Layer7 API Management

  • 1.  Instantiating a certificate object (without having cert from authN; without having cert in trust store)

    Posted May 16, 2017 10:39 AM

    Hello everyone,

     

    We know that a certificate can be loaded into the appropriate certificate object (request.ssl.clientCertificate.*) under these conditions:

     

    - authentication

    - message signing

    - look up certificate

     

    Each of these requires having access to the target certificate either from authentication, from a signed message or element, or from the trust store.

     

    Is there any way to instantiate the certificate object by just having a PEM encoded certificate in a string?

     

    Here's the scenario:

    - the client has a need for the requestor IP

    - the client refuses to disable or work around source network address translation at the load balancer (SNAT prevents the requestor IP from being visible to the gateway)

    - the gateway must validate the association between a client certificate and an api key (as a step in a mutual authentication policy)

    - load balancer will pass the PEM encoded cert to the gateway via http header

    - gateway will compare passed PEM value with its own record to confirm that client certificate is associated with api key

    - gateway will need access to certain details like subject, issuer, validity dates; this can only happen if the certificate is set as a 

     

    So... in order to still be able to have the requestor IP, the gateways will have to rely on the load balancer to terminate SSL. This also means that the load balancer must collect the client certificate and pass it back to the gateway.

     

    The gateway's current mutual auth policy relies on pinned certificates. 

     

    It is easy enough to compare the incoming PEM in the header with the value we have stored, but I want to have access to the subject, issuer, validity dates, serial, etc. This is what is not possible as yet (unless someone has found a way).

     

    Ivan



  • 2.  Re: Instantiating a certificate object (without having cert from authN; without having cert in trust store)
    Best Answer

    Broadcom Employee
    Posted May 16, 2017 12:53 PM

    Ivan,

     

    For the scenario you outlined there is a way to pull the cert from a header and then assign it to an x509 certificate context variable. This variable can then be used to authenticate using the public key, as long as you validate the source it is received from. I've attached a sample policy that will take the header cert and pass it through. If you only use the first 2 lines in the policy then you will need to pull values out of the x509 variable using regular expressions. If you use the complete policy then you can add in "Extract Attributes from Certificates" after the Authenticate assertion, and the extended variables will be created for serial number, CN, etc.

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support

    Attachment(s)
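The header-to-certificate step described in the answer above, as an added example that is not the attached Layer7 policy or any Layer7 code: a Go program using only the standard library that takes a PEM certificate out of an HTTP header the way a load balancer would forward it, parses it into a certificate object, exposes subject, issuer, serial and validity dates, and checks the certificate against the record pinned for an API key. Everything concrete in it is an assumption made for the example and labelled in the comments: the `Gateway` type, the load balancer address 10.0.0.5, the API key, the self-signed test certificate, and the assumption that the LB may URL-encode the PEM or collapse its newlines into spaces. The source check mentioned in the answer is the part not to skip: with SNAT the peer address the gateway sees is the load balancer's, so the header is accepted only from that address, and the LB must overwrite any copy of the header a client sends itself, otherwise anyone who knows the header name can present someone else's public certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// CertDetails holds the fields the policy wants from the header-passed certificate.
type CertDetails struct {
	Subject, Issuer, SerialHex, SHA256 string
	NotBefore, NotAfter               time.Time
}

// Gateway is a hypothetical stand-in for policy state: LB addresses allowed to
// present the header, and the pinned certificate (hex SHA-256 of DER) per API key.
type Gateway struct {
	TrustedLB map[string]bool
	Pins      map[string]string
}

// parseHeaderCert turns the header value into an x509.Certificate. Assumed LB behaviour:
// the PEM may be URL-encoded or have its newlines turned into spaces, so the base64 body
// is decoded directly instead of relying on pem.Decode's line layout.
func parseHeaderCert(header string) (*x509.Certificate, error) {
	v := header
	if u, err := url.PathUnescape(header); err == nil {
		v = u
	}
	_, after, ok := strings.Cut(v, "-----BEGIN CERTIFICATE-----")
	body, _, ok2 := strings.Cut(after, "-----END CERTIFICATE-----")
	if !ok || !ok2 {
		return nil, errors.New("header does not carry a PEM certificate")
	}
	der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(body), ""))
	if err != nil {
		return nil, fmt.Errorf("certificate header is not valid base64: %w", err)
	}
	return x509.ParseCertificate(der)
}

// details exposes the attributes the thread asks for; the fingerprint is over the DER
// bytes, so whitespace or encoding differences in the header cannot break a pin match.
func details(c *x509.Certificate) CertDetails {
	sum := sha256.Sum256(c.Raw)
	return CertDetails{Subject: c.Subject.String(), Issuer: c.Issuer.String(),
		SerialHex: c.SerialNumber.Text(16), SHA256: hex.EncodeToString(sum[:]),
		NotBefore: c.NotBefore, NotAfter: c.NotAfter}
}

// Authenticate is the gateway-side check: trust the header only from a known LB (with
// SNAT the peer the gateway sees is the LB), require validity at now, and require the
// fingerprint to match the pin recorded for the presented API key.
func (g Gateway) Authenticate(peerIP, apiKey, certHeader string, now time.Time) (*CertDetails, error) {
	if !g.TrustedLB[peerIP] {
		return nil, fmt.Errorf("certificate header from untrusted peer %s", peerIP)
	}
	c, err := parseHeaderCert(certHeader)
	if err != nil {
		return nil, err
	}
	d := details(c)
	if now.Before(d.NotBefore) || now.After(d.NotAfter) {
		return nil, fmt.Errorf("certificate not valid at %s", now.UTC().Format(time.RFC3339))
	}
	pinned, ok := g.Pins[apiKey]
	if !ok || subtle.ConstantTimeCompare([]byte(pinned), []byte(d.SHA256)) != 1 {
		return nil, errors.New("certificate is not the one pinned for this API key")
	}
	return &d, nil
}

// newClientCert builds a self-signed certificate as constructed test data standing in
// for the client's real one; it returns the PEM the LB would forward and the DER.
func newClientCert(cn string, now time.Time) (string, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(0x1a2b3c),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"Example Client"}},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", nil, err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), der, nil
}
```

Pinning on the SHA-256 of the DER rather than on the PEM text is deliberate: two PEM encodings of the same certificate can differ in line wrapping or URL-encoding after passing through a load balancer, and a plain string comparison of the header against the stored PEM would then fail or, worse, be bypassed by a reformatted copy. The same `details` output covers what the "Extract Attributes from Certificates" step is used for in the answer.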



  • 3.  Re: Instantiating a certificate object (without having cert from authN; without having cert in trust store)

    Posted May 16, 2017 03:01 PM

    Wow! Stephen - this is particularly helpful. Thank you very, very much for taking the time to handle this question so quickly. This approach is significantly cleaner than what I was trying to run. 

     

    I tested it out and am quite happy with the results.

     

    A most interesting way to obtain this functionality, too... 

     

    This line is worth gallons of work-hours. It's what makes the magic happen: <L7p:TargetDataType variableDataType="cert"/>

     

    Thank you kindly!

     

    Ivan



  • 4.  Re: Instantiating a certificate object (without having cert from authN; without having cert in trust store)

    Broadcom Employee
    Posted May 16, 2017 04:44 PM

    Ivan,

     

    You are most welcome. I'm glad that this worked for your use case.

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support