Layer7 API Management

  • 1.  Problems with certificate authentication.

    Posted Dec 11, 2017 12:45 AM

    Hello,

     

    I have the server certificate and the client certificate, but I can not make the assert "Required SSL or TLS Transport with Client Certificate Authentication" work.

     

    <?xml version="1.0" encoding="UTF-8"?>
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
       <soapenv:Body>
          <soapenv:Fault>
             <faultcode>soapenv:Server</faultcode>
             <faultstring>Policy Falsified</faultstring>
             <faultactor>https://centos7.shared:8443/..../health</faultactor>
             <detail>
                <l7:policyResult status="Authentication Required" xmlns:l7="http://www.layer7tech.com/ws/policy/fault"/>
             </detail>
          </soapenv:Fault>
       </soapenv:Body>
    </soapenv:Envelope>

     

    The steps I have followed are:

    1.- I have created a "Federated Identity Provider"
    2.- I have created a "Federated User"

     

    What am I missing?

     

    FIP

     

    --- User

    User in FIP

     

    User in FIP 2

     

    A greeting,



  • 2.  Re: Problems with certificate authentication.

    Posted Dec 11, 2017 02:36 AM

    You have configured the listen port to accept (optional or required) client certificates?



  • 3.  Re: Problems with certificate authentication.

    Broadcom Employee
    Posted Dec 11, 2017 04:04 AM

    Hi,

     

    I think you need an "Authenticate Against Identity Provider" assertion after the "Required SSL or TLS Transport with Client Certificate Authentication" assertion.

     

    Cheers.



  • 4.  Re: Problems with certificate authentication.

    Posted Dec 11, 2017 05:35 AM

    Thanks to the two for answering.

     

    1. The request reaches the Gateway, however it fails in "Required SSL or TLS Transport with Client Certificate Authentication".
    2. If the JKS has the Gateway certificate fails in "Authenticate Against Identity Provider".

     

    I look for it to work for me without the gateway certificate.

     

    debug

     

    Again, thanks for the help.



  • 5.  Re: Problems with certificate authentication.

    Broadcom Employee
    Posted Dec 11, 2017 08:23 PM

    For SSL/TLS connections, you need to install the certificate(s) from Certificate Authority to your client. They are used for validating the server certificate. Usually a self-signed certificate is created for API Gateway while you're setting it up.

     

    It looks your server certificate and its private key are not properly configured for SSL/TLS on your API Gateway because the "Required SSL or TLS" assertion is succeeded when you import the Gateway certificate to your client(JKS).
    Please check the "Manage Private Keys" task and configure your server certificate and its private key for SSL/TLS properly.

     

    For client certificate authentication, you need to install a certificate chain from the issuer of your client certificate to the API Gateway. Your client certificate must be validated with the certificate chain before authenticating against Identity Provider.


    It looks the Gateway certificate in your JKS is recognized as a "client certificate" because the Gateway certificate is used for SSL/TLS on the API Gateway instead of your server certificate.

     

    Cheers.



  • 6.  Re: Problems with certificate authentication.

    Broadcom Employee
    Posted Dec 11, 2017 07:33 PM

    The Required SSL or TLS Transport with Client Certificate Authentication will success as soon as there is a  client certificate in the incoming request. You don't even need to create new IDP, or authenticate against some thing.

     

    So, what the client? How did you send the request with client certificate?

     

    Keep in mind that client certificate is a private key.

    for example, if the client is a browser, you will need to import the private key to the browser, and when using the browser to access the gateway endpoint, the browser should prompt you to select the private key. After you select the private key, the client certificate(private key) will be included in the request, and the require client cert assertion will be happy.



  • 7.  Re: Problems with certificate authentication.
    Best Answer

    Posted Dec 14, 2017 12:22 PM

    Hello and thanks to everyone for the help.

     

    The original problem was to be able to validate a user based on the client certificate.

     

    The first thing I did was create the certificates for my PoC.
    #> openssl req -newkey rsa:2048 -nodes -keyout centos7.shared.key -x509 -days 365 -out centos7.shared.crt

     

    With the CRT I register it in Tasks -> Certificates, Keys and Secrets -> Manages Certificates. (Remember that this certificate is "Trust Anchor").

     

    Then I create my PoC API.

    PoC

     

    I create an IdP in the Identity Providers tab, with the following characteristics.
    .- Type : X.509 Certificate
    .- Do not assign Trusted Certificate, press next and ok to the warning.
    .- Certificate validation: Validate certificate path.

     

    On this IdP create a federated user. In the wizard include your DN, and select additional properties to add the certificate associated with this user, a warning is generated to write the DN, press OK.

     

    If you test the API with postman including the certificates everything works correctly