the backend web application doesn't care about the mobile client, you don't have to forward the client cert; just let the web application trust the client cert of the gateway default private key. (By default, the Route via HTTP(S) assertion uses the gateway default private key to send a client cert.)



  • 5.  RE: Client Certificate To Backend Web App Validation

    Posted 07-23-2019 07:26 PM
    The reason to use the client cert from the gateway is that the backend web application only needs to trust one client cert. If you forward the client cert of the mobile client, the web application needs to trust each one of them, which is not really practical unless you only allow a limited number of mobile clients.


  • 6.  RE: Client Certificate To Backend Web App Validation

    Posted 07-29-2019 12:29 PM
    Thanks to all for your answers!!
    We can consider the calls trusted between mobile client --> API GW --> endpoint web application (which in this scenario will validate the certificate).

    @Chris, yes, right flow. Now I have implemented a REST API /ctpush that, after some client checks, catches the header and
    base64-encodes its value.
    I have inserted a simple string inside the header with the SoapUI client (the request) and it works, responding with the string encoded as shown in the image:


    (image: Response)

    The SoapUI client "wears the clothes" of the mobile client in the flow.

    The web application endpoint API is still missing, but I would try to test whether the certificate is correctly responded back.

    Now I'm trying to add a header in SoapUI with a certificate file (instead of a string), but it seems it is not possible.
    I'm searching for how to pass an X509Certificate object in a valid header... I don't know how, and hope this makes sense.


    @Philippe Brand: I really appreciate your help.
    @Zhijun He: It seems that the web application backend would validate the certificate coming from the mobile clients.

    Fabio


  • 7.  RE: Client Certificate To Backend Web App Validation

    Posted 08-01-2019 05:27 AM
    Hi All
    Is it possible to forward the client certificate only, in order to allow mutual authentication between the mobile device and the Web Application backend?
    I'm aware that this is a different scenario, because there isn't mutual auth between the API GW and the mobile device, but in this forward scenario I don't have the variable

    ${request.ssl.clientCertificate}


    Is there another way to accomplish forwarding the client certificate to the backend?
    A simple redirect could be a way, but then the certificate will not pass through the API gateway.

    Thanks