I'm new to the layer 7 gateway. can soemone please let me know how I set about configuring Mutual SSL?
thanks
dev
- You first need to import a public key, i.e. certificate of your backend destination into the gateway's trust store. You then need to export your gateway's certificate into your backend destination trust store.
- To import cert:
- Go to Tasks > Manage Certificates
- Click Add on the right
- Add via file, or via http connection
- Go to Tasks > Manage Certificates
- To export cert:
- Go to Tasks > Manage Private Keys
- Click on the Private Key called "ssl" and click Properties on the right
- Then click View Certificate
- Then Click Export
- To import cert:
2. You then need to create a user either in your Internal Identity Provider or another IDP, in which the username is the same name of the certificate cn. Then attach the imported certificate to that user.
- Click the Identity Providers tab in the top left
- Right click on the Internal Identity Provider and click Create User
- Make sure to make the user name the same name as your destination cn on your imported certificate from the backend.
- Make sure to check Define Additional Properties
- Click Create
- On the next screen go the Certificate tab, and import the same certificate you did from the first steps. Confirm the cn of this cert matches this user's name.
3. You then need to make a listen port require client authentication. In my case I usually make 9443 require client auth.
- Go to Tasks > Manage Listen Ports
- Click on the Default HTTPS (9443) and click Properties on the right
- Go the the SSL/TLS Setting tab and make sure Client Authentication dropdown says Required.
4. In policy, drag the "Require SSL or TLS Transport with Client Authentication" assertion. Make sure when calling this policy/endpoint you are using the port that requires client auth. Below it, drag in an "Authenticate against Internal Identity Provider" assertion, or could use Auth against User or Group and specify the certificate user.
- Note: If going from browser to only hit a service on the gateway, then you need to import your key pair into your browser. If going to from one gateway to another, your backend gateway needs to have the Require SSL or TLS with Client Certificate Authentication. If hitting a backend service, you need to configure that backend to enforce mutual SSL using the imported certificate.
Hi Nathan,
I am trying to use mutual between a client (ServiceNow) and API GW.
In step 1, do I need to import ServiceNow certificate?
In Step2, which cert should I export? API GW cert or Client cert?
Just to confirm, In order to add certificate to the user, Shall I add the client (ServiceNow) certificate to the user?
Regards,
Peyman Hadi
Hi Nathan,
I am using a third party application and want to enable mutual ssl (a call from a client to an API Gateway)
Step 1) Do I need to import third party(client) certificate
Step 2) Create a user either in IDP, in which the username is the same name of the third party(client) certificate cn
Step 3) Click Create
Step 4) On the next screen go the Certificate tab, and import the third party(client) certificate you did from.
Confirm the cn of this cert matches this user's name.
Can you please help me out with the steps
Thanks
- You first need to import a public key, i.e. certificate of your backend destination into the gateway's trust store. You then need to export your gateway's certificate into your backend destination trust store.
Can you provide more information on what you are trying to archive.
For example:
1. Is it a call from API Gateway to another API Gateway that you want to lock down with mutual auth OR
2. Is it a call from a client to an API Gateway that you want to lock down with mutual auth
Although Nathan's response is full, you may not need to do everything suggested depending upon your need.
CheersI am also curious about how to setup mutual auth. Nathan's response covers Option #2 in detail, but what about Option #1? How do you do it outbound from the gateway?
Actually doing mutual authentication gateway to gateway works the same way as I have detailed.
You just need:
- In client A's IDP/Federated IDP:
- Client Bs username as client B's domain name
- Client Bs certificate attatched to client B's user
- In client B's IDP/Federated IDP:
- Client As username as client A's domain name
- Client As certificate attached to client A's user
- Second Gateway needs to enforce SSL with Mutual Auth
So just having the certs in the internal store will cause it to use the cert for mutual auth?
FYI, this isn't between two CA gateways. This is a CA gateway outbound to a 3rd party vendor....so I have zero control or visibility to the remote side. I am aware of the need to exchange public certs, just not aware of how to setup my gateway to send the correct certificate within the ROUTE statement. I already have inbound Mutual working like a champ on my gateway.
You can configure which certificates to trust in the connection tab of the Route assertion. From the 8.4 help documentation:
To allow a subset of trusted certificates during the outbound TLS handshake, click [Trusted Server Certificates] and then select:
- Trust all Trusted Certificate: Trust all trusted certificates presently in the Gateway trust store. For more information, see Managing Certificates.
- Trust only the specified Trusted Certificates: Trust only the trusted certificates in the table below. Only the certificates that you define here will be trusted during the outbound TLS handshake from this routing assertion
Note: As with all trusted certificates, the certificates in this list will be trusted only if their settings are compatible (for example, if it has been configured to be "trusted for outbound SSL").
Thank you all for the information. I will be building this out in the next day or two and will see how things go.
As Monica I think stated, but i'm not seeing it in this thread... You will also need the Authenticate via Fed. IDP or Internal IDP after the Mutual SSL assertion statement. Sorry I didn't include that in my response yesterday. (You will see the same steps in my first post)
- In client A's IDP/Federated IDP:
I have my service built and almost ready to test, but still not understanding how to control what certificate the CA gateway will hand-off on an outbound Mutual SSL Auth connection.
In my Route statement, on the "Security" tab, I have selected the "Trusted Server Certificates". But how I am reading this one, is this is the certificate to trust from the remote end, not what certificate I will use a client certificate. So this just means that I have locked down what certificate I will accept as the Server side of the connection.
What client cert will my gateway present?
Please remember, my CA gateway is the Client in this scenario...not the terminating SSL server.
- 2 people found this helpful
To select the private key the gateway will use to present a client-side certificate to a backend server it is communicating with, make sure first that the private key is installed (from Policy Manager, go to Tasks->Manage Private Keys). Then, in your policy right-click on the routing assertion and choose "select Private Key"
This will then allow you to define which private key to use:
That is exactly the detail I was looking for. Thank you very much.
To select the private key the gateway will use to present a client-side certificate to a backend server it is communicating with, make sure first that the private key is installed (from Policy Manager, go to Tasks->Manage Private Keys). Then, in your policy right-click on the routing assertion and choose "select Private Key"
This will then allow you to define which private key to use: