Layer7 API Management


Policy Manager + Import Certificates?

  • 1.  Policy Manager + Import Certificates?

    Posted Nov 19, 2015 03:45 PM

    Hello,

     

    I'd like to check something with the group before I open a case...

     

    I am interested in locking down Restman for migration users.  I planned on using a certificate to do this; however, I'm running into trouble while testing this.

     

    I'm using the instructions from the wiki documentation here - Configure GMU and Gateways for Migration - CA API Gateway - 8.4 - CA Technologies Documentation

     

    I am able to get through key creation, certificate export, user creation, and user certificate association successfully.  However, when I go to test my user with the associated certificate using Policy Manager, I run into trouble.  I expect to import the exported certificate into Policy Manager.  When I add the p12 file, Policy Manager complains that it cannot read the certificate:

     

     

    Is this expected behavior?  Or do I need to do something else to get this to work?

     

    I wanted to make sure I was able to login using a certificate before I moved on to using it through GMU.

     

    Related...  To enforce login with a certificate, do I need to modify the Restman policy in any special way?  I noticed that there is a Basic Auth. assertion, do I really need that!?  The out of the box policy for Restman also has an assertion for SSL (but certificate checks are not selected).  Seems like I would need to modify it to suit my needs.  Just checking if that's safe.

     

    Policy Manager 8.4

    JDK 8

    Windows, Linux, and Mac clients

     

    Thanks!

     

    Alejandro



  • 2.  Re: Policy Manager + Import Certificates?

    Posted Nov 19, 2015 05:41 PM

    Try with a .pem or .cer or .p7b file. The p12 format may not be the correct one. And with the default Restman policy, you can use either SSL or basic authentication. I don't think there is any problem in disabling basic authentication.

     

    Regards,

    Anand



  • 3.  Re: Policy Manager + Import Certificates?

    Posted Nov 20, 2015 04:00 AM

    anand.rudran and acalbazana,

    What you need to use is the p12 file, not the certificate: the client needs to have the private key in order to sign the certificate that it will send for mutual authentication. So what you, Acalbazana, did is in theory correct, but there might be something wrong with the p12 file. You could try to export the private key again (this time using a password) and import it in the Policy Manager login prompt again.

     

    Thanks

     

    Maurizio



  • 4.  Re: Policy Manager + Import Certificates?

    Posted Nov 20, 2015 10:13 AM

    GARMA26, I am aware of that, I thought what acalbazana was trying to do is to upload the certificate corresponding to the p12 to the restman user to the identity provider.

     

    Thanks,

    Anand



  • 5.  Re: Policy Manager + Import Certificates?

    Posted Nov 20, 2015 11:54 AM


  • 6.  Re: Policy Manager + Import Certificates?

    Broadcom Employee
    Posted Nov 23, 2015 08:47 AM

    Hi acalbazana,

     

    I am facing the same issue. I am quite sure it is an 8.4v Gateway bug, because I did not reproduce the problem with my previous 8.3 Gateway, following the exact same steps.

     

    Could anyone else confirm my thoughts?

     

    Concerning RestMan authentication via SSL + certificate, do not worry, this case is implemented: I would even say it is a best practice to use gmigration users authenticated by their p12 file!

     

    Have a nice day



  • 7.  Re: Policy Manager + Import Certificates?

    Posted Nov 24, 2015 09:40 AM

    I did open a support case for this.  I'll let you know what I find.

     

    Thanks,

     

    Alejandro



  • 8.  Re: Policy Manager + Import Certificates?

    Broadcom Employee
    Posted Dec 01, 2015 03:44 AM

    Hi acalbazana,

     

    Do you have any news about this bug? Did you open a case?

     

    Thank you



  • 9.  Re: Policy Manager + Import Certificates?
    Best Answer

    Posted Dec 10, 2015 09:49 AM

    I believe this is, in fact, a defect in the product. I am not sure if the original poster is the same individual who opened up the same issue I am looking at, but we do have a development incident opened for a defect in the certificate-based authentication subsystem of the Policy Manager (SSM-5180). Specifically--a private key and PKCS#12 container created by the API Gateway cannot be imported into the Certificate Manager for client authentication to the Policy Manager. We are investigating this behavior but are only able to reproduce it when using PKCS#12 keystores created by the Gateway. You can use other tools (such as OpenSSL) to create keystores that will work for this purpose.



  • 10.  Re: Policy Manager + Import Certificates?

    Posted Jan 05, 2016 01:49 PM

    Hello,

     

    Has anyone heard of an update on this? 

     

    Could someone explain the steps using an alternate method (using Policy Manager and OpenSSL?).  I flat out cannot use Policy Manager with a user who is required to login with a keystore generated from an 8.4 Gateway.

     

    BTW - Is it me, or does it feel like the terminology in Policy Manager is a bit off here?  Instead of "client certificates", shouldn't it just be referred to as "keystore"?  I feel like I've seen a mix between "private key", "certificate", and "keystore" used in different contexts through this process.  It's probably just me though

     

    Thanks!

     

    Alejandro



  • 11.  Re: Policy Manager + Import Certificates?

    Broadcom Employee
    Posted Jan 05, 2016 02:12 PM

    Alejandro,

     

    Our development team is still investigating this behavior, as both our support and QA teams have been able to reproduce the behavior. The terminology usage is sometimes intermixed based on different people's viewpoints. A PFX or P12 file is a keystore file that contains the private, public, and typically the trust CA chain.

     

    Sincerely,

     

    Stephen Hughes

    CA Technologies
    Director, CA Support
    Toll-Free Phone: 1.800.225.5224 ext 48392

    Outside North America: 604.235.8392
    Stephen.Hughes@ca.com
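
The OpenSSL route mentioned in the Best Answer and asked about in post 10, as an added example that is not part of any post in this thread or of the CA documentation: it creates a key, a certificate and a password-protected PKCS#12, then checks that the .p12 holds a private key and the same certificate that would be associated with the Gateway user. The name `gmu-migration`, the passphrase and the use of a self-signed certificate are assumptions.

```shell
#!/bin/sh
# Added example: create a client-auth PKCS#12 with OpenSSL and check its contents.
# The name, subject and passphrase are constructed placeholders, not values from the thread.
set -eu

# Create a private key, a self-signed certificate and a password-protected .p12.
make_client_p12() {  # args: dir name password
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.cer" 2>/dev/null
  openssl pkcs12 -export -inkey "$1/$2.key" -in "$1/$2.cer" \
    -name "$2" -passout "pass:$3" -out "$1/$2.p12"
  chmod 600 "$1/$2.key" "$1/$2.p12"   # both files hold the private key
}

# SHA-256 fingerprint of the client certificate stored inside the .p12.
p12_fingerprint() {  # args: p12 password
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# SHA-256 fingerprint of a standalone certificate file (the one given to the Gateway user).
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# True when the .p12 opens with the password and contains a private key.
p12_has_key() {  # args: p12 password
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
    grep -q 'PRIVATE KEY'
}

# True when the keystore carries a key and the same certificate as the exported file.
verify_client_p12() {  # args: p12 password cert
  p12_has_key "$1" "$2" || { echo "cannot read a private key from $1" >&2; return 1; }
  [ "$(p12_fingerprint "$1" "$2")" = "$(cert_fingerprint "$3")" ] ||
    { echo "certificate in $1 differs from $3" >&2; return 1; }
}

# Demonstration run in a throwaway directory.
work=$(mktemp -d)
make_client_p12 "$work" gmu-migration 'constructed-passphrase'
verify_client_p12 "$work/gmu-migration.p12" 'constructed-passphrase' "$work/gmu-migration.cer"
echo "keystore and certificate match"
rm -rf "$work"
```

The `.cer` file is the part to associate with the user on the Gateway; the `.p12` stays with the client and is what gets imported at the Policy Manager login prompt.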



  • 12.  RE: Re: Policy Manager + Import Certificates?

    Posted Jun 11, 2019 01:04 PM
    Stephen,

    This is a way out of date discussion, but thought it might be a good place to ask.  I have a substantial list of public key certificates (~60) that I need to put into the gateways.  This is to support federal government-wide PIV authentication.  Is there any way to do this via mass import, or do I just have to do what I suspect and import them one by one?

    Thanks,
    David Dixon