Layer7 API Management

  • 1.  RESTMAN privateKeys import

    Posted Apr 21, 2017 10:56 AM

    Hi,

     

    We're trying to automatically import privateKeys on our appliances through RESTman.

    privateKeys/{id}/import doesn't seem to work in the following situations:

    1) we already have a private key with id "00000000000000000000000000000002:apisbox1-eu", import fails with error msg: java.security.KeyStoreException: Keystore already contains an entry with the alias 'apisbox1-eu'. Caused by: Keystore already contains an entry with the alias 'apisbox1-eu'.

    Sounds reasonable.

    2) Now let's remove this entry and import a new one with privateKeys. We then get:

    Resource not found 00000000000000000000000000000002:apisbox1-eu

     

    What's puzzling is that we can indeed import a pfx file through Policy Manager (after removing existing one).

     

    What are we doing wrong here?



  • 2.  Re: RESTMAN privateKeys import

    Posted Apr 21, 2017 11:56 AM

    privateKeys/{id}/import is used to update a key that already exists. When you say you 'remove' the entry, I'm assuming you are deleting the key from the keystore through the Policy Manager (or possibly doing a delete through restman). Either way, the key is no longer in the keystore, so you cannot import anything to it. You would now need to use the 'Create Resource' function of restman and POST to privateKeys/{id}.



  • 3.  Re: RESTMAN privateKeys import

    Posted Apr 21, 2017 12:08 PM

    privateKeys/{id}/import is used to update a key that already exists.

    Yes, that's what we're trying with option 1). Doesn't work.

    java.security.KeyStoreException: Keystore already contains an entry with the alias 'apisbox1-eu'. Caused by: Keystore already contains an entry with the alias 'apisbox1-eu'.

     

    Request:

    /usr/bin/curl -k -X POST -H 'Accept: application/xml' -H 'Content-Type: application/xml' -u 'the_user:the_password' --cacert /etc/pki/tls/private/CA_chain.pem https://apisbox1-eu.sanofi.com:7443/restman/1.0/privateKeys/00000000000000000000000000000002:apisbox1-eu/import -d @/var/tmp/importPrivateKey39251.xml

     

    Request data in /var/tmp/importPrivateKey39251.xml:

    <l7:PrivateKeyImportContext xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">
    <l7:Pkcs12Data>MIIS2Q.......</l7:Pkcs12Data>
    <l7:Password>the_password</l7:Password>
    </l7:PrivateKeyImportContext>



  • 4.  Re: RESTMAN privateKeys import

    Broadcom Employee
    Posted May 04, 2017 12:03 AM

    Good evening,

     

    I've been testing this out and found that the POST for import can only be used to import new Private keys into the gateway but does not provide the functionality to do an in place change. This will need to be an addition to the product so please log an idea for this.

     

    I have tested your other flow where the key is deleted and re-imported. I was able to get this to work successfully on a 9.1 Gateway by doing

    DELETE https://hugst05-ssg91.ca.com:8443/restman/1.0/privateKeys/00000000000000000000000000000002:foo

    then

    POST https://hugst05-ssg91.ca.com:8443/restman/1.0/privateKeys/00000000000000000000000000000002:foo/import

     

    <l7:PrivateKeyImportContext xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">
        <l7:Pkcs12Data>MIACAQM...IEAAAA</l7:Pkcs12Data>
        <l7:Password>password</l7:Password>
    </l7:PrivateKeyImportContext>

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support
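    The delete-then-import flow above, as an added example that is not part of the original thread and not Layer7's own tooling: it builds the l7:PrivateKeyImportContext body from the raw PKCS#12 bytes and sends the DELETE and the POST to .../import with a pinned CA bundle rather than curl -k. The base URL, credentials and CA bundle path are assumptions, and so is treating a 404 on the DELETE as "no existing entry to remove".

```python
import base64
import ssl
import urllib.error
import urllib.request
from xml.etree import ElementTree as ET

L7_NS = "http://ns.l7tech.com/2010/04/gateway-management"
ET.register_namespace("l7", L7_NS)  # keep the l7: prefix the gateway expects


def key_urls(base_url, keystore_id, alias):
    """Resource URL for the DELETE, and the .../import URL for the follow-up POST."""
    resource = f"{base_url}/restman/1.0/privateKeys/{keystore_id}:{alias}"
    return resource, resource + "/import"


def build_import_context(pkcs12_bytes, password):
    """l7:PrivateKeyImportContext body: the raw .pfx/.p12 bytes go in as base64 Pkcs12Data."""
    root = ET.Element(f"{{{L7_NS}}}PrivateKeyImportContext")
    ET.SubElement(root, f"{{{L7_NS}}}Pkcs12Data").text = base64.b64encode(pkcs12_bytes).decode("ascii")
    ET.SubElement(root, f"{{{L7_NS}}}Password").text = password
    return ET.tostring(root, encoding="unicode")


def parse_import_context(xml_text):
    """Inverse of build_import_context, useful for checking a hand-written payload file."""
    root = ET.fromstring(xml_text)
    data = root.findtext(f"{{{L7_NS}}}Pkcs12Data")
    return base64.b64decode(data), root.findtext(f"{{{L7_NS}}}Password")


def replace_key(base_url, keystore_id, alias, pkcs12_bytes, password, user, user_pw, ca_bundle):
    """DELETE the existing entry, then POST the import context (the 9.1 flow from the post)."""
    resource, import_url = key_urls(base_url, keystore_id, alias)
    ctx = ssl.create_default_context(cafile=ca_bundle)  # trust the gateway CA; no curl -k
    opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
    auth = "Basic " + base64.b64encode(f"{user}:{user_pw}".encode()).decode("ascii")
    headers = {"Authorization": auth, "Accept": "application/xml", "Content-Type": "application/xml"}
    body = build_import_context(pkcs12_bytes, password).encode("utf-8")
    for method, url, data in (("DELETE", resource, None), ("POST", import_url, body)):
        req = urllib.request.Request(url, data=data, method=method, headers=headers)
        try:
            with opener.open(req, timeout=30) as resp:
                print(method, url, resp.status)
        except urllib.error.HTTPError as err:
            if method == "DELETE" and err.code == 404:  # assumed: nothing to delete on first run
                print("DELETE", url, "404 (no existing entry)")
                continue
            raise
```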



  • 5.  Re: RESTMAN privateKeys import
    Best Answer

    Posted May 09, 2017 11:45 AM

    I was successfully able to update a certificate chain using restman for a Private Key that already existed in my gateway. Apologies, I was incorrect in my previous post by including 'import' in the uri. Please also note that you need to do a PUT to update an existing key, in contrast to doing a POST to import a new one. Here is what I had to do:

     

    1) Export the existing Private Keys by doing a GET on:
    https://petwi04-ssg920-1:8443/restman/1.0/privateKeys

     

    2) Extract the XML within the <l7:PrivateKey> tag for the Private Key that you want to modify ("democlient" in my example).

     

    3) Add the xmlns reference to the first line of the XML. Mine looked like this:

    <l7:PrivateKey alias="democlient" keystoreId="00000000000000000000000000000002" id="00000000000000000000000000000002:democlient" xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">

     

    4) Modify the XML to reflect the change you want to make. I removed a certificate from the certificate chain by editing out everything (including the tags) from one of the <l7:CertificateData></l7:CertificateData> entries.

     

    5) Do a PUT to the '1.0/privateKeys/{id}' uri using the modified XML as the payload. This is the full URL I used:

    https://petwi04-ssg840-1.ca.com:8443/restman/1.0/privateKeys/00000000000000000000000000000002:democlient

    The end result here was that the certificate I manually edited out of the XML for this Private Key was removed from the Certificate Chain when I viewed the Private Key in the Policy Manager.
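    Steps 1 to 5 above, as an added example that is not from the original post: it pulls one l7:PrivateKey out of a GET /privateKeys listing, drops one whole l7:CertificateData entry, and re-serialises the element with its xmlns:l7 declaration as the PUT payload. The listing XML is constructed here; its l7:List/l7:Item/l7:Resource wrapper, the l7:CertificateChain container and the l7:Encoded child are assumptions, while the l7:PrivateKey attributes and the l7:CertificateData tag come from the post.

```python
from xml.etree import ElementTree as ET

L7_NS = "http://ns.l7tech.com/2010/04/gateway-management"
L7 = f"{{{L7_NS}}}"
ET.register_namespace("l7", L7_NS)  # re-serialise with the l7: prefix and its xmlns declaration

# Constructed stand-in for the GET /restman/1.0/privateKeys response (step 1). The
# l7:List/l7:Item/l7:Resource wrapper, l7:CertificateChain and l7:Encoded are assumptions.
SAMPLE_LISTING = f"""<l7:List xmlns:l7="{L7_NS}">
  <l7:Item><l7:Name>democlient</l7:Name><l7:Resource>
    <l7:PrivateKey alias="democlient" keystoreId="00000000000000000000000000000002"
                   id="00000000000000000000000000000002:democlient">
      <l7:CertificateChain>
        <l7:CertificateData><l7:Encoded>LEAF-CERT-BASE64</l7:Encoded></l7:CertificateData>
        <l7:CertificateData><l7:Encoded>OLD-INTERMEDIATE-BASE64</l7:Encoded></l7:CertificateData>
      </l7:CertificateChain>
    </l7:PrivateKey>
  </l7:Resource></l7:Item>
</l7:List>"""


def extract_private_key(listing_xml, key_id):
    """Step 2: the l7:PrivateKey element whose id attribute equals key_id."""
    for pk in ET.fromstring(listing_xml).iter(f"{L7}PrivateKey"):
        if pk.get("id") == key_id:
            pk.tail = None  # drop whitespace that followed it inside the listing
            return pk
    raise KeyError(f"no private key with id {key_id}")


def drop_chain_entry(pk, index):
    """Step 4: remove one whole l7:CertificateData element, wherever the chain lives."""
    for parent in pk.iter():
        entries = parent.findall(f"{L7}CertificateData")
        if entries:
            if len(entries) < 2:
                raise ValueError("refusing to leave the certificate chain empty")
            parent.remove(entries[index])
            return pk
    raise ValueError("no certificate chain found")


def build_put(base_url, listing_xml, key_id, drop_index):
    """Steps 3 and 5: PUT target and payload; ET declares xmlns:l7 on the root it serialises."""
    pk = drop_chain_entry(extract_private_key(listing_xml, key_id), drop_index)
    return f"{base_url}/restman/1.0/privateKeys/{key_id}", ET.tostring(pk, encoding="unicode")


if __name__ == "__main__":
    url, body = build_put("https://gateway.example:8443", SAMPLE_LISTING,
                          "00000000000000000000000000000002:democlient", 1)
    print("PUT", url)
    print(body)
```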



  • 6.  Re: RESTMAN privateKeys import

    Posted Jan 28, 2019 08:22 PM

    Hi Bill,

     

    I used the request below to import a private key: a POST to https://localhost:8443/restman/1.0/privateKeys/00000000000000000000000000112:sph/import and then https://localhost:8443/restman/1.0/privateKeys/000000000000000000000000112:skh/specialPurpose?purpose=SSL to make it the default key, which worked.

     

    Request:

    <l7:PrivateKeyImportContext xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">
    <l7:Pkcs12Data>
    CK56uaqGCNc7AgIIAA==</l7:Pkcs12Data>
    <l7:Password>password</l7:Password>
    </l7:PrivateKeyImportContext>

     

    I am trying to update the private key with a PUT method on https://localhost:8443/restman/1.0/privateKeys/0000000000000000000000000112 but I get an error. I am not sure where I am going wrong.



  • 7.  Re: RESTMAN privateKeys import

    Broadcom Employee
    Posted Jan 28, 2019 09:24 PM

    Good evening,

     

    Did you do a GET first to obtain the data to then modify and upload again? The instructions that Bill put forward are to replace a certificate chain in a private key, not to upload an in place private key.

     

    Sincerely,

     

    Stephen Hughes

    Broadcom Support



  • 8.  Re: RESTMAN privateKeys import

    Posted Jan 29, 2019 10:11 AM

    Hi Stephen,

     

    I am trying to upload an in place private key. Can we upload like this through restman calls?

     

    Thanks,

    Spal



  • 9.  Re: RESTMAN privateKeys import

    Broadcom Employee
    Posted Jan 29, 2019 10:49 AM

    Spal,

     

    It was mentioned in the post higher up that an in place replacement of the private key is not currently supported so you will need to delete and recreate or replace just the certificate chain if the private key has not changed.

     

     

    Sincerely,

     

    Stephen Hughes

    Broadcom Support



  • 10.  Re: RESTMAN privateKeys import

    Posted Jan 29, 2019 11:24 AM

    Thank you Stephen.