Layer7 API Management

  • Private Community
 View Only

  • 1.  Error validating idtoken after mag ssl certificate update

    Posted Mar 06, 2020 01:51 PM
      |   view attached
    We updated the MAG ssl certificate, and after that, the apps are getting an error. New installations work fine but old installations do not.
    The error is on the User.Login, as we investigate the error is in the validation of the id_token returned by the mobile api gateway.

    It looks like the SDK is trying to validate the id_token jwt using the old certificate. (Looks like it caches it somehow)

    We made some policy changes to the gateway to force the id_token jwt to be generated with a new kid. So that he didn't have it in the cache and force the call to JWKS.
    This worked for android but not for ios.


  • 2.  RE: Error validating idtoken after mag ssl certificate update

    Broadcom Employee
    Posted Mar 08, 2020 05:59 PM
    Not very sure, but I believe the certificate to sign the JWT is the default ssl certificate, and it should be stored in msso_config.json.
    Have you re-created the msso_config.json file, and re-compiled the mobile app with the new msso_config.json file?

    Regards,
    Mark
    Original Message


  • 3.  RE: Error validating idtoken after mag ssl certificate update
    Best Answer

    Posted Mar 09, 2020 03:49 AM
    I had a similar problem with SDK version when the our certificate changed. However that was because we did not import the entire certificate chain. Specially for iOS which requires the entire certificate chain as comma separated json with begin and end certificate.

    Also As suggested by Mark, you need to re import the msso_config.json from /oauth/manager. But if only a single certificate imported not the chain it will work on android sdk but ios sdk will definitely give a problem as it requires entire certificate chain


    Please check the document here: http://mas.ca.com/docs/ios/2.0.00/guides/#prepare-for-ssl-pinning-updates


    ------------------------------
    Pre-Sales Consultant
    CA Southern Africa
    ------------------------------

    Original Message


  • 4.  RE: Error validating idtoken after mag ssl certificate update

    Posted Mar 09, 2020 09:24 AM
    Thank you for your reply.
    We are aware of this ios particularly but we are using an older version of the sdk (1.9.2) that doesn't have this behavior.

    Could you tell how do you set the 'kid' in your id_token? You are using the deault?

    Thank you in advance!
    Original Message


  • 5.  RE: Error validating idtoken after mag ssl certificate update

    Posted Mar 09, 2020 10:13 AM
    Another thing is that this link is broken for me.
    Original Message


  • 6.  RE: Error validating idtoken after mag ssl certificate update

    Posted Mar 09, 2020 09:17 AM
    Thank you for your reply.
    Yes, the certificate used is th default_ssl certificate.
    Yes we re-created the msso_config.json file, and re-compiled the mobile app with the new msso_config.json file.

    But, as we observed, to validate the id_token the SDK doesn`t use the certificate in the msso_config file.
    It uses the JSON Web Key Set (JWKS, available on [server host]/openid/connect/jwks.json).
    But seems that the app caches the result for a while.

    Original Message


  • 7.  RE: Error validating idtoken after mag ssl certificate update

    Posted Mar 10, 2020 06:42 AM
    Edited by Deactivated User Mar 10, 2020 06:44 AM
    Your CSR is verified and signed using ca_msso certificate Policy to look at connect/device/register
    You can troubleshoot your export page issue /auth/oauth/v2/client/export and OTK Client Export 
    #OTK Variable Configuration is where you set the certificate details and otk lifetime

    I had a problem where my msso_config link did not work that was due to me having 2 certificate with the same name as the gateway.cluster.hostname ensure you do not have that as the export utility fail if there are 2 certificates with the same name
    OTK Customization folder is where you customize your OTK parameters





    ​​​

    ------------------------------
    Pre-Sales Consultant
    CA Southern Africa
    ------------------------------

    Original Message


  • 8.  RE: Error validating idtoken after mag ssl certificate update

    Posted Mar 11, 2020 11:53 AM
    Thank you for the reply.
    "I had a problem where my msso_config link did not work that was due to me having 2 certificate with the same name as the gateway.cluster.hostname ensure you do not have that as the export utility fail if there are 2 certificates with the same name
    OTK Customization folder is where you customize your OTK parameters"
    In our case the export utility works fine, and we don't have 2 certificates with the same name.

    My main question is if in your case you overwrite the default value for variable 'kid_header' on the "#OTK id_token KID Configuration" or if you are using the default.
    Original Message


  • 9.  RE: Error validating idtoken after mag ssl certificate update

    Posted Mar 12, 2020 03:31 AM
    Most of my implementation I create a certificate key pair which is signed by the Vendor and replace the default SSL key with this key. The default kid is "default_ssl" that is mapped to the default base key that hosts the Layer 7 certificate, hence I don't need to change my Kid configuration​.

    Details here https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-3/openid-connect-implementation/use-a-dedicated-private-key-for-signing-jwt.html

    ------------------------------
    Pre-Sales Consultant
    CA Southern Africa
    ------------------------------

    Original Message