I'm new to the Layer 7 gateway. Can someone please let me know how I set about configuring Mutual SSL?
To select the private key the gateway will use to present a client-side certificate to a backend server it is communicating with, first make sure that the private key is installed (from Policy Manager, go to Tasks -> Manage Private Keys). Then, in your policy, right-click on the routing assertion and choose "Select Private Key".
This will then allow you to define which private key to use:
2. You then need to create a user either in your Internal Identity Provider or another IDP, in which the username is the same name of the certificate cn. Then attach the imported certificate to that user.
3. You then need to make a listen port require client authentication. In my case I usually make 9443 require client auth.
4. In policy, drag in the "Require SSL or TLS Transport with Client Authentication" assertion. Make sure that when calling this policy/endpoint you are using the port that requires client auth. Below it, drag in an "Authenticate against Internal Identity Provider" assertion, or you could use "Authenticate against User or Group" and specify the certificate user.
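The checks behind steps 2 to 4 above, reduced to the two things a listen port with client auth actually decides (is the presented certificate trusted for client authentication, and does its CN map to a known user), as an added example that is not from this thread or from the Layer 7 product. It uses only the openssl command line; the CA, the CNs (servicenow-client, stranger, gateway.example.com) and the one-line "identity provider" users.txt are constructed for the demo.

```shell
#!/bin/sh
# Added example: throwaway PKI plus the two checks a gateway makes on an inbound
# mutual TLS connection. Names, CNs and the user list are constructed for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Constructed "internal identity provider": one user per line; the name must equal the cert CN.
printf '%s\n' 'servicenow-client' 'other-app' > users.txt

# Root CA both sides trust (-nodes: unencrypted key, demo only).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=Demo Root CA' -keyout ca.key -out ca.pem 2>/dev/null

# issue_cert NAME CN EKU: leaf certificate signed by the CA with a single extendedKeyUsage.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    printf 'extendedKeyUsage = %s\n' "$3" > "$1.ext"
    openssl x509 -req -days 1 -in "$1.csr" -CA ca.pem -CAkey ca.key \
        -CAcreateserial -extfile "$1.ext" -out "$1.pem" 2>/dev/null
}

issue_cert gateway  gateway.example.com serverAuth   # the listen port's own certificate
issue_cert client   servicenow-client   clientAuth   # what the legitimate client presents
issue_cert stranger stranger            clientAuth   # trusted CA, but no matching user

# Self-signed certificate with the right CN but no chain to the trusted CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=servicenow-client' -keyout rogue.key -out rogue.pem 2>/dev/null

# trusted_for PURPOSE CERT: chain check plus purpose (extendedKeyUsage) check, the
# equivalent of the gateway's "trusted for ..." flags. Prints ok/fail, returns 0/1.
trusted_for() {
    if openssl verify -purpose "$1" -CAfile ca.pem "$2" >/dev/null 2>&1; then
        echo ok; return 0
    fi
    echo fail; return 1
}

# cert_cn CERT: subject CN, which the gateway matches against the username.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# authenticate CERT: "Require SSL/TLS with Client Authentication" followed by
# "Authenticate against Internal Identity Provider", as two explicit steps.
authenticate() {
    trusted_for sslclient "$1" >/dev/null || { echo "rejected: untrusted"; return 1; }
    cn=$(cert_cn "$1")
    if grep -qx -- "$cn" users.txt; then
        echo "authenticated: $cn"
    else
        echo "rejected: no user named $cn"; return 1
    fi
}

# Demo run: one accepted, one rejected on trust, one rejected on user lookup.
for c in client.pem rogue.pem stranger.pem; do
    printf '%s -> ' "$c"; authenticate "$c" || true
done
```

The rogue certificate shows why matching on CN alone is not authentication: it carries the expected CN but fails the chain check, so the identity provider lookup never runs. The gateway certificate shows the compatibility caveat from the help text: it verifies for the sslserver purpose but not for sslclient, because its extendedKeyUsage only allows serverAuth.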
I am trying to use mutual SSL between a client (ServiceNow) and the API GW.
In step 1, do I need to import the ServiceNow certificate?
In step 2, which cert should I export? The API GW cert or the client cert?
Just to confirm, in order to add a certificate to the user, shall I add the client (ServiceNow) certificate to the user?
I am using a third-party application and want to enable mutual SSL (a call from a client to an API Gateway).
Step 1) Do I need to import the third-party (client) certificate?
Step 2) Create a user in an IDP, in which the username is the same as the third-party (client) certificate CN.
Step 3) Click Create.
Step 4) On the next screen, go to the Certificate tab and import the third-party (client) certificate you did from.
Confirm the CN of this cert matches this user's name.
Can you please help me out with the steps?
Can you provide more information on what you are trying to achieve?
1. Is it a call from an API Gateway to another API Gateway that you want to lock down with mutual auth, OR
2. Is it a call from a client to an API Gateway that you want to lock down with mutual auth?
Although Nathan's response is complete, you may not need to do everything suggested, depending upon your needs.
I am also curious about how to setup mutual auth. Nathan's response covers Option #2 in detail, but what about Option #1? How do you do it outbound from the gateway?
Actually doing mutual authentication gateway to gateway works the same way as I have detailed.
You just need:
So just having the certs in the internal store will cause it to use the cert for mutual auth?
FYI, this isn't between two CA gateways. This is a CA gateway outbound to a third-party vendor, so I have zero control over or visibility into the remote side. I am aware of the need to exchange public certs, just not aware of how to set up my gateway to send the correct certificate within the ROUTE statement. I already have inbound mutual SSL working like a champ on my gateway.
You can configure which certificates to trust in the connection tab of the Route assertion. From the 8.4 help documentation:
To allow a subset of trusted certificates during the outbound TLS handshake, click [Trusted Server Certificates] and then select:
Note: As with all trusted certificates, the certificates in this list will be trusted only if their settings are compatible (for example, if it has been configured to be "trusted for outbound SSL").
Thank you all for the information. I will be building this out in the next day or two and will see how things go.
As I think Monica stated, but I'm not seeing it in this thread... You will also need the Authenticate via Fed. IDP or Internal IDP after the Mutual SSL assertion. Sorry I didn't include that in my response yesterday. (You will see the same steps in my first post.)
I have my service built and almost ready to test, but I still don't understand how to control which certificate the CA gateway will hand off on an outbound Mutual SSL Auth connection.
In my Route statement, on the "Security" tab, I have selected the "Trusted Server Certificates". But the way I am reading this one, this is the certificate to trust from the remote end, not the certificate I will use as a client certificate. So this just means that I have locked down which certificate I will accept as the server side of the connection.
What client cert will my gateway present?
Please remember, my CA gateway is the client in this scenario, not the terminating SSL server.
That is exactly the detail I was looking for. Thank you very much.