Layer7 API Management

  • 1.  How can we retrieve X.509 certificates from different LDAP properties

    Posted Sep 25, 2017 05:22 AM

    After publishing a new root CA, the (external) LDAP owner updated the LDAP definition. X.509 certificates of the new root CA are placed in a property: 'crossCertificatePair'. The existing root CAs have a property 'userCertificate' that holds the X.509 certificate. We created a new LDAP definition where the property definition is changed to reflect the new value. The API Gateway version 9.2 cannot retrieve the new root CA certificates. The log shows:

    35074 com.l7tech.security.xml.processor.WssProcessorImpl: Could not find certificate for issuer 'issuer', serial 'serialno'.

    For the existing root CAs the X.509 certificates can be retrieved.

    How can we update/fix this?

    Peter Oomen.



  • 2.  Re: How can we retrieve X.509 certificates from different LDAP properties

    Broadcom Employee
    Posted Sep 25, 2017 01:57 PM

    Peter,

    I would look at two components of this: the storage of the attribute in the LDAP server, in regards to the attribute schema and the value stored, and then how the configuration is set in the LDAP configuration of the Gateway. Please confirm that the schema and the value stored in that attribute match the format, and for the LDAP config look to use crossCertificatePair;binary.

    Sincerely,

    Stephen Hughes

    Director, CA Support



  • 3.  Re: How can we retrieve X.509 certificates from different LDAP properties

    Posted Sep 27, 2017 03:03 AM

    Hi Stephen,

    Thank you for this reply.

    We created a second LDAP Identity Provider (IDP) with the correct property that holds the X.509 certificate.

    Now the original IDP shows the X.509 certificate for the records with the userCertificate;binary property, but not the new records with the crossCertificatePair;binary. This new LDAP IDP shows the X.509 certificate for the new records, but obviously not for the 'old' records.

    It was our belief that the indexing of the certificates (com.l7tech.server.identity.ldap.LdapCertificateCache) would enable getting the X.509 certificates from both properties.

    Did we miss a configuration setting?

    Regards,

    Peter Oomen.



  • 4.  Re: How can we retrieve X.509 certificates from different LDAP properties

    Broadcom Employee
    Posted Sep 27, 2017 02:25 PM

    Peter,

    The indexing for certificates is limited to each Identity Provider; it is not an overall index for all Identity Providers, even though they both point to the same LDAP server environment. In your policy, do you only have the one Identity Provider, or both in a one-or-more branch? Having both may find the correct certificate.

    Sincerely,

    Stephen Hughes

    Director, CA Support



  • 5.  Re: How can we retrieve X.509 certificates from different LDAP properties

    Posted Sep 28, 2017 08:40 AM

    Hi Stephen,

    We do not use an IDP to get the certificate. We use a Look Up Certificate assertion.

    It looks like this assertion uses the userCertificate;binary property to get the certificate.

    The "O =" value for the new G3 certificates has changed. Can this be of influence?

    Regards,

    Peter Oomen.
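The two points raised in posts 2 and 5 (whether the stored value matches the format the Gateway expects, and a lookup that reads only userCertificate;binary) can be shown with a small DER-level index. The following is an added example, not Gateway, Layer7 or CA code, and not the LdapCertificateCache implementation. It assumes that crossCertificatePair;binary carries an X.509 CertificatePair with explicitly tagged [0] issuedToThisCA / [1] issuedByThisCA elements (each wrapping a full Certificate), whereas userCertificate;binary carries a bare Certificate, and it keys the index on (issuer, serial) as the WssProcessorImpl log line does. The certificates are constructed DER skeletons (fields up to the subject, no key or signature), sufficient for indexing but not valid certificates.

```python
"""Added example (not Layer7/CA Gateway code): index X.509 certificates by
(issuer, serial) from two LDAP attributes, userCertificate;binary and
crossCertificatePair;binary. Certificates below are constructed DER
skeletons, not real certificates."""


def der_len(n):
    """DER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Encode one DER element."""
    return bytes([tag]) + der_len(len(body)) + body


def children(body):
    """Split a constructed DER body into (tag, value, raw_element) triples."""
    out, pos = [], 0
    while pos < len(body):
        start = pos
        tag, first = body[pos], body[pos + 1]
        pos += 2
        if first & 0x80:                       # long-form length
            n = first & 0x7F
            length = int.from_bytes(body[pos:pos + n], "big")
            pos += n
        else:
            length = first
        out.append((tag, body[pos:pos + length], body[start:pos + length]))
        pos += length
    return out


def rdn_name(cn):
    """Minimal X.501 Name: SEQUENCE { SET { SEQUENCE { OID 2.5.4.3, UTF8String cn } } }."""
    atv = tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, cn.encode()))
    return tlv(0x30, tlv(0x31, atv))


def skeleton_cert(serial, issuer_cn, subject_cn):
    """Constructed stand-in for a DER Certificate: version, serial, signature
    algorithm, issuer, validity and subject only (no key, no real signature)."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
    ser = serial.to_bytes((serial.bit_length() + 8) // 8, "big")       # positive INTEGER
    validity = tlv(0x30, tlv(0x17, b"170101000000Z") + tlv(0x17, b"270101000000Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, ser) + alg
              + rdn_name(issuer_cn) + validity + rdn_name(subject_cn))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))


def cross_certificate_pair(issued_to=None, issued_by=None):
    """CertificatePair ::= SEQUENCE { issuedToThisCA [0] Certificate OPTIONAL,
    issuedByThisCA [1] Certificate OPTIONAL }  (explicit tagging assumed)."""
    body = b""
    if issued_to:
        body += tlv(0xA0, issued_to)
    if issued_by:
        body += tlv(0xA1, issued_by)
    return tlv(0x30, body)


def certificates_in(attr_value):
    """Return the Certificate DER blob(s) carried by one LDAP attribute value.
    A Certificate opens with its TBSCertificate SEQUENCE; a CertificatePair
    opens with a [0] or [1] element wrapping a Certificate."""
    tag, body, _ = children(attr_value)[0]
    if tag != 0x30:
        raise ValueError("attribute value is not a DER SEQUENCE")
    parts = children(body)
    if parts and parts[0][0] == 0x30:
        return [attr_value]
    certs = [val for t, val, _ in parts if t in (0xA0, 0xA1)]
    if not certs:
        raise ValueError("neither a Certificate nor a CertificatePair")
    return certs


def issuer_serial(cert_der):
    """(issuer Name DER as hex, serial int): the key the lookup uses."""
    _, cert_body, _ = children(cert_der)[0]
    _, tbs_body, _ = children(cert_body)[0]
    fields = children(tbs_body)
    if fields[0][0] == 0xA0:          # optional explicit version
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    issuer_hex = fields[2][2].hex()   # order: serial, signature alg, issuer
    return issuer_hex, serial


def build_index(entries, attributes):
    """entries: list of {attribute: [values]} as an LDAP search would return.
    Only the named attributes are read, mirroring a cache bound to one
    attribute; pass both names to cover old and new root CAs."""
    index = {}
    for entry in entries:
        for attr in attributes:
            for value in entry.get(attr, []):
                for cert in certificates_in(value):
                    index[issuer_serial(cert)] = cert
    return index


def lookup(index, issuer_cn, serial):
    return index.get((rdn_name(issuer_cn).hex(), serial))


# Constructed directory content: an old root under userCertificate;binary and
# a new G3 root published as a crossCertificatePair.
OLD_ROOT = skeleton_cert(0x1001, "Old Root CA", "Old Root CA")
NEW_ROOT = skeleton_cert(0x2002, "New Root CA G3", "New Root CA G3")
DIRECTORY = [
    {"userCertificate;binary": [OLD_ROOT]},
    {"crossCertificatePair;binary": [cross_certificate_pair(issued_to=NEW_ROOT)]},
]

if __name__ == "__main__":
    only_user = build_index(DIRECTORY, ["userCertificate;binary"])
    both = build_index(DIRECTORY, ["userCertificate;binary", "crossCertificatePair;binary"])
    print("old root, userCertificate only:", lookup(only_user, "Old Root CA", 0x1001) is not None)
    print("new root, userCertificate only:", lookup(only_user, "New Root CA G3", 0x2002) is not None)
    print("new root, both attributes:    ", lookup(both, "New Root CA G3", 0x2002) is not None)
```

Run stand-alone, the index built from userCertificate;binary alone finds the old root but not the new one, which is the symptom in the thread; reading both attributes, and unwrapping the CertificatePair rather than treating its bytes as a bare Certificate, finds both. The same check (does the attribute hold a Certificate or a CertificatePair?) is what post 2 asks to confirm against the LDAP schema.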



  • 6.  Re: How can we retrieve X.509 certificates from different LDAP properties
    Best Answer

    Broadcom Employee
    Posted Sep 28, 2017 04:56 PM

    Peter,

    I believe that you have also opened a case on this issue. If you can share the public certificates and your policy through the case, we can look to repro in our environment. If certain components are being shared then this may cause a problem, but otherwise I'm not sure where the problem is.

    Sincerely,

    Stephen Hughes

    Director, CA Support