Layer7 API Management


Configuring mutual ssl

  • 1.  Configuring mutual ssl

    Posted Aug 11, 2015 02:23 AM

    I'm new to the Layer 7 gateway. Can someone please let me know how I set about configuring mutual SSL?

     

    thanks

    dev



  • 2.  Re: Configuring mutual ssl

    Broadcom Employee
    Posted Aug 11, 2015 11:31 AM
    1. You first need to import a public key, i.e. the certificate of your backend destination, into the gateway's trust store. You then need to export your gateway's certificate into your backend destination's trust store.
      1. To import the cert:
        1. Go to Tasks > Manage Certificates
        2. Click Add on the right
        3. Add via file, or via HTTP connection
      2. To export the cert:
        1. Go to Tasks > Manage Private Keys
        2. Click on the private key called "ssl" and click Properties on the right
        3. Then click View Certificate
        4. Then click Export

    2. You then need to create a user either in your Internal Identity Provider or another IDP, in which the username is the same as the certificate CN. Then attach the imported certificate to that user.
      1. Click the Identity Providers tab in the top left
      2. Right-click on the Internal Identity Provider and click Create User
      3. Make sure to make the user name the same as the destination CN on your imported certificate from the backend.
      4. Make sure to check Define Additional Properties
      5. Click Create
      6. On the next screen go to the Certificate tab, and import the same certificate you did in the first steps. Confirm the CN of this cert matches this user's name.

    3. You then need to make a listen port require client authentication. In my case I usually make 9443 require client auth.
      1. Go to Tasks > Manage Listen Ports
      2. Click on the Default HTTPS (9443) and click Properties on the right
      3. Go to the SSL/TLS Settings tab and make sure the Client Authentication dropdown says Required.

    4. In policy, drag in the "Require SSL or TLS Transport with Client Authentication" assertion. Make sure when calling this policy/endpoint you are using the port that requires client auth. Below it, drag in an "Authenticate against Internal Identity Provider" assertion, or you could use Auth against User or Group and specify the certificate user.

      Note: If going from a browser to only hit a service on the gateway, then you need to import your key pair into your browser. If going from one gateway to another, your backend gateway needs to have the Require SSL or TLS with Client Certificate Authentication assertion. If hitting a backend service, you need to configure that backend to enforce mutual SSL using the imported certificate.


  • 3.  Re: Configuring mutual ssl

    Posted Dec 01, 2017 12:30 PM

    Hi Nathan,

     

    I am trying to use mutual SSL between a client (ServiceNow) and the API GW.

    In step 1, do I need to import the ServiceNow certificate?

    In step 2, which cert should I export? The API GW cert or the client cert?

    Just to confirm, in order to add a certificate to the user, shall I add the client (ServiceNow) certificate to the user?

     

    Regards,

    Peyman Hadi



  • 4.  Re: Configuring mutual ssl

    Posted May 07, 2018 11:24 PM

    Hi Nathan,

     

    I am using a third-party application and want to enable mutual SSL (a call from a client to an API Gateway).

    Step 1) Do I need to import the third-party (client) certificate?

    Step 2) Create a user in the IDP, in which the username is the same as the third-party (client) certificate CN.

    Step 3) Click Create.

    Step 4) On the next screen go to the Certificate tab, and import the third-party (client) certificate.

    Confirm the CN of this cert matches this user's name.

     

    Can you please help me out with the steps?

     

    Thanks



  • 5.  RE: Re: Configuring mutual ssl

    Posted Nov 21, 2019 11:25 AM
    Hi,
    I have followed these steps.
    With a simple curl request passing the client certificate and calling the API with the client authentication assertion, it works (TLS goes fine and the API response is 200).
    If I try with the Firefox browser or Internet Explorer I receive the following message:

    ---
    Secure Connection Failed

    An error occurred during a connection to fqdn:7443. SSL peer cannot verify your certificate. (Error code: ssl_error_bad_cert_alert)

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the web site owners to inform them of this problem.

    --

    I have imported the PFX of the client certificate into the Firefox personal certificate store, the root CA cert into the Servers section and also into the Windows trusted certificate store.

    Also in the trust store of Layer 7 there is the .cer client certificate.

    What could be missing in the Layer 7 API service configuration?

    Thanks in advance


  • 6.  RE: Re: Configuring mutual ssl

    Broadcom Employee
    Posted Nov 24, 2019 07:13 PM
    Dear Fabio,
    When you call the gateway from the browser, did your browser pop up a list to let you choose the client certificate?
    If not, it's likely the client certificate was not sent.
    In the listen port properties of 7443 (Policy Manager -> Tasks -> Transports -> Manage Listen Ports), select the "SSL/TLS Settings" tab; for the option "Client Authentication", select "Required" to force your browser to pick a client certificate. With the default setting "Optional", your browser might or might not choose a client certificate.

    Regards,
    Mark



  • 7.  RE: Re: Configuring mutual ssl

    Posted Nov 25, 2019 03:56 AM
    Hello Zhijun,
    The problem was related to the root and intermediate certificates missing from the right path of the Windows client cert store.
    I absolutely share your suggestion, and TLS was previously configured as you indicated.

    Thanks again!



  • 9.  Re: Configuring mutual ssl

    Posted Sep 29, 2015 10:37 PM

    Can you provide more information on what you are trying to achieve?

     

    For example:

    1. Is it a call from API Gateway to another API Gateway that you want to lock down with mutual auth OR

    2. Is it a call from a client to an API Gateway that you want to lock down with mutual auth

     

    Although Nathan's response is full, you may not need to do everything suggested depending upon your need.


    Cheers



  • 10.  Re: Configuring mutual ssl

    Posted Sep 30, 2015 03:54 PM

    I am also curious about how to setup mutual auth.  Nathan's response covers Option #2 in detail, but what about Option #1?  How do you do it outbound from the gateway?



  • 11.  Re: Configuring mutual ssl

    Broadcom Employee
    Posted Sep 30, 2015 04:57 PM

    Actually doing mutual authentication gateway to gateway works the same way as I have detailed.

     

    You just need:

    • In client A's IDP/Federated IDP:
      • Client B's username as client B's domain name
      • Client B's certificate attached to client B's user
    • In client B's IDP/Federated IDP:
      • Client A's username as client A's domain name
      • Client A's certificate attached to client A's user
    • The second gateway needs to enforce SSL with mutual auth


  • 12.  Re: Configuring mutual ssl

    Posted Sep 30, 2015 05:06 PM

    So just having the certs in the internal store will cause it to use the cert for mutual auth?

     

    FYI, this isn't between two CA gateways.  This is a CA gateway outbound to a 3rd party vendor....so I have zero control or visibility to the remote side.  I am aware of the need to exchange public certs, just not aware of how to setup my gateway to send the correct certificate within the ROUTE statement.  I already have inbound Mutual working like a champ on my gateway.



  • 13.  Re: Configuring mutual ssl

    Posted Sep 30, 2015 05:11 PM

    You can configure which certificates to trust in the connection tab of the Route assertion.  From the 8.4 help documentation:

     

    To allow a subset of trusted certificates during the outbound TLS handshake, click [Trusted Server Certificates] and then select:

    • Trust all Trusted Certificates: Trust all trusted certificates presently in the Gateway trust store. For more information, see Managing Certificates.
    • Trust only the specified Trusted Certificates: Trust only the trusted certificates in the table below. Only the certificates that you define here will be trusted during the outbound TLS handshake from this routing assertion.

    Note: As with all trusted certificates, the certificates in this list will be trusted only if their settings are compatible (for example, if it has been configured to be "trusted for outbound SSL").



  • 14.  Re: Configuring mutual ssl

    Posted Oct 01, 2015 09:53 AM

    Thank you all for the information.  I will be building this out in the next day or two and will see how things go.



  • 15.  Re: Configuring mutual ssl

    Broadcom Employee
    Posted Oct 01, 2015 12:03 PM

    As Monica I think stated, but i'm not seeing it in this thread... You will also need the Authenticate via Fed. IDP or Internal IDP after the Mutual SSL assertion statement. Sorry I didn't include that in my response yesterday. (You will see the same steps in my first post)



  • 16.  Re: Configuring mutual ssl

    Posted Oct 02, 2015 01:09 PM

    I have my service built and almost ready to test, but still not understanding how to control what certificate the CA gateway will hand-off on an outbound Mutual SSL Auth connection.

     

    In my Route statement, on the "Security" tab, I have selected the "Trusted Server Certificates". But the way I am reading this one, this is the certificate to trust from the remote end, not what certificate I will use as a client certificate. So this just means that I have locked down what certificate I will accept as the server side of the connection.

     

    What client cert will my gateway present?

     

    Please remember, my CA gateway is the Client in this scenario...not the terminating SSL server.

     




  • 17.  Re: Configuring mutual ssl
    Best Answer

    Broadcom Employee
    Posted Oct 02, 2015 01:15 PM

    To select the private key the gateway will use to present a client-side certificate to a backend server it is communicating with, first make sure that the private key is installed (from Policy Manager, go to Tasks -> Manage Private Keys). Then, in your policy, right-click on the routing assertion and choose "Select Private Key".

     

    This will then allow you to define which private key to use:



  • 18.  Re: Configuring mutual ssl

    Posted Oct 02, 2015 02:28 PM

    That is exactly the detail I was looking for.  Thank you very much.