Layer7 API Management

  • 1.  Unable to force gateway cert in request

    Posted Aug 08, 2020 02:22 AM
    We want to force the consumer application to pass the gateway's public SSL certificate when the consumer app makes a request to the gateway. Hence we added the Require SSL or TLS Transport assertion and checked the Required option. However, we are still able to make a service call from Postman when we disable the SSL check.
    Also, we tested from the Chrome browser, where we have not added the gateway's cert in the trusted certificates tab. The browser gives a warning but allows the call to be made.

    Please let us know how we can force any client application (Chrome, Postman, Java app, .NET app, etc.) to pass the gateway's cert in the request?


  • 2.  RE: Unable to force gateway cert in request

    Broadcom Employee
    Posted Aug 11, 2020 08:11 AM
    Hi Sachin,

    It sounds like you have this set up for mutual authentication, in which case the client/consuming app would need to send its own certificate to the Gateway. This article describes using mutual auth with Postman.

    https://learning.postman.com/docs/sending-requests/certificates/
  • 3.  RE: Unable to force gateway cert in request

    Posted Aug 11, 2020 09:43 AM

    It's 1-way. Only GW cert.

    Regards,

    Sachin Ghumbre

  • 4.  RE: Unable to force gateway cert in request

    Broadcom Employee
    Posted Aug 11, 2020 05:59 PM
    This makes no sense. I suggest you familiarise yourself with how SSL/TLS works.

    In a nutshell, the server's certificate is only presented during the handshake as part of setting up the session, and it is only transmitted from the server (i.e. the gateway) to the client. The client will NEVER send the server's certificate.

    ------------------------------
    Jay MacDonald - Adoption Architect - Broadcom API Management (Layer 7)
    ------------------------------
  • 5.  RE: Unable to force gateway cert in request

    Broadcom Employee
    Posted Aug 11, 2020 04:55 PM
    I don't understand what you mean by "pass the Gateway's certificate". Why would the client ever do that? The Gateway passes its certificate to the client during the handshake (which is part of the SSL/TLS spec), and if it is over port 8443 then the default configuration of the listener will also challenge the client for a certificate from the *client* (not the Gateway's). The default listener configuration is that it is optional for the client to actually send its certificate, which allows for control in policy.

    So your pattern doesn't make sense. Can you please clarify?

    ------------------------------
    Jay MacDonald - Adoption Architect - Broadcom API Management (Layer 7)
    ------------------------------
  • 6.  RE: Unable to force gateway cert in request

    Posted Aug 12, 2020 12:47 AM
    Apologies for the confusing words. In 1-way communication, I agree that only the server sends its cert (public key) to the client, and the client validates the key. After this, secure communication happens.
    "Pass the Gateway's certificate": what I mean here is that when we use curl with -k, cert validation is ignored, and without that validation curl can invoke the gateway's HTTPS endpoint. Is it possible to force the client to validate the server-sent cert?

    ------------------------------
    Technology Lead
    Infosys Limited
    ------------------------------
  • 7.  RE: Unable to force gateway cert in request

    Broadcom Employee
    Posted Aug 12, 2020 01:02 AM
    That entirely depends upon the client. We have no control over that in the Gateway. Each client is expected to follow the RFC, but each is a little bit different in my experience. There is no way to enforce server cert validation at the client.

    ------------------------------
    Jay MacDonald - Adoption Architect - Broadcom API Management (Layer 7)
    ------------------------------
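
As the thread concludes, server certificate validation is decided entirely in the client, so the only place to enforce it is the client's own TLS configuration. The following Python example (added here, not from the original thread or from Broadcom) shows a client context that pins the gateway's own certificate or issuing CA as the trust anchor, the `curl -k` equivalent for comparison, and a small audit helper for checking which of the two a piece of client code is using; the port 8443 and the `gateway_ca.pem` path are assumptions.

```python
import http.client
import ssl


def gateway_tls_context(cafile=None):
    """Client-side context that insists on validating the gateway's server cert.

    cafile (hypothetical path, e.g. "gateway_ca.pem") is the PEM of the
    gateway's own certificate or its issuing CA. With cafile=None the
    operating system trust store is used instead.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.check_hostname = True               # subject/SAN must match the host we dial
    ctx.verify_mode = ssl.CERT_REQUIRED     # untrusted or expired cert aborts the handshake
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def insecure_context():
    """The `curl -k` / Postman "SSL verification off" equivalent.

    The gateway still sends its certificate during the handshake; the
    client simply does not check it. Kept here only to show what the
    audit helper below flags.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False              # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def client_validates_server(ctx):
    """Audit helper: True only if this context actually validates the server."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def call_gateway(host, path="/", port=8443, ctx=None):
    """GET a gateway endpoint over a validating context; raises ssl.SSLError
    (certificate verify failed) if the presented cert is not trusted."""
    ctx = ctx or gateway_tls_context()
    if not client_validates_server(ctx):
        raise ValueError("refusing to call the gateway without certificate validation")
    conn = http.client.HTTPSConnection(host, port, context=ctx)
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    finally:
        conn.close()
```

Run `call_gateway("gateway.example.internal", ctx=gateway_tls_context("gateway_ca.pem"))` from a client host to see validation either succeed or fail with `CERTIFICATE_VERIFY_FAILED`; passing `insecure_context()` is rejected before any connection is made.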