Layer7 API Management

  • 1.  One way SSL

    Posted Nov 13, 2019 10:09 AM

    Background: Layer7 9.2 is acting as a client sending requests to an IIS Server.

     

    Problem: The IIS Server requires the client cert without asking for it during the TLS communication.

     

    Question: Is there a way to force Layer7 to always send a client certificate when routing to the backend without being asked for by the IIS Server?

     

    Note: The reason for the ask is that no one on the IIS side can figure out how to make the IIS server ask for the client cert. Sad but true.     

     

    Edward Lokiec
    Telephone: 860.226.5977
    E-mail Address:  Ed.Lokiec@CIGNA.com




  • 2.  RE: One way SSL

    Broadcom Employee
    Posted Nov 13, 2019 10:21 AM
    Edited by Joe Dascole Nov 13, 2019 10:22 AM
    Hi Edward,

    Have you tried using a custom private key in the route assertion?

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-4/security-configuration-in-policy-manager/tasks-menu-security-options/manage-private-keys/select-a-custom-private-key.html

    Not sure if this will forcibly send it unchallenged, which it sounds like what you need. Though figured I'd mention it.

    Regards,
    Joe




  • 3.  RE: One way SSL

    Posted Nov 13, 2019 10:30 AM

    Joe, thanks for the quick response, and yes, we are using a custom private key, but unfortunately, as stated in the techdocs:

     

    • Route via HTTP(S): When using an HTTPS URL and the server sends a client certificate challenge, the Route via HTTP(S) assertion can now present a custom client certificate instead of using the standard API Gateway SSL certificate as its client certificate.

    The server is not asking for the client cert.

     






  • 4.  RE: One way SSL

    Broadcom Employee
    Posted Nov 13, 2019 10:32 AM
    Yea, I was a little too quick hitting reply on that one; I noticed that after the update.
    Unfortunately, I am not familiar with any way to force it to send the client certificate without being requested from the server-side.


  • 5.  RE: One way SSL
    Best Answer

    Broadcom Employee
    Posted Nov 13, 2019 12:36 PM
    Sending a client certificate is part of the SSL handshake and, by spec, this is not something the Gateway can or should do. The server MUST challenge for the certificate as part of the handshake. You will need to get IIS to issue the challenge.

    ------------------------------
    Jay MacDonald - Adoption Architect - Broadcom API Management (Layer 7)
    ------------------------------
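Jay's answer turns this into a question for the IIS side: does the server ever send a CertificateRequest during the handshake? The script below is an added example, not code from this thread or from Broadcom; it assumes the openssl CLI is on PATH, and the two s_client transcripts in it are constructed to show what each outcome looks like.

```python
# Added example (not from the thread): probe a TLS server with openssl s_client
# and report whether it sent a CertificateRequest. Assumes the openssl CLI is
# installed; the sample transcripts at the bottom are constructed, not captured.
import re
import subprocess

# Markers s_client prints after the handshake. Both of these appear only when
# the server sent a CertificateRequest; otherwise s_client prints
# "No client certificate CA names sent" instead of the CA list.
CA_LIST = "Acceptable client certificate CA names"
CERT_TYPES = "Client Certificate Types:"
HEADER = re.compile(r"^[A-Z][A-Za-z ]+:")  # e.g. "Peer signing digest: ..."


def run_probe(host, port=443, cert=None, key=None, timeout=15):
    """Run s_client with stdin closed so it exits right after the handshake."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host]
    if cert:  # mirror the Gateway's custom private key so the probe is comparable
        cmd += ["-cert", cert, "-key", key or cert]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return proc.stdout.decode(errors="replace")


def classify(transcript):
    """Return (server_requested_client_cert, acceptable_ca_names).

    A TLS client presents its certificate only in answer to the server's
    CertificateRequest, so a False here cannot be fixed on the client side.
    """
    requested = CA_LIST in transcript or CERT_TYPES in transcript
    ca_names, in_list = [], False
    for line in transcript.splitlines():
        if line.startswith(CA_LIST):
            in_list = True
        elif in_list and (line.startswith("---") or HEADER.match(line)):
            break  # end of the DN list
        elif in_list and line.strip():
            ca_names.append(line.strip())
    return requested, ca_names


# Constructed transcripts (not real captures) of the two outcomes.
REQUESTED = """---
Acceptable client certificate CA names
CN = Example Issuing CA
C = US, O = Example Corp, CN = Example Root CA
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256
---
"""
NOT_REQUESTED = """---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
---
"""
```

Against a live host, `classify(run_probe("iis.example.test", cert="client.pem"))` returning `(False, [])` confirms the server never issued the challenge, which is the IIS-side configuration the thread says must change.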