Another point that is not very clear in the documentation is that the username in the Internal Identity Provider
MUST match the CN of the client certificate's subject. So, for example, given my pkcs12 keystore file
jaymac.p12, I run the following (where the password to unlock the keystore is in Password.txt):
jay@jaymac-laptop:~/SecureSpan/GMU-1.5.00$ openssl pkcs12 -in jaymac.p12 -nokeys -passin file:Password.txt
Bag Attributes
friendlyName: jaymac
localKeyID: 54 69 6D 65 20 31 35 39 31 39 30 35 39 36 30 31 38 31
subject=C = CA, ST = BC, L = Vancouver, O = Broadcom, CN = Jay MacDonald
issuer=C = CA, ST = BC, L = Vancouver, O = Broadcom, CN = Jay MacDonald
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
jay@jaymac-laptop:~/SecureSpan/GMU-1.5.00$
The CN for the subject is 'Jay MacDonald' - with a space. For this certificate to work with the Internal Identity Provider, the username
MUST therefore also be 'Jay MacDonald' - with a space. Here is a screenshot of my IIP list to show you what I mean.
------------------------------
Jay MacDonald - Adoption Architect - Broadcom API Management (Layer 7)
------------------------------
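To make the exact-match requirement above concrete, here is an added example (my own code, not from the original post and not part of the Gateway product) that parses the one-line `subject=` output that `openssl pkcs12 -nokeys` prints, pulls out the CN, and compares it with a proposed Internal Identity Provider username. The sample subject line is the one from the thread; the near-miss diagnostics (stray whitespace, different case, missing internal space) are assumptions about the mistakes a practitioner is most likely to make, not behaviour documented for the product.

```python
"""Check that an Internal Identity Provider username exactly matches the client
certificate's subject CN. Added example; not the Gateway's or GMU's own code."""

# Constructed sample: the subject line exactly as `openssl pkcs12 -in jaymac.p12 -nokeys`
# prints it in the thread above (OpenSSL 1.1+ default "C = CA, ST = BC, ..." spacing).
SAMPLE_SUBJECT_LINE = "subject=C = CA, ST = BC, L = Vancouver, O = Broadcom, CN = Jay MacDonald"


def parse_subject(line):
    """Parse openssl's one-line 'subject=...' output into an ordered list of
    (attribute, value) pairs. Assumes the default one-line format shown above;
    attribute values that themselves contain ', ' would need -nameopt RFC2253."""
    if line.startswith("subject="):
        line = line[len("subject="):]
    rdns = []
    for part in line.split(", "):
        attr, sep, value = part.partition(" = ")
        if not sep:
            raise ValueError(f"unexpected RDN format: {part!r}")
        rdns.append((attr.strip(), value))
    return rdns


def subject_cn(line):
    """Return the CN value, or None if the subject has no CN attribute."""
    for attr, value in parse_subject(line):
        if attr == "CN":
            return value
    return None


def username_matches_cn(username, line):
    """Exact, case-sensitive, whitespace-sensitive comparison: the IIP username
    has to equal the CN byte for byte, spaces included."""
    return subject_cn(line) == username


def explain_mismatch(username, line):
    """Return a short reason why the username will not map to this certificate,
    or None when it matches. The categories are assumed common near-misses."""
    cn = subject_cn(line)
    if cn is None:
        return "certificate subject has no CN"
    if cn == username:
        return None
    if cn.strip() == username.strip():
        return "leading/trailing whitespace differs"
    if cn.lower() == username.lower():
        return "case differs"
    if cn.replace(" ", "") == username.replace(" ", ""):
        return "internal spacing differs (e.g. 'JayMacDonald' vs 'Jay MacDonald')"
    return f"CN {cn!r} does not match username {username!r}"


if __name__ == "__main__":
    for candidate in ("Jay MacDonald", "JayMacDonald", "jay macdonald", "Jay MacDonald "):
        print(f"{candidate!r}: {explain_mismatch(candidate, SAMPLE_SUBJECT_LINE) or 'OK'}")
```

Feed it the `subject=` line from your own keystore (for example `openssl pkcs12 -in file.p12 -nokeys -passin file:Password.txt | grep '^subject='`) and the username you created in the IIP; anything other than `OK` means the certificate-to-user mapping will not line up.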
Original Message:
Sent: 08-12-2020 02:03 AM
From: Vivek Luhadiya
Subject: Error in setting up GMU mutual authentication
Dear team,
Need urgent help from my fellow community members for the issue given below. I am trying to set up GMU in our company and I did all the steps as mentioned in this link.
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-3/gateway-migration/configure-gmu-and-gateways-for-migration.html
The steps I did are as follows, which are exactly the same as mentioned in the above link.
1) Published the REST management service on both source and target gateway.
2) I created a migration admin user with the name 'DevMigrationAdmin' through Policy Manager and gave it the Administrator role in the source gateway. Similarly, I created a migration admin user with the name 'UatMigrationAdmin' through Policy Manager and gave it the Administrator role in the target gateway.
3) Then I created a private key with a CN exactly the same as the migration admin user, i.e. 'DevMigrationAdmin', and exported the key and certificate from the source gateway, naming them DevCert.pem and DevKey.p12. I did the same steps on the target gateway and generated UatCert.pem and UatKey.p12.
4) Then I mapped both the source and target gateway migration admin users to the certificates created in step 3, following the exact same steps mentioned in the CA post.
5) Then comes the last step of establishing server trust between the source gateway, target gateway and GMU, so I followed the steps mentioned in the post and generated the certificate of the default SSL key and exported it with the name 'DevSsl.pem'. I did the same steps in UAT and generated the certificate with the name 'UatSsl.pem'.
6) Then, to add the certificate to the JDK trust store, I ran the below command, which is as given in the documentation post, i.e.
keytool -importcert -alias DevMigrationAdmin -file "C:/Program Files/Java/jre7/bin/DevCert.pem" -keystore "C:/Program Files/Java/jre7/lib/security/cacerts" -storepass changeit
7) It gave the message that the certificate was added to the store; then I did the same step for UatCert.pem, i.e. the target gateway, with success.
8) Then I ran the command for migrateOut, which is as follows:
./GatewayMigrationUtility.bat migrateOut --host 192.168.163.40 --dest dest.xml --folderName /APIs/Inbound/MigrationTest --clientCert DevKey.p12 --encryptionPassphrase @file:Encrypt.txt
but it gave me the below error.
Running...
Execution failed. Reason: No subject alternative names present. To resolve, either:
• Establish server trust and try again (more info: search "establish server trust" in the Gateway documentation), OR
• Re-run command with the "--trustHostname" parameter to bypass trust requirement.
I followed the steps mentioned in the CA post for establishing server trust but am still getting this error; please help me out. I need the solution ASAP.
Thanks for the cooperation and support.
Regards
Vivek
------------------------------
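The "No subject alternative names present" text in the error above is the wording Java's built-in hostname checker uses when a client connects to a host given as an IP literal (here `--host 192.168.163.40`) and the server certificate carries no Subject Alternative Name extension at all; for IP hosts the CN is never consulted, so a certificate whose CN is the IP still fails. The following is an added example of mine (not GMU's or the Gateway's code) that models that rule on certificates in the dict layout Python's `ssl.SSLSocket.getpeercert()` returns, so it can be run against constructed samples here or against a live peer certificate. That GMU's Java client applies the standard JSSE hostname verification is an assumption; the two sample certificates are constructed for the example.

```python
"""Model of the hostname check behind 'No subject alternative names present'.
Added example; not GMU's or the Gateway's code."""
import ipaddress

# Constructed sample peer certificates in ssl.getpeercert() dict layout.
# A CN equal to the IP address does not help: for IP hosts only SAN entries count.
CERT_WITHOUT_SAN = {
    "subject": ((("countryName", "CA"),), (("commonName", "192.168.163.40"),)),
}
CERT_WITH_SAN = {
    "subject": ((("commonName", "gateway.example.internal"),),),
    "subjectAltName": (("DNS", "gateway.example.internal"), ("IP Address", "192.168.163.40")),
}


def dns_match(pattern, host):
    """Case-insensitive DNS name match; a leading '*.' matches exactly one label."""
    p, h = pattern.lower(), host.lower()
    if p.startswith("*."):
        return h.count(".") == p.count(".") and h.endswith(p[1:])
    return p == h


def check_host_against_cert(host, cert):
    """Return (ok, reason) for connecting to `host` with this peer certificate.

    Mirrors the rule Java's HostnameChecker applies: an IP-literal host must
    appear as an IP SAN entry and a certificate with no SAN extension fails
    with 'No subject alternative names present'; a DNS host is matched against
    DNS SAN entries, with the CN used only when the certificate has no SAN."""
    san = cert.get("subjectAltName")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None

    if ip is not None:
        if not san:
            return False, "No subject alternative names present"
        for kind, value in san:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, "matched IP SAN"
        return False, f"no IP SAN entry for {host}"

    if san:
        for kind, value in san:
            if kind == "DNS" and dns_match(value, host):
                return True, "matched DNS SAN"
        return False, f"no DNS SAN entry for {host}"

    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName" and dns_match(value, host):
                return True, "matched CN (legacy fallback, no SAN present)"
    return False, "no SAN and CN does not match"


if __name__ == "__main__":
    for host, cert, label in (
        ("192.168.163.40", CERT_WITHOUT_SAN, "IP host, cert without SAN"),
        ("192.168.163.40", CERT_WITH_SAN, "IP host, cert with IP SAN"),
        ("gateway.example.internal", CERT_WITH_SAN, "DNS host, cert with DNS SAN"),
    ):
        print(f"{label}: {check_host_against_cert(host, cert)}")
```

The first case reproduces the failure in the thread: importing the certificate into `cacerts` makes it trusted, but trust and hostname verification are separate checks, and the latter is what `--trustHostname` switches off. The durable fix is a server SSL certificate whose SAN lists the exact host value GMU is given (an IP Address entry when `--host` is an IP, a DNS entry when it is a name), after which the second and third cases pass without the bypass.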