Layer7 API Management

Hi All
We have a Ca Api Gateway 9.2 between mobile client and Web Application endpoint.
Is it possible create with policy manager an assertions that only forward the client certificate (which identify mobile client) to Web Application endpoint for its validation?

It's not necessary the mutual authentication between the mobile device and api gateway 

Thanks in advance

Fabio

If I understand the flow, you want client -- TLS Mutual Auth -> API GW -- Forward w/ cert only --> application  ?

That should be pretty straight forward using the certificate context variables which exposes the certificate in like base64 for example - https://docops.ca.com/ca-api-gateway/9-2/en/reference/context-variables/credential-certificates-context-variables

So long as you've already done the key validation on the GW / authenticated the user and trust the connection between the API GW and application endpoint then inject it as like an X-Client-Certificate request header. Toss in a "Manage Transport Properties/Headers" assertion, target the request and add "X-Client-Certificate=${request.ssl.clientCertificate.base64}"...or whatever other header you want.

Main thing is making sure you really trust that connection between GW and back-end app server. If anyone gets around the GW they can just inject any public cert as that header and if the app allows that in...not good.
Original Message:
Sent: 07-23-2019 03:58 AM
From: Fabio Dania
Subject: Client Certificate To Backend Web App Validation

Hi All
We have a Ca Api Gateway 9.2 between mobile client and Web Application endpoint.
Is it possible create with policy manager an assertions that only forward the client certificate (which identify mobile client) to Web Application endpoint for its validation?

It's not necessary the mutual authentication between the mobile device and api gateway 

Thanks in advance

Fabio

Forward both origin IP and original client cert:

Original Message:
Sent: 07-23-2019 09:39 AM
From: Chris Bertagnolli
Subject: Client Certificate To Backend Web App Validation

If I understand the flow, you want client -- TLS Mutual Auth -> API GW -- Forward w/ cert only --> application  ?

That should be pretty straight forward using the certificate context variables which exposes the certificate in like base64 for example - https://docops.ca.com/ca-api-gateway/9-2/en/reference/context-variables/credential-certificates-context-variables

So long as you've already done the key validation on the GW / authenticated the user and trust the connection between the API GW and application endpoint then inject it as like an X-Client-Certificate request header. Toss in a "Manage Transport Properties/Headers" assertion, target the request and add "X-Client-Certificate=${request.ssl.clientCertificate.base64}"...or whatever other header you want.

Main thing is making sure you really trust that connection between GW and back-end app server. If anyone gets around the GW they can just inject any public cert as that header and if the app allows that in...not good.
Original Message:
Sent: 07-23-2019 03:58 AM
From: Fabio Dania
Subject: Client Certificate To Backend Web App Validation

Hi All
We have a Ca Api Gateway 9.2 between mobile client and Web Application endpoint.
Is it possible create with policy manager an assertions that only forward the client certificate (which identify mobile client) to Web Application endpoint for its validation?

It's not necessary the mutual authentication between the mobile device and api gateway 

Thanks in advance

Fabio

If the backend web application doesn't care the mobile client, you don't have to forward client cert, just let web application trust the client cert of gateway default private key. (by default, the Route via HTTP(s) assertion uses gateway default private key to send client cert)

Original Message:
Sent: 07-23-2019 03:58 AM
From: Fabio Dania
Subject: Client Certificate To Backend Web App Validation

Hi All
We have a Ca Api Gateway 9.2 between mobile client and Web Application endpoint.
Is it possible create with policy manager an assertions that only forward the client certificate (which identify mobile client) to Web Application endpoint for its validation?

It's not necessary the mutual authentication between the mobile device and api gateway 

Thanks in advance

Fabio

The reason to use client cert from gateway is that, the backend web application only need to trust one client cert, if you forward client cert of mobile client, the web application needs to trust each one of them, it's not really practical unless you only allow limited mobile client.
Original Message:
Sent: 07-23-2019 07:20 PM
From: Zhijun He
Subject: Client Certificate To Backend Web App Validation

If the backend web application doesn't care the mobile client, you don't have to forward client cert, just let web application trust the client cert of gateway default private key. (by default, the Route via HTTP(s) assertion uses gateway default private key to send client cert)

Original Message:
Sent: 07-23-2019 03:58 AM
From: Fabio Dania
Subject: Client Certificate To Backend Web App Validation

Hi All
We have a Ca Api Gateway 9.2 between mobile client and Web Application endpoint.
Is it possible create with policy manager an assertions that only forward the client certificate (which identify mobile client) to Web Application endpoint for its validation?

It's not necessary the mutual authentication between the mobile device and api gateway 

Thanks in advance

Fabio

​Thank to all for your answers!!
We can consider the calls trusted between mobile client --> api gw --> end point web application (which in this scenario will validate the certificate)

@Chris, yes right flow, now i implemented a rest api /ctpush that after some client check, catch the header and
base encoded it's value.
I have insert a simple string inside header with SOAP UI client (the request) and it works responding the string encoded as show in image


Response



The soap client UI "has clothes" of the mobile client in the flow.

The web application endpoint api still missing but i would try to test if the certificate is correctly respond back

Now i'm trying to add a header in soap ui with a certificate file (instead of a string) but seems is not possible.
I'm searching how to pass an X509Certificate object in a valid header... I don't know how and hope make sense.


@Philippe Brand: really appreciate your help
@Zhijun He: Seems that the web application backend would validate the certificate coming from mobile clients.

Fabio
Original Message:
Sent: 07-23-2019 07:25 PM
From: Zhijun He
Subject: Client Certificate To Backend Web App Validation

The reason to use client cert from gateway is that, the backend web application only need to trust one client cert, if you forward client cert of mobile client, the web application needs to trust each one of them, it's not really practical unless you only allow limited mobile client.
Original Message:
Sent: 07-23-2019 07:20 PM
From: Zhijun He
Subject: Client Certificate To Backend Web App Validation

If the backend web application doesn't care the mobile client, you don't have to forward client cert, just let web application trust the client cert of gateway default private key. (by default, the Route via HTTP(s) assertion uses gateway default private key to send client cert)

Original Message:
Sent: 07-23-2019 03:58 AM
From: Fabio Dania
Subject: Client Certificate To Backend Web App Validation

Hi All
We have a Ca Api Gateway 9.2 between mobile client and Web Application endpoint.
Is it possible create with policy manager an assertions that only forward the client certificate (which identify mobile client) to Web Application endpoint for its validation?

It's not necessary the mutual authentication between the mobile device and api gateway 

Thanks in advance

Fabio

Hi All
Is it possible forward the client certificate only in order to consent the Mutual Authentication between Mobile Device and Web Application Backend?
I'm aware that is a different scenario because there isn't a mutual auth between api gw and Mobile device, but in this forward scenario i don't have the variable

${request.ssl.clientCertificate}

Is there another way to accomplish the client certificate forward to backend?
A simple redirect could be a way but so the certificate will not pass to api gateway.

Thanks
Original Message:
Sent: 07-29-2019 12:28 PM
From: Fabio Dania
Subject: Client Certificate To Backend Web App Validation

​Thank to all for your answers!!
We can consider the calls trusted between mobile client --> api gw --> end point web application (which in this scenario will validate the certificate)

@Chris, yes right flow, now i implemented a rest api /ctpush that after some client check, catch the header and
base encoded it's value.
I have insert a simple string inside header with SOAP UI client (the request) and it works responding the string encoded as show in image

Response

The soap client UI "has clothes" of the mobile client in the flow.

The web application endpoint api still missing but i would try to test if the certificate is correctly respond back

Now i'm trying to add a header in soap ui with a certificate file (instead of a string) but seems is not possible.
I'm searching how to pass an X509Certificate object in a valid header... I don't know how and hope make sense.


@Philippe Brand: really appreciate your help
@Zhijun He: Seems that the web application backend would validate the certificate coming from mobile clients.

Fabio
Original Message:
Sent: 07-23-2019 07:25 PM
From: Zhijun He
Subject: Client Certificate To Backend Web App Validation

The reason to use client cert from gateway is that, the backend web application only need to trust one client cert, if you forward client cert of mobile client, the web application needs to trust each one of them, it's not really practical unless you only allow limited mobile client.
Original Message:
Sent: 07-23-2019 07:20 PM
From: Zhijun He
Subject: Client Certificate To Backend Web App Validation

If the backend web application doesn't care the mobile client, you don't have to forward client cert, just let web application trust the client cert of gateway default private key. (by default, the Route via HTTP(s) assertion uses gateway default private key to send client cert)

Original Message:
Sent: 07-23-2019 03:58 AM
From: Fabio Dania
Subject: Client Certificate To Backend Web App Validation

Hi All
We have a Ca Api Gateway 9.2 between mobile client and Web Application endpoint.
Is it possible create with policy manager an assertions that only forward the client certificate (which identify mobile client) to Web Application endpoint for its validation?

It's not necessary the mutual authentication between the mobile device and api gateway 

Thanks in advance

Fabio