Layer7 API Management

  • 1.  Has anybody tried to import a private key or certificate using an API?

    Broadcom Employee
    Posted May 11, 2015 02:56 PM

      I'm trying to automate the deployment of the gateway into a new environment and must be able to add these objects along with the policies in order for my API Gateway instances to work correctly.  I'm on version 8.3.



  • 2.  Re: Has anybody tried to import a private key or certificate using an API?

    Posted May 13, 2015 07:49 AM

    Hi

     

    I had a play around with the RESTMAN interface at 8.3 and I believe this should enable you to import a private key.  From Policy Manager, right-click on the policy tree control and select 'Publish Internal Service'.  From this wizard, select Gateway REST Management Service, and the service is created and exposed.  You can access the documentation and download a WADL via:-

     

    https://<GatewayHostName>:<port>/<GatewayRESTRoutingURI>/1.0/doc/home.html

     

    Once you have the WADL, create a SoapUI project based upon this and you can review all the services available.  I was able to create a new key via:-

     

    POST https://myserver:8443/restman/1.0/privateKeys/00000000000000000000000000000002:christestkey

    <l7:PrivateKeyCreationContext xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">
       <l7:Dn>CN=christestkey</l7:Dn>
       <l7:Properties>
          <l7:Property key="caCapable">
             <l7:BooleanValue>true</l7:BooleanValue>
          </l7:Property>
          <l7:Property key="daysUntilExpiry">
             <l7:IntegerValue>2</l7:IntegerValue>
          </l7:Property>
          <l7:Property key="ecName">
             <l7:StringValue>secp384r1</l7:StringValue>
          </l7:Property>
          <l7:Property key="rsaKeySize">
             <l7:IntegerValue>516</l7:IntegerValue>
          </l7:Property>
          <l7:Property key="signatureHashAlgorithm">
             <l7:StringValue>SHA384</l7:StringValue>
          </l7:Property>
       </l7:Properties>
    </l7:PrivateKeyCreationContext>

     

    00000000000000000000000000000002 was the id of the key store, christestkey is the alias of the new key I was creating.  I could then export this via:-

     

    PUT https://myserver:8443/restman/1.0/privateKeys/00000000000000000000000000000002:christestkey

    <l7:PrivateKeyExportContext xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">
       <l7:Alias>christestkey</l7:Alias>
       <l7:Password>7layer</l7:Password>
    </l7:PrivateKeyExportContext>

     

    This returned:-

     

    <l7:Item xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">
       <l7:Name>00000000000000000000000000000002:christestkey Export</l7:Name>
       <l7:Id>00000000000000000000000000000002:christestkey</l7:Id>
       <l7:Type>PrivateKeyExportResult</l7:Type>
       <l7:TimeStamp>2015-05-13T12:34:20.828+01:00</l7:TimeStamp>
       <l7:Link rel="self" uri="https://clach05-ssg83.ca.com:8443/restman/1.0/privateKeys/00000000000000000000000000000002:christestkey/export"/>
       <l7:Link rel="privateKey" uri="https://clach05-ssg83.ca.com:8443/restman/1.0/privateKeys/00000000000000000000000000000002:christestkey"/>
       <l7:Resource>
          <l7:PrivateKeyExportResult>
             <l7:Pkcs12Data>[base64-encoded PKCS#12 data]</l7:Pkcs12Data>
          </l7:PrivateKeyExportResult>
       </l7:Resource>
    </l7:Item>

     

    I deleted the key from Policy Manager and, using the PKCS12Data from the last response, I then imported it via:-

     

    POST https://myserver:8443/restman/1.0/privateKeys/00000000000000000000000000000002:christestkey/import

    <l7:PrivateKeyImportContext xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">
             <l7:Pkcs12Data>MIACAQMwgAYJKoZIhvcNAQcBoIAkgASCA7YwgDCABgkqhkiG9w0BBwGggCSABIHtMIHqMIHnBgsqhkiG9w0BDAoBAqCBhzCBhDAoBgoqhkiG9w0BDAEDMBoEFDURFoseM89hTnmd7y6+iS6613X1AgIEAARY+wknKtHQKx4EHP3TLxMrjTm2qFdOv4HfNDV9kTKh5Eg0v6n+Sta7sjEGeh80tvtldyR3CLY9S7wWeNP0mXqdrJyQymUG1c0d+8z2YLNqEv3OljteJQn9kjFOMCMGCSqGSIb3DQEJFTEWBBSnlJWpTn31noq4pxzNre6OoqLGfDAnBgkqhkiG9w0BCRQxGh4YAGMAaAByAGkAcwB0AGUAcwB0AGsAZQB5AAAAAAAAMIAGCSqGSIb3DQEHBqCAMIACAQAwgAYJKoZIhvcNAQcBMCgGCiqGSIb3DQEMAQYwGgQUfubNrintFmrOiQuYlWp0JK/u5L8CAgQAoIAEggJQlxTghrRY/Kd+1IjUyKgeVMsV2mGhParLq2iOWLS6u9fdSTRdKhM2J1X+ycEffXeKp1fpTQU7NX6GOCe2LfptAt5MFQl2osnaHEVtFUDB5wRGtIKZWZex+y6d8AE7I9CuXLlQhs4jOjMDP94+0yq4fY9C6sR9AB6nizBKpwWR1jy58rzEMOxs0zLC32WF5GTOAvqeW8j8CXmQjTzWh0yeOfJ58zNpJTuaiFSrBmg2amc6T/rx8yyaPH2pqMf5E4kH6/XhJxciSUtdlsrttiQ0VsRZ05ITfUj39okXumBKrYiBK6EPIIBOh/PdYL4V4s9NYNWnmK5/SXIQs3zgHhPDt83iB3h7aXVdE728SyNE6A5CG8FhVeDX+WIMHOB7tG8OfKXLgYphmOpk3JVDgTd3fDfSUzGOcA73K9qtbHRF7HT38sE3/+v3twD0EST50NB24izJE8THyhpRRFN98bEjJCF8voKXlA9MhzO+/4fuXUdIKyXrC29YWe64qFgIF61L8hk/iC391ViFFXRh9l+qnISV/lpeHQ0206jevbh6W9ALFxqqsCx4dd2MyIVyhHU6O49Cm1mDHl5+UNWJaGi41pgSg4MFD/g2RgyzCOYAfgrBam+zfzupc007fGF4k+JV+dBTFCKQnfCeMDLoSp++RJvLR4R+iLh7ADqH6zoKAwCt7/apESd2UMRX0nEliPYTDrFchZ1cZ72nUh0QagprEYWcLPJASHUVizXWE9vGuU5+1xnXpQh3nzB1v5C2Ba3lijMAvACz2ht/aBv/GGw6rgAAAAAAAAAAAAAAAAAAAAAAADA9MCEwCQYFKw4DAhoFAAQUUNQRQv1yd8RMabOzIiwrh+H1cUEEFKHtH7uFgsYkruY4OjymMc8AU7XBAgIEAAAA</l7:Pkcs12Data>

             <l7:Alias>christestkey</l7:Alias>
             <l7:Password>7layer</l7:Password>
    </l7:PrivateKeyImportContext>

     

    Have a try and confirm if it is what you are looking for.

     

    Christopher Clark

    CA Support



  • 3.  Re: Has anybody tried to import a private key or certificate using an API?

    Posted Jun 01, 2015 12:01 PM

    Chris C,

     

    Thanks for the response. I could use a little clarity on what you wrote though. Here's what I think is happening:

     

    It sounds to me - once the REST API is created and exposed - there's only two calls you have to make, no?

     

    1. a POST to /privateKeys/00000000000000000000000000000002:christestkey to create an "empty" key
      1. I assume it's empty with no data based on the payload you posted. That accurate?
      2. It sounds like "000...0002" can be anything I choose, correct? Just something unique to the gateway? It seems a little weird that I would create the id for my key before it's created. Typically this step is a POST to /privateKeys, no? Is this just a small oddity?
      3. And "christestkey" can also be anything since it's just an alias, correct?
    2. a POST to /privateKeys/00000000000000000000000000000002:christestkey/import to actually fill the key with Pkcs12Data
      1. I assume this is where the data comes from since this is the only call I see with Pkcs12Data in the payload.
      2. This may be my own ignorance showing when it comes to SSL, but this Pkcs12Data field, what format is this expecting? .pfx? .p12? .cert? Or does it not matter?

     

    After creating/importing the key, you can get the Pkcs12Data back with:

    • A PUT to /privateKeys/00000000000000000000000000000002:christestkey.
      • I assume it's a PUT and not a GET since you have to provide a password. However, I'm not sure where this password comes from? I don't see it in the POST's payload from step 1 above.


  • 4.  Re: Has anybody tried to import a private key or certificate using an API?

    Posted Jun 01, 2015 12:34 PM

    Hello

     

    I will try and answer your questions.

     

    First off, to import a key only one API is required; in the example above I used the API gateway to create and then export a key so I had the required data to populate the payload for the final API call.  No 'empty' key needs to be created first.

     

    The 002 is the internal id of the keystore inside the gateway, so this will need to match your gateway. I suspect it will be the same value, but you can check by calling GET to /privateKeys to list the existing keys in the gateway.

     

    christestkey was the alias of the key I played around with, this can be anything. 

     

     

    Yes, POST to /privateKeys/00000000000000000000000000000002:christestkey/import is where the data comes from; this is the only API call needed to do the import.  I guess the format will be the same as inside a .p12 file but I've not tested this to confirm.

     

    Yes, once imported you can export the key via PUT to /privateKeys/00000000000000000000000000000002:christestkey.  The password is an input to this API, i.e. you are defining it here and it would be used if you import this key into another system/server. Use the GUI interface inside the Policy Manager to export a key and you will be prompted to define a password as well.

     

    Let me know if you have further questions.

     

    Christopher Clark

    CA Support
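
An added example (not written by any poster in this thread, and not CA/Broadcom code) of the single import call discussed above: it wraps the bytes of a .p12/.pfx file in the PrivateKeyImportContext body, prepares the POST without sending it, and reads Pkcs12Data back out of an export response. That Pkcs12Data is the base64 of the raw PKCS#12 bytes is an assumption the thread leaves untested, although the sample payload above does decode to a PKCS#12 header; the base URL, the Content-Type header and the constructed SAMPLE_P12 bytes are also assumptions, and gateway authentication is left out.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import quote

L7_NS = "http://ns.l7tech.com/2010/04/gateway-management"  # namespace from the thread
ET.register_namespace("l7", L7_NS)
# Constructed sample: only the first bytes of a BER-encoded PFX, not a real keystore.
SAMPLE_P12 = bytes.fromhex("308002010330") + b"\x00" * 4


def looks_like_pfx(data: bytes) -> bool:
    """True if data starts like a PKCS#12 PFX: SEQUENCE { INTEGER 3, ... }."""
    if len(data) < 5 or data[0] != 0x30:
        return False
    first = data[1]
    # Length is short form (one byte), indefinite (0x80), or long form (0x80 | n).
    header = 2 if first <= 0x80 else 2 + (first & 0x7F)
    return data[header:header + 3] == b"\x02\x01\x03"


def build_import_context(p12: bytes, alias: str, password: str) -> bytes:
    """Serialize the PrivateKeyImportContext body shown in the thread."""
    if not looks_like_pfx(p12):
        raise ValueError("input is not a PKCS#12 (.p12/.pfx) container")
    root = ET.Element(f"{{{L7_NS}}}PrivateKeyImportContext")
    ET.SubElement(root, f"{{{L7_NS}}}Pkcs12Data").text = base64.b64encode(p12).decode()
    ET.SubElement(root, f"{{{L7_NS}}}Alias").text = alias
    ET.SubElement(root, f"{{{L7_NS}}}Password").text = password  # ET escapes & and <
    return ET.tostring(root, encoding="utf-8")


def build_import_request(base, keystore_id, alias, p12, password):
    """Prepare (but do not send) POST <base>/privateKeys/<keystore>:<alias>/import."""
    url = f"{base}/privateKeys/{keystore_id}:{quote(alias, safe='')}/import"
    return urllib.request.Request(
        url, data=build_import_context(p12, alias, password), method="POST",
        headers={"Content-Type": "application/xml"})  # content type is an assumption


def extract_pkcs12(export_response: bytes) -> bytes:
    """Pull the PKCS#12 bytes out of a PrivateKeyExportResult Item."""
    node = ET.fromstring(export_response).find(f".//{{{L7_NS}}}Pkcs12Data")
    if node is None or not node.text:
        raise ValueError("response has no Pkcs12Data element")
    p12 = base64.b64decode(node.text.strip())
    if not looks_like_pfx(p12):
        raise ValueError("Pkcs12Data does not decode to a PKCS#12 container")
    return p12
```

The request body carries both the key material and the password that unlocks it, so pass the password in from a secret store or a prompt rather than keeping it next to the deployment scripts.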

     

     

     



  • 5.  Re: Has anybody tried to import a private key or certificate using an API?

    Posted Jun 16, 2016 11:58 PM

    Can you provide samples like this for certificates?