Layer7 API Management

  • 1.  How to find alias name for certificates in CA API Gateway?

    Posted Feb 20, 2020 08:45 AM
    Hi There,

    We are using client Certificate Authentication in CA API Gateway. 
    Can someone help on how to find the alias name for certificates?


  • 2.  RE: How to find alias name for certificates in CA API Gateway?

    Posted Feb 20, 2020 11:33 AM
    Check the docs below.
    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-3/reference/context-variables/certificate-attributes-context-variables.html


    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-3/reference/context-variables/credential-certificates-context-variables.html


  • 3.  RE: How to find alias name for certificates in CA API Gateway?

    Posted Feb 20, 2020 12:37 PM
    Edited by Pavansai C Feb 20, 2020 12:37 PM
    Logs during a Test:
    Thread Name: Test_List S
    Sample Start: 2020-02-20 19:31:12 IST
    Load time: 2422
    Connect Time: 2421
    Latency: 0
    Size in bytes: 3351
    Sent bytes:0
    Headers size in bytes: 0
    Body size in bytes: 3351
    Sample Count: 1
    Error Count: 1
    Data type ("text"|"bin"|""): text
    Response code: Non HTTP response code: javax.net.ssl.SSLException
    Response message: Non HTTP response message: java.lang.IllegalArgumentException: No certificate found for alias:'test cert'



  • 4.  RE: How to find alias name for certificates in CA API Gateway?
    Best Answer

    Posted Feb 20, 2020 02:51 PM
    Edited by Christopher Hackett Feb 21, 2020 11:55 AM
    If you have restman enabled, you can access the trustedCertificate endpoint:
    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-2/apis-and-toolkits/rest-management-api.html

    https://<gateway>:<port>/restman/1.0/trustedCertificates
    Alias here


    ------------------------------
    Pre-Sales Consultant
    CA Southern Africa
    ------------------------------



  • 5.  RE: How to find alias name for certificates in CA API Gateway?

    Broadcom Employee
    Posted Feb 21, 2020 04:36 PM
    There isn't a notion of "alias" for a trusted certificate in the Gateway. There is for a private key, but not for a certificate.

    A key alias is an internal concept - i.e. a name given to a key that only makes sense for the local system and it does not necessarily transfer to another system. When a client certificate is presented we only have the contents of the certificate to work with, which does not include anything like an "alias", so the certificate attributes won't get you an alias. They can provide the CN for the certificate's subject, plus serial number, issuer, thumbprint, etc - which is probably what you are really looking for, but I don't have any insight into your use case.

    The closest thing the Gateway has to an alias for a certificate is the Name of the certificate, which is an arbitrary and *local* concept that can be different from the subject CN. That is only available via restman and not as part of the certificate's attributes, and will only be available *if* that certificate has been loaded in the trust store, which client certificates typically are not. A client certificate is either validated as an explicit certificate in an identity provider (LDAP or IIP) or by a federation to a certificate in the trust store via a Federated Identity Provider (FIP).

    ------------------------------
    Jay MacDonald - Adoption Architect - Broadcom API Management (Layer 7)
    ------------------------------



  • 6.  RE: How to find alias name for certificates in CA API Gateway?

    Posted Feb 24, 2020 05:43 AM
    Thanks Jay Mac. The private key alias is what I am looking for. We're testing a service which has client cert authentication; while passing the p12/jks file in SoapUI we're able to get the response, whereas in JMeter we get this error:

    Response code: Non HTTP response code: javax.net.ssl.SSLException
    Response message: Non HTTP response message: java.lang.IllegalArgumentException: No certificate found for alias:'test cert'

    So, that's the reason I want to know the alias name. Is there any way to test this without passing or reading the alias to check the appropriate cert for our p12?

    The restman should be activated in order to find this. Is there any other way to do the testing? Please suggest.
    # mkdir -p /opt/SecureSpan/Gateway/node/default/etc/bootstrap/services/
    # touch /opt/SecureSpan/Gateway/node/default/etc/bootstrap/services/restman



  • 7.  RE: How to find alias name for certificates in CA API Gateway?

    Broadcom Employee
    Posted Feb 24, 2020 02:42 PM
    Something doesn't make sense here. The Gateway does not care about the private key in a client SSL authentication, so the alias is not involved there. Is that message you are seeing in the ssg logs or in the client? Do you see anything in the SSG logs at all? It looks to me like the alias issue is related to the client, not the Gateway. Please confirm.

    ------------------------------
    Jay MacDonald - Adoption Architect - Broadcom API Management (Layer 7)
    ------------------------------
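
Added example, not part of any post in this thread: since the last reply places the alias on the client side, this sketch lists the aliases actually stored in a client PKCS#12 file (Java uses each entry's `friendlyName` attribute as its alias) and checks whether the configured alias is among them. The function names, the throwaway keystore and the password `changeit` are constructed for illustration; the password is passed to `openssl` through the environment so it does not appear in the process list.

```shell
#!/bin/sh
# Added illustration; helper names and sample data are hypothetical.

# Print every alias (PKCS#12 friendlyName) found in a .p12 file.
# usage: p12_aliases <file.p12> <password>
p12_aliases() {
    P12_PASS="$2" openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null |
        sed -n 's/^ *friendlyName: //p' | sort -u
}

# Succeed only if the alias the client is configured with exists in the file.
# usage: p12_has_alias <file.p12> <password> <alias>
p12_has_alias() {
    p12_aliases "$1" "$2" | grep -Fxq -- "$3"
}

# Build a throwaway keystore (constructed sample data) whose single entry
# carries the given alias, and print its path.
# usage: make_sample_p12 <alias> <password>
make_sample_p12() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample-client" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1
    P12_PASS="$2" openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -name "$1" -passout env:P12_PASS -out "$dir/client.p12" || return 1
    echo "$dir/client.p12"
}

# Demo: the keystore holds "client-key", but the client asks for "test cert",
# which is the kind of mismatch behind "No certificate found for alias".
sample=$(make_sample_p12 "client-key" "changeit") && {
    echo "aliases in keystore:"
    p12_aliases "$sample" "changeit"
    p12_has_alias "$sample" "changeit" "test cert" ||
        echo "alias 'test cert' is not in this keystore"
}
```

For a JKS file, `keytool -list -v -keystore <file>` shows the same alias names.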