Layer7 API Management

Hi all,

Is it possible to create a policy that restricts access to a web service *either* based on the client's IP address *or* based on client certificates? I'm not fully familiar with the TLS handshake details, but my guess is that such a requirement cannot be implemented in a single policy. While reasoning about this question, I also wondered...

• at which point exactly the policy "decides" to request a client certificate from the client. Is it correct that the decision to require a client certificate must be made before the TLS handshake takes place, so right from the start, before the first policy assertion is processed or even the Require SSL or TLS Transport assertion is processed?
• Supposed that this is true, does it matter anyway where the Require SSL or TLS Transport assertion is placed in the policy?
• Is there an alternative solution than building two different services, one that restricts access solely based on client IPs and a second one that does so based on (mandatory) client certificates?

Thanks in advance.

Kind regards, Christof

Hi Christof-

This can be achieved in a single policy using a branching folder in your policy logic.  I have attached a sample policy in xml below.

-{Folder} At Least One Must Be True

   * Assertion: Require SSL with Client Certificate Authentication

   <OR>

   *Assertion: Allow Access to IP Address Range [198.176.1.0/24]

Composing Policy Logic - CA API Gateway - 9.2 - CA Technologies Documentation 

Best practice tips: Optimize the order of assertions in your policy. Since policy execution for a branch halts upon failure, put your "cheapest" or most "lightweight" assertions earlier in your policy. For example: If SSL is always required, check for it early on in your policy. Checking for SSL is very fast and it quickly discards attack attempt with non-SSL messages.

"Quick" assertions are those that simply check for the existence of certain data; examples include:

• Require SSL or TLS Transport Assertion checks whether SSL is present
• Require HTTP Basic Credential Assertion checks for basic HTTP authentication
• Require Timestamp Assertion ensures that there is a timestamp in the target message

---  SAMPLE POLICY XML ---

<?xml version="1.0" encoding="UTF-8"?>

<exp:Export Version="3.0"

    xmlns:L7p="http://www.layer7tech.com/ws/policy"

    xmlns:exp="http://www.layer7tech.com/ws/policy/export" xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy">

    <exp:References/>

    <wsp:Policy xmlns:L7p="http://www.layer7tech.com/ws/policy" xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy">

        <wsp:All wsp:Usage="Required">

            <wsp:OneOrMore wsp:Usage="Required">

                <L7p:SslAssertion>

                    <L7p:RequireClientAuthentication booleanValue="true"/>

                </L7p:SslAssertion>

                <L7p:RemoteIpAddressRange/>

                <L7p:assertionComment>

                    <L7p:Properties mapValue="included">

                        <L7p:entry>

                            <L7p:key stringValue="LEFT.COMMENT"/>

                            <L7p:value stringValue="Branch for SSL or IP"/>

                        </L7p:entry>

                    </L7p:Properties>

                </L7p:assertionComment>

            </wsp:OneOrMore>

        </wsp:All>

    </wsp:Policy>

</exp:Export>

Hi,

Thank you for your response. That was exactly the construct that we tried first. In the mean time we found out that the customer in fact didn't provide a client certificate with the request. The policy now works as desired.