Layer7 API Management

Expand all | Collapse all

How to install consumer (client) ssl certificate and backend system ssl certificate into gateway truststore? How to generate gateway certificates and share with inbound and outbound systems ?

Jump to Best Answer
  • 1.  How to install consumer (client) ssl certificate and backend system ssl certificate into gateway truststore? How to generate gateway certificates and share with inbound and outbound systems ?

    Posted 03-28-2020 11:06 AM

    My understanding on SSL certificates is this:

     

    Public certificate: it can be public certificate of consumer application, CA gateway and backed system which will be shared with each other systems so that there would be SSL communication between these systems

    Private Certificate or key: The certificate or key used by the consumer application/gateway/backend system to generate their own public certificates (self signed or Certificate Authority signed). Same private certificate or key will be used to validate incoming request to system and have successful SSL communication

     

    When I open the ca-api-gateway-9-4.pdf documentation, I see two topics under "Working with SSL Certificates" page no.133, one "Manage Private Keys for SSL certificate" page no.133 and  another one is "Manage certificates for ssl certificates" page no.140. In both the topics naming conventions used for keys and certificates are confusing and I am not able to understand how can I achieve below 3 scenarios. Also the way sequence of steps mentioned under these topics are confusing to achieve the same below 3 scenarios. It seems that "key" keyword is used for private key and somewhere key keyword is used for ssl certificate.

    Can you please clarify on the naming conventions used in these topics. It would be good if you suggest the topics in this document ca-api-gateway-9-4.pdf to achieve below 3 scenarios.

     

    In my project we have 2-way SSL communication between inbound system, gateway and outbound systems. Our requirements are as below:

    1. Import consumer (client) public certificate into gateway and share gateway's public certificate with client system so that there would be successful 2-way ssl communication. How can I import consumer application public ssl certificate into gateway truststore to make this scenario successful ? Please provide the steps
    2. Import backend public certificate into gateway and share gateway's public certificate with backend system so that there would be successful 2-way ssl communication. How can I import backend system public ssl certificate into gateway truststore to make this scenario successful ? Please provide the steps.
    3. Create gateway public certificate based on gateway private key and share this gateway public certificate with inbound and outbound systems to make successful ssl communication. I think "Manage Private Keys for SSL certificate" is the topic to achieve this scenario. Please confirm. If not then please provide the steps.


    ------------------------------
    Technology Lead
    ------------------------------


  • 2.  RE: How to install consumer (client) ssl certificate and backend system ssl certificate into gateway truststore? How to generate gateway certificates and share with inbound and outbound systems ?

    Posted 03-29-2020 06:32 PM
    Dear Sachin,
    1. You don't need to care about client certificate unless you use it for authentication
    2. No matter client cert, or backend cert, all the certificates will be imported on "Manage Certificates"

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-4/security-configuration-in-policy-manager/tasks-menu-security-options/manage-certificates.html

    Regards,
    Mark


  • 3.  RE: How to install consumer (client) ssl certificate and backend system ssl certificate into gateway truststore? How to generate gateway certificates and share with inbound and outbound systems ?

    Posted 03-30-2020 12:44 AM
    Good morning Zhijun. Thanks for your quick response.

    Please find my responses:
    Zhijun: You don't need to care about client certificate unless you use it for authentication
    Sachin: I am new to CA gateway. However, when I worked on other gateways like Apigee. When there is a 2-way SSL communication between consumer application (client) and gateway (server), we have to import or install consumer application SSL certificate in gateway so that consumer application also identified whom it is sending the request. Is it not the case with CA gateway ?

    Zhijun: No matter client cert, or backend cert, all the certificates will be imported on "Manage Certificates"
    Sachin: From the link you provided, I can see the option for backend cert which is "
    Outbound SSL Connections". I don't see option for Inbound. Does it mean that when we don't select this option, importing certificate will acts as a inbound system certificate?




  • 4.  RE: How to install consumer (client) ssl certificate and backend system ssl certificate into gateway truststore? How to generate gateway certificates and share with inbound and outbound systems ?

    Posted 03-30-2020 10:41 AM
    Answer to your 2 question:-
    Double click on the certificate go to  Option and select the relevant tick box.

    Certificate import Import can be done either directly accessing the URL by clicking Add and provide the URL of the endpoint or by just importing the base64 certificate


    ------------------------------
    Pre-Sales Consultant
    CA Southern Africa
    ------------------------------



  • 5.  RE: How to install consumer (client) ssl certificate and backend system ssl certificate into gateway truststore? How to generate gateway certificates and share with inbound and outbound systems ?
    Best Answer

    Posted 03-30-2020 04:35 PM
    Edited by Jay MacDonald 04-03-2020 04:28 PM
    Unlike many systems I've seen, the Gateway is very explicit about separating trusted certificates and private keys. The "Manage Certificates" interface on the Gateway is used to import and establish trust in certificates that are NOT identity based. I.e. for trusting a signing authority or for trusting an explicit SSL server certificate at the time of routing.

    Client identity with certificates is handled via an identity provider. If you are dealing with explicit trust (i.e. trust in a specific certificate) then you need to create an identity in a provider, either the IIP or an LDAP, that contains the specific certificate. You can also create those kinds of identities in a Federated Identity Provider (FIP). FIPs are an advanced topic that I'm not going to get into here unless you wish to go further down that path :).

    On the Gateway, private keys represent "identity" of the Gateway. By default, any time a Gateway needs to provide a signature or expects encrypted information, it uses the default SSL key. Additional private keys (and corresponding certificates) can be generated, but they are not automatically trusted by the Gateway.

    So, in answer to your three use cases:

    1. Import consumer (client) public certificate into gateway and share gateway's public certificate with client system so that there would be successful 2-way ssl communication. How can I import consumer application public ssl certificate into gateway truststore to make this scenario successful ? Please provide the steps

    As I said above, client certificates are not kept in the trust store, but rather in the identity provider (since they are identity related). The simplest way to illustrate this is to create a new identity in the Internal Identity Provider (IIP) with the user name set to the CN of the certificate's subject and an arbitrary password (since all identities in the IIP require a password), then click the Certificate tab for the user and import the certificate to it. You can then create a policy that requires SSL or TLS Transport with Client Certificate (which captures the certificate) then authenticate the request against the IIP.

    2. Import backend public certificate into gateway and share gateway's public certificate with backend system so that there would be successful 2-way ssl communication. How can I import backend system public ssl certificate into gateway truststore to make this scenario successful ? Please provide the steps.

    A backend certificate IS part of the trust store. Use the Manage Certificates to add the certificate to the keystore and use the server's URL to access it (or import it using any of the other mechanisms in the dialogue), check the Outbound SSL Connections options (which declares explicit trust in a specific certificate), then make sure the "Certificate is a Trust Anchor box is checked. All trust chains must resolve to a trust anchor in the Gateway.

    Sharing the Gateway's public certificate is a matter of opening the Manage Private Keys interface, selecting the private key you plan to use for the routes (typically whichever one is tagged as the default) and exporting the certificate. Note that the Routing Assertion can be configured to use a non-default private key for routing when challenged for a certificate by the back end. It's not in the Routing Assertion dialogue, but rather if you right mouse click the assertion you'll see an option to Select Private Key

    3. Create gateway public certificate based on gateway private key and share this gateway public certificate with inbound and outbound systems to make successful ssl communication. I think "Manage Private Keys for SSL certificate" is the topic to achieve this scenario. Please confirm. If not then please provide the steps.

    When the Gateway was initially configured it created a self signed certificate and set that as the default SSL certificate. If nothing "fancy" is required, then all listen ports and routing assertions will use that private key and self signed certificate whenever a key and certificate is required. If you want to create a new public certificate for the Gateway, then use the Tasks -> Manage Private Keys interface to do so. You can then either declare that new key pair as the Default SSL key OR you can explicitly assign it to a listener or routing assertion as required.

    I hope this helps.


    ------------------------------
    Jay MacDonald - Adoption Architect - Broadcom API Management (Layer 7)
    ------------------------------



  • 6.  RE: How to install consumer (client) ssl certificate and backend system ssl certificate into gateway truststore? How to generate gateway certificates and share with inbound and outbound systems ?

    Posted 03-31-2020 02:30 AM
    Perfect Jay! you resolved all my doubts. thanks a ton.