Layer7 API Management

  • 1.  Import private key through REST API

    Posted Dec 23, 2016 06:12 AM

    Hi 

    When I try to import a private key through the REST API of Layer7

     

    <l7:PrivateKeyImportContext xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">
    <l7:Pkcs12Data>MII...</l7:Pkcs12Data>
    <l7:Password>myPassword</l7:Password>
    </l7:PrivateKeyImportContext>

     

    I get the following error message in the audit log: 

    <l7:Error xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">
    <l7:Type>ResourceAccess</l7:Type>
    <l7:TimeStamp>2016-12-23T11:07:11.152+01:00</l7:TimeStamp>
    <l7:Link rel="self" uri="https://entx02.visana.ch:8443/restman/1.0/privateKeys/00000000000000000000000000000002:f5-l7-ssl/import"/>
    <l7:Detail>Unable to read KeyStore: org.bouncycastle.asn1.DERSequence cannot be cast to org.bouncycastle.asn1.DERInteger. Caused by: org.bouncycastle.asn1.DERSequence cannot be cast to org.bouncycastle.asn1.DERInteger</l7:Detail>
    </l7:Error>

     

    Can someone give me a hint what is going wrong here?

     

    Thanks

    Stephan



  • 2.  Re: Import private key through REST API

    Broadcom Employee
    Posted Dec 23, 2016 11:23 AM

    Stephan,

     

    Good evening. Would you be able to provide the following information to help isolate the problem?

     

    1) URI used to post the payload you outlined above

    2) How was the private keystore generated?

    3) Does the keystore contain both the private and public keys?

    4) What version of Gateway are you using?

     

    I've tried using a version 9.1 gateway with the URL https://<gateway FQDN>:8443/restman/1.0/privateKeys/00000000000000000000000000000002:<name of alias to be created>/import and the import worked fine.

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support



  • 3.  Re: Import private key through REST API

    Posted Dec 23, 2016 11:44 AM

    Hi Stephen

     

    1) Same as you mentioned (/restman/1.0/privateKeys/00000000000000000000000000000002:<alias>/import)

    2) I ran GET /restman/1.0/privateKeys on another gateway (version 8.3) and simply copied the content of the element "Encoded" over to the element Pkcs12Data of PrivateKeyImportContext

    3) No idea (because of answer 2)

    4) Version 9.1

     

    Or is this just a version problem, since I copy the data from an 8.3 gateway?

     

    Thanks

    Stephan



  • 4.  Re: Import private key through REST API
    Best Answer

    Broadcom Employee
    Posted Dec 23, 2016 01:05 PM

    Stephan,

     

    Okay, I've figured out where the problem is. The movement between versions is fine; I have just tested it. The problem is that by using the value from the /restman/1.0/privateKeys output, which may look like the one below, you are only seeing the public certificate, not the whole private key.

    .....<l7:Error xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">
       <l7:Type>ResourceAccess</l7:Type>
       <l7:TimeStamp>2016-12-23T09:49:24.625-08:00</l7:TimeStamp>
       <l7:Link rel="self" uri="https://hugst05-ssg91.ca.com:9443/restman/1.0/privateKeys/00000000000000000000000000000002:vis/import"/>
       <l7:Detail>Unable to read KeyStore: org.bouncycastle.asn1.DERSequence cannot be cast to org.bouncycastle.asn1.DERInteger. Caused by: org.bouncycastle.asn1.DERSequence cannot be cast to org.bouncycastle.asn1.DERInteger</l7:Detail>
    </l7:Error>

    .....

    So I can duplicate the error that you saw if you use the certificate data from the /restman/1.0/privateKeys output:
    <l7:Error xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">
       <l7:Type>ResourceAccess</l7:Type>
       <l7:TimeStamp>2016-12-23T09:49:24.625-08:00</l7:TimeStamp>
       <l7:Link rel="self" uri="https://hugst05-ssg91.ca.com:9443/restman/1.0/privateKeys/00000000000000000000000000000002:vis/import"/>
       <l7:Detail>Unable to read KeyStore: org.bouncycastle.asn1.DERSequence cannot be cast to org.bouncycastle.asn1.DERInteger. Caused by: org.bouncycastle.asn1.DERSequence cannot be cast to org.bouncycastle.asn1.DERInteger</l7:Detail>
    </l7:Error>

    /restman/1.0/privateKeys/00000000000000000000000000000002:vis/export

     

    To do this so that both the private and public keys are pulled, you need to do the following:

    1) Inbound Request

    URI = /restman/1.0/privateKeys/00000000000000000000000000000002:vis/export

    HTTP Method = PUT

    Request message:

    <l7:PrivateKeyExportContext xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">
            <l7:Password>7layer]</l7:Password>
    </l7:PrivateKeyExportContext>

     

    2) Extract the Pkcs12Data element from the response:
    <l7:Item xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">
       <l7:Name>00000000000000000000000000000002:vis Export</l7:Name>
       <l7:Id>00000000000000000000000000000002:vis</l7:Id>
       <l7:Type>PrivateKeyExportResult</l7:Type>
       <l7:TimeStamp>2016-12-23T09:43:26.440-08:00</l7:TimeStamp>
       <l7:Link rel="self" uri="https://hugst05-ssg83.ca.com:9443/restman/1.0/privateKeys/00000000000000000000000000000002:vis/export"/>
       <l7:Link rel="privateKey" uri="https://hugst05-ssg83.ca.com:9443/restman/1.0/privateKeys/00000000000000000000000000000002:vis"/>
       <l7:Resource>
          <l7:PrivateKeyExportResult>
             <l7:Pkcs12Data>...</l7:Pkcs12Data>
          </l7:PrivateKeyExportResult>
       </l7:Resource>
    </l7:Item>

    3) Import the private key using the following:

    URI = /restman/1.0/privateKeys/00000000000000000000000000000002:vis/import

    HTTP Method = POST

    Request message:

    <l7:PrivateKeyImportContext xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">
        <l7:Pkcs12Data>...</l7:Pkcs12Data>
        <l7:Password>7layer]</l7:Password>
    </l7:PrivateKeyImportContext>

     

    If you use the wrong password for the export in the import statement you will see:
    <l7:Error xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">
       <l7:Type>ResourceAccess</l7:Type>
       <l7:TimeStamp>2016-12-23T09:47:25.400-08:00</l7:TimeStamp>
       <l7:Link rel="self" uri="https://hugst05-ssg91.ca.com:9443/restman/1.0/privateKeys/00000000000000000000000000000002:vis/import"/>
       <l7:Detail>PKCS12 key store mac invalid - wrong password or corrupted file.</l7:Detail>
    </l7:Error>

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support
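
    A small pre-flight check for the export/import procedure above, added here as an example and not code from this thread or from the gateway product. Before a blob is posted to the import endpoint, it distinguishes a PKCS#12 structure (outer SEQUENCE whose first element is the INTEGER version, which is what the gateway's PKCS#12 reader expects) from a bare X.509 certificate (outer SEQUENCE whose first element is the tbsCertificate SEQUENCE), which is the shape of the "Encoded" value and the reason for the "DERSequence cannot be cast to DERInteger" error. It also builds the PrivateKeyExportContext and PrivateKeyImportContext bodies with the l7 namespace used in the thread and pulls Pkcs12Data out of an export response. The DER samples and the export response are constructed for the example; the HTTP calls themselves (PUT .../export, POST .../import) are left to whatever client you use, and the password is read from an environment variable instead of being written into the request source.

```python
import base64
import os
import xml.etree.ElementTree as ET

# Namespace from the request/response bodies in this thread.
L7_NS = "http://ns.l7tech.com/2010/04/gateway-management"
ET.register_namespace("l7", L7_NS)


def _der_tlv(data, pos=0):
    """Parse one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag = data[pos]
    first = data[pos + 1]
    if first < 0x80:                       # short-form length
        length, hdr = first, 2
    else:                                  # long-form length: 0x8N + N length bytes
        n = first & 0x7F
        length = int.from_bytes(data[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    start = pos + hdr
    return tag, start, start + length


def classify_keystore_blob(b64):
    """Return 'pkcs12', 'x509-certificate' or 'unknown' for a base64 DER blob.

    PKCS#12 PFX  = SEQUENCE { INTEGER version, SEQUENCE authSafe, ... }
    Certificate  = SEQUENCE { SEQUENCE tbsCertificate, ... }
    A PKCS#12 reader that expects the INTEGER and finds a SEQUENCE fails with
    exactly the cast error seen in the audit log above.
    """
    try:
        der = base64.b64decode(b64, validate=True)
        tag, start, _ = _der_tlv(der)
        if tag != 0x30:                    # not even an outer SEQUENCE
            return "unknown"
        inner_tag, _, _ = _der_tlv(der, start)
    except (ValueError, IndexError):       # bad base64 or truncated DER
        return "unknown"
    if inner_tag == 0x02:
        return "pkcs12"
    if inner_tag == 0x30:
        return "x509-certificate"
    return "unknown"


def export_request(password):
    """Body for PUT .../privateKeys/<id>:<alias>/export."""
    root = ET.Element(f"{{{L7_NS}}}PrivateKeyExportContext")
    ET.SubElement(root, f"{{{L7_NS}}}Password").text = password
    return ET.tostring(root, encoding="unicode")


def pkcs12_from_export_response(xml_text):
    """Extract the Pkcs12Data text from a PrivateKeyExportResult Item."""
    el = ET.fromstring(xml_text).find(f".//{{{L7_NS}}}Pkcs12Data")
    if el is None or not el.text:
        raise ValueError("no Pkcs12Data element in export response")
    return el.text.strip()


def import_request(pkcs12_b64, password):
    """Body for POST .../privateKeys/<id>:<alias>/import; refuses non-PKCS#12 input."""
    kind = classify_keystore_blob(pkcs12_b64)
    if kind != "pkcs12":
        raise ValueError(f"refusing to build import body: blob looks like {kind}, not PKCS#12")
    root = ET.Element(f"{{{L7_NS}}}PrivateKeyImportContext")
    ET.SubElement(root, f"{{{L7_NS}}}Pkcs12Data").text = pkcs12_b64
    ET.SubElement(root, f"{{{L7_NS}}}Password").text = password
    return ET.tostring(root, encoding="unicode")


# Constructed minimal DER samples (not real keys or certificates):
#   SEQUENCE { INTEGER 3, SEQUENCE {} }   -> PKCS#12-shaped
#   SEQUENCE { SEQUENCE {}, SEQUENCE {} } -> X.509-certificate-shaped
SAMPLE_PKCS12_B64 = base64.b64encode(bytes.fromhex("30050201033000")).decode()
SAMPLE_CERT_B64 = base64.b64encode(bytes.fromhex("300430003000")).decode()

# Constructed export response, following the Item layout shown in the thread.
SAMPLE_EXPORT_RESPONSE = f"""<l7:Item xmlns:l7="{L7_NS}">
   <l7:Type>PrivateKeyExportResult</l7:Type>
   <l7:Resource>
      <l7:PrivateKeyExportResult>
         <l7:Pkcs12Data>{SAMPLE_PKCS12_B64}</l7:Pkcs12Data>
      </l7:PrivateKeyExportResult>
   </l7:Resource>
</l7:Item>"""

if __name__ == "__main__":
    # Hypothetical environment variable; never hard-code the export password.
    password = os.environ.get("L7_EXPORT_PASSWORD", "changeme")
    print(export_request(password))
    blob = pkcs12_from_export_response(SAMPLE_EXPORT_RESPONSE)
    print(classify_keystore_blob(blob), classify_keystore_blob(SAMPLE_CERT_B64))
    print(import_request(blob, password))
```

    The exported Pkcs12Data contains the private key, so treat the response, any file you save it to, and the password with the same care as the key itself; the check above only prevents the wrong object from being posted, it does nothing to protect the right one.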



  • 5.  Re: Import private key through REST API

    Posted Dec 27, 2016 03:52 AM

    Hi Stephen

     

    Excellent answer, thank you very much!

     

    Regards

    Stephan