Layer7 API Management

  • 1.  Need to create certs via RESTMAN API

    Posted Aug 19, 2016 03:19 AM

    Hello Everyone,

     

    I am trying to create a certificate without logging into the Policy Manager. I am hitting the RESTMAN API service https://gateway-name:8443/restman/1.0/trustedCertificates via SOAP UI. I am selecting the POST method so that I can fetch the XML code, but when I hit it, it gives me a Bad Request. Below is the sample I am sending:

     

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <l7:TrustedCertificate xmlns:l7="xyz some values i got">
        <l7:Name>NewCertName</l7:Name>
        <l7:CertificateData>
            <l7:IssuerName></l7:IssuerName>
            <l7:SubjectName></l7:SubjectName>
            <l7:Encoded></l7:Encoded>
        </l7:CertificateData>
    </l7:TrustedCertificate>

     

     

    Please let me know if I am correct or not. If not, then please suggest the correct XML code, as I am not well versed with XML.

     

    If I am correct, then please let me know how I can collect the IssuerName, SubjectName and Encoded details.

    Can we take the above details from the created certs?



  • 2.  Re: Need to create certs via RESTMAN API
    Best Answer

    Broadcom Employee
    Posted Aug 27, 2016 03:29 AM

    Pratyush,

     

    The trusted certificates resource is used to manage certificates that the gateway will trust for outbound HTTP connections, and the trusted list for inbound SSL connections when TLS version 1.1 or 1.2 is used. The resource that will create a new private key is privateKeys.

     

    Excerpt from the https://<gateway node/cluster name>:8443/restman/1.0/doc/restDoc.html#1.0/privateKeys documentation:

    Create Resource

    Creates a new private key given a PrivateKeyCreationContext. The PrivateKeyCreationContext is used to specify how the private key should be created. The PrivateKeyCreationContext dn is the domain name to create the key with. The properties are optional but you may specify:

    Key                     Type     Description
    ecName                  String   This is the Elliptic Curve key type to use. If it is not specified an RSA key type is used.
    rsaKeySize              Integer  This is the RSA key size to use. This is only applicable if an ecName is not specified. Defaults to 2048.
    daysUntilExpiry         Integer  Specify the number of days until the key expires. Defaults to 5 years.
    caCapable               Boolean  Specify if the certificate should be CA capable. Defaults to false.
    signatureHashAlgorithm  String   The algorithm used for the signature hash.

    Example request:

    <l7:PrivateKeyCreationContext xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">
        <l7:Dn>CN=srcAlias</l7:Dn>
        <l7:Properties>
            <l7:Property key="signatureHashAlgorithm">
                <l7:StringValue>SHA384</l7:StringValue>
            </l7:Property>
            <l7:Property key="rsaKeySize">
                <l7:IntegerValue>516</l7:IntegerValue>
            </l7:Property>
            <l7:Property key="ecName">
                <l7:StringValue>secp384r1</l7:StringValue>
            </l7:Property>
            <l7:Property key="daysUntilExpiry">
                <l7:IntegerValue>2</l7:IntegerValue>
            </l7:Property>
            <l7:Property key="caCapable">
                <l7:BooleanValue>true</l7:BooleanValue>
            </l7:Property>
        </l7:Properties>
    </l7:PrivateKeyCreationContext>

    This responds with a reference to the newly created private key.

    Request
    POST 1.0/privateKeys/{id}

    Path Parameters
    Param  Type    Description
    id     string  The ID of the private key to create, in the form [keystore ID]:[alias]

    Body
    This specifies how to create the private key.
    Element       l7:PrivateKeyCreationContext
    Content-Type  application/xml

    Response
    Body
    A reference to the newly created private key

    Sincerely,
    Stephen Hughes
    Director, CA Support
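    A worked example of the privateKeys call described in the reply above, added here and not part of Stephen's answer or CA's documentation: it builds the PrivateKeyCreationContext, sending rsaKeySize only when no ecName is given (the doc says rsaKeySize is ignored otherwise), and POSTs it to privateKeys/[keystore ID]:[alias]. HTTP basic auth on port 8443 and the default software keystore id 00000000000000000000000000000002 are assumptions, not taken from the thread.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET

L7 = "http://ns.l7tech.com/2010/04/gateway-management"
NS = {"l7": L7}
ET.register_namespace("l7", L7)
SOFTWARE_KEYSTORE = "00000000000000000000000000000002"  # default keystore id (assumed)

def build_private_key_context(dn, *, rsa_key_size=2048, ec_name=None,
                              days_until_expiry=None, ca_capable=False,
                              signature_hash_algorithm="SHA384"):
    """Serialize a PrivateKeyCreationContext as the doc excerpt describes."""
    root = ET.Element(f"{{{L7}}}PrivateKeyCreationContext")
    ET.SubElement(root, f"{{{L7}}}Dn").text = dn
    props = ET.SubElement(root, f"{{{L7}}}Properties")
    def prop(key, kind, value):
        p = ET.SubElement(props, f"{{{L7}}}Property", key=key)
        ET.SubElement(p, f"{{{L7}}}{kind}Value").text = value
    # rsaKeySize is ignored once an ecName is present, so send only one of them.
    if ec_name:
        prop("ecName", "String", ec_name)
    else:
        prop("rsaKeySize", "Integer", str(rsa_key_size))
    if days_until_expiry is not None:
        prop("daysUntilExpiry", "Integer", str(days_until_expiry))
    prop("caCapable", "Boolean", "true" if ca_capable else "false")
    prop("signatureHashAlgorithm", "String", signature_hash_algorithm)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)

def parse_properties(xml_bytes):
    """Read the l7:Property entries back as {key: value} to check a payload."""
    root = ET.fromstring(xml_bytes)
    return {p.get("key"): p[0].text for p in root.iterfind(".//l7:Property", NS)}

def private_key_url(gateway, alias, keystore_id=SOFTWARE_KEYSTORE):
    """The {id} path parameter is [keystore ID]:[alias]."""
    return f"https://{gateway}:8443/restman/1.0/privateKeys/{keystore_id}:{alias}"

def create_private_key(gateway, alias, user, password, **ctx):
    """POST the context (basic auth assumed); return the l7:Id of the returned l7:Item."""
    req = urllib.request.Request(private_key_url(gateway, alias), method="POST",
                                 data=build_private_key_context(**ctx))
    req.add_header("Content-Type", "application/xml")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req) as resp:
        return ET.fromstring(resp.read()).findtext("l7:Id", namespaces=NS)
```

    Call it as create_private_key("gateway-name", "srcAlias", user, password, dn="CN=srcAlias", days_until_expiry=730); the XML it sends can be inspected first with parse_properties(build_private_key_context(...)).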


  • 3.  Re: Need to create certs via RESTMAN API

    Posted Jan 22, 2018 02:47 AM

    Hi Stephen,

    I need some help regarding trusted certificate configuration using the RESTMAN client. I want to validate the CRL (certificate revocation list) for incoming requests to the gateway. I know how to do this manually using the Policy Manager but am struggling with RESTMAN. Can you please help here?

    Using the Policy Manager I am enabling certificate revocation as below.


    Thanks!

    Prashant Srivastava



  • 4.  Re: Need to create certs via RESTMAN API

    Broadcom Employee
    Posted Jan 22, 2018 11:12 AM

    Prashant,

     

    The three settings that you have outlined for the Certificate Validation Options are controlled within the Cluster Wide Properties (CWP). By default the CWP does not exist, as the gateway uses the default validate option, but once created it becomes a permanent CWP entry that must be updated with the PUT method.

     

    Sample of modifying the Certificate Validation Options:

     

    HTTP Method: POST/PUT

    URI to use: /restman/1.0/clusterProperties

    Available options for the value:
    validate
    validatepath
    revocation


    <l7:ClusterProperty xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">
    <l7:Name>pkix.validation.other</l7:Name>
    <l7:Value>revocation</l7:Value>
    </l7:ClusterProperty>

     

    <l7:ClusterProperty xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">
    <l7:Name>pkix.validation.routing</l7:Name>
    <l7:Value>revocation</l7:Value>
    </l7:ClusterProperty>

     

    <l7:ClusterProperty xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">
    <l7:Name>pkix.validation.identityProvider</l7:Name>
    <l7:Value>revocation</l7:Value>
    </l7:ClusterProperty>

     

     

     

    Sample of creating a Revocation Policy

    HTTP Method: POST/PUT

    URI to use: /restman/1.0/revocationCheckingPolicies

     

    Payload:

    <l7:RevocationCheckingPolicy xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">
    <l7:Name>CRL from URL2</l7:Name>
    <l7:DefaultPolicy>false</l7:DefaultPolicy>
    <l7:ContinueOnServerUnavailable>false</l7:ContinueOnServerUnavailable>
    <l7:DefaultSuccess>false</l7:DefaultSuccess>
    <l7:RevocationCheckItems>
    <l7:Type>CRL from URL</l7:Type>
    <l7:Url>http://crl.ca.com</l7:Url>
    <l7:AllowIssuerSignature>true</l7:AllowIssuerSignature>
    <l7:TrustedSigners>69e22f4c815a7c4aa5910ecfbbdc4dd9</l7:TrustedSigners>
    </l7:RevocationCheckItems>
    </l7:RevocationCheckingPolicy>

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support
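    A create-or-update helper for the pkix.validation.* properties described in the reply above, added here and not part of Stephen's answer: it lists /restman/1.0/clusterProperties, then POSTs a new ClusterProperty if the CWP does not exist yet or PUTs to the existing entry's id if it does, and refuses any value other than validate, validatepath and revocation. HTTP basic auth, the l7:Item/l7:Name/l7:Id shape of the listing and the id attribute on the updated entity are assumptions; the sample listing is constructed.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET

L7 = "http://ns.l7tech.com/2010/04/gateway-management"
NS = {"l7": L7}
ET.register_namespace("l7", L7)
PKIX_PROPERTIES = ("pkix.validation.other", "pkix.validation.routing",
                   "pkix.validation.identityProvider")
ALLOWED_VALUES = ("validate", "validatepath", "revocation")
# Constructed sample of a GET /clusterProperties listing: one CWP already exists.
SAMPLE_LISTING = (b'<l7:List xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">'
                  b'<l7:Item><l7:Name>pkix.validation.other</l7:Name>'
                  b'<l7:Id>0000000000000000ffffffffffffff0a</l7:Id></l7:Item></l7:List>')

def build_cluster_property(name, value, prop_id=None):
    """Serialize an l7:ClusterProperty; reject values the gateway does not know."""
    if value not in ALLOWED_VALUES:
        raise ValueError(f"{name}: {value!r} is not one of {ALLOWED_VALUES}")
    attrs = {"id": prop_id} if prop_id else {}  # entity id on update (assumed)
    root = ET.Element(f"{{{L7}}}ClusterProperty", attrs)
    ET.SubElement(root, f"{{{L7}}}Name").text = name
    ET.SubElement(root, f"{{{L7}}}Value").text = value
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)

def existing_ids(list_xml):
    """Map Name -> Id for every l7:Item in a clusterProperties listing."""
    root = ET.fromstring(list_xml)
    return {i.findtext("l7:Name", namespaces=NS): i.findtext("l7:Id", namespaces=NS)
            for i in root.iterfind(".//l7:Item", NS)}

def plan_request(name, value, list_xml, base="/restman/1.0/clusterProperties"):
    """Return (method, path, body): PUT on the existing entry, else POST a new one."""
    prop_id = existing_ids(list_xml).get(name)
    if prop_id:
        return "PUT", f"{base}/{prop_id}", build_cluster_property(name, value, prop_id)
    return "POST", base, build_cluster_property(name, value)

def set_revocation_checking(gateway, user, password, value="revocation"):
    """Apply `value` to all three pkix.validation.* CWPs (HTTP basic auth assumed)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    hdrs = {"Authorization": f"Basic {token}", "Content-Type": "application/xml"}
    root = f"https://{gateway}:8443"
    req = urllib.request.Request(root + "/restman/1.0/clusterProperties", headers=hdrs)
    with urllib.request.urlopen(req) as resp:
        listing = resp.read()
    for name in PKIX_PROPERTIES:
        method, path, body = plan_request(name, value, listing)
        urllib.request.urlopen(urllib.request.Request(
            root + path, data=body, headers=hdrs, method=method)).close()
```

    plan_request(...) can be run against a saved listing to see which method and path each property will get before anything is changed on the gateway.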



  • 5.  Re: Need to create certs via RESTMAN API

    Posted Jan 23, 2018 01:47 AM

    Thank you Stephen for providing the detailed steps!!

    I have created the cluster-wide properties pkix.validation.other, pkix.validation.routing and pkix.validation.identityProvider to control revocation checking for identity provider, routing and other.

    Now I have set all three attribute values to revocation using RESTMAN.

    But it is now failing for all valid certificates as well. I have verified that all certs are present in Manage Certificates, and that their properties "signing client cert" and "trust anchor" are already selected.

    Error message:

    2018-01-23T07:35:49.644+0100 INFO 772 com.l7tech.server.policy.assertion.ServerSslAssertion: 4114: Found client certificate for CN=******S***** CA 1, OU=** 017, OU=CA, O=***, C=XX
    2018-01-23T07:35:49.644+0100 WARNING 772 com.l7tech.server.identity.fed.FederatedIdentityProviderImpl: 2034: Unable to build path for Certificate CN=Prashant SrivastavaOU=people, OU=CA, O=***, C=XX: unable to find valid certification path to requested target; related error(s) [Revocation check failed for certificate 'CN=Prashant Srivastava (XX), OU=people, OU=XX, O=XX, C=XX.]

     

    Thanks!

    Prashant Srivastava



  • 6.  Re: Need to create certs via RESTMAN API

    Broadcom Employee
    Posted Jan 23, 2018 10:33 AM

    Prashant,

     

    This was another Community post that could help. How to validate user certificate using a CRL? 

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support



  • 7.  Re: Need to create certs via RESTMAN API

    Posted Jan 23, 2018 11:25 AM

    Thank you for your help Stephen!!

    I have gone through the provided community link; the user said their issue was resolved after raising a case with CA Support, but there is no more info there. Please help.