Layer7 API Management

  • 1.  How do I limit policy access by client certificate?

    Posted Sep 27, 2016 03:44 PM

    I would like to create a policy that requires the request to contain a particular client certificate.

    I created a policy containing an assertion "Require SSL or TLS Transport with Client Certificate Authentication".  When we send a request without a certificate, the request is rejected.  It works fine with a valid certificate.  However, it appears that any valid certificate is accepted.  I would like to limit which certificates are accepted.  Ideally I would do this in the Require SSL assertion.

    Lacking the ability to limit the request to particular certificates, I tried to examine the certificate and match on attributes such as subject.CN.  I added an assertion "Extract Attributes from Certificate".  However, this assertion always evaluates to false.  I cannot examine the certificate even though I can only reach the assertion if the request contains a certificate.

    Any suggestions on why "Extract Attributes from Certificate" always evaluates to false?

    Is there a different approach to limiting access to a policy by certificate?



  • 2.  Re: How do I limit policy access by client certificate?

    Posted Sep 27, 2016 04:20 PM

    Hello

    As you have found out, the assertion "Require SSL or TLS Transport with Client Certificate Authentication" will only check for a certificate.  You need to combine this with more policy logic to authenticate and/or authorise it.  For example, the 'Authenticate Against Identity Provider' assertion can be placed afterwards, and you can match the cert to one stored against a user in an identity provider.

    There are a number of other options depending on what you are authenticating against.

    Regards

    Christopher Clark

    CA Support



  • 3.  Re: How do I limit policy access by client certificate?

    Posted Sep 27, 2016 05:40 PM

    Christopher,

    Thanks for the very quick response.  The scenario we would like to implement is that a request will contain a client certificate.  We do not need to require the user to log in.  You stated, "You need to combine this with more policy logic to authenticate and or authorise it."  I am looking for a mechanism to authenticate the certificate.  I thought that either of the assertions "Extract Attributes from Certificate" or "Look Up Trusted Certificate by Name" would do the trick.  However, both of those assertions always fail.  Any additional ideas?



  • 4.  Re: How do I limit policy access by client certificate?
    Best Answer

    Posted Sep 27, 2016 05:42 PM

    Figured it out.  Needed to create a user on the internal identity provider with the same name as the certificate CN.



  • 5.  Re: How do I limit policy access by client certificate?

    Broadcom Employee
    Posted Sep 27, 2016 05:53 PM

    Jeffrey,

    The other option is to create a Federated Identity Provider with a user as well, combined with the Authenticate Against Identity Provider or Authenticate User or Group assertion.

    Sincerely,

    Stephen Hughes

    Director, CA Support



  • 6.  Re: How do I limit policy access by client certificate?

    Posted Apr 05, 2018 10:12 PM

    Do we have any documentation on how to create a user on the internal identity provider with the same name as the certificate CN?

    And how to create the certs, private keys, and sign them?
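Post 6 asks how to create the certificates and keys and sign them. The script below is an added example, not from this thread or from CA/Broadcom: it uses openssl to mint a throwaway test CA and a client certificate whose CN is the user name that the best answer says must exist in the internal identity provider, then verifies the chain and reads that CN back, which is the value the gateway matches against the user. The CN value, file names and one-day validity are constructed for the example.

```shell
#!/bin/sh
# Added example: build a test CA and a client cert with a chosen CN, then check it.
set -eu

# Scratch directory for the generated key material (constructed for this example).
WORK="${WORK:-$(mktemp -d)}"

# Create a throwaway CA and a client certificate signed by it.
# $1 = CN for the client cert; this must equal the identity-provider user name.
make_client_cert() {
  cn="$1"
  # Self-signed CA key and certificate (test-only, one day validity).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "/CN=Test CA" >/dev/null 2>&1
  # Client private key and CSR carrying the CN the gateway will look for.
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" -subj "/CN=$cn" >/dev/null 2>&1
  # Sign the CSR with the CA to produce the client certificate.
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/client.crt" >/dev/null 2>&1
}

# Print the CN from the client certificate's subject (RFC 2253 form: CN=value,...).
cert_cn() {
  openssl x509 -in "$WORK/client.crt" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//; s/.*CN=\([^,]*\).*/\1/'
}

# Succeed only if the chain verifies against the CA and the CN equals the expected user.
# This mirrors what the policy needs: a trusted cert AND a CN that maps to a known user.
check_client_cert() {
  expected="$1"
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/client.crt" >/dev/null 2>&1 || return 1
  [ "$(cert_cn)" = "$expected" ]
}

# Example usage: mint a cert for user "api-client" and check it.
make_client_cert "api-client"
check_client_cert "api-client" && echo "CN $(cert_cn) accepted"
```

The resulting `ca.crt` is what you would import as a trusted certificate on the gateway, and the CN printed by `cert_cn` is the user name to create in the identity provider.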