Layer7 API Management

  • 1.  Enforce Client certificate Authentication with CA Microgateway

    Posted Jan 02, 2018 02:14 AM

    Hello,

     

    I am trying out the new CA Microgateway for various functionalities. One of the use cases we have is to have Microgateway enforce client certificate authentication. I went through the documentation for Microgateway and developed the below policy (in JSON format). When I try to deploy it in the Microgateway I get an error. I am adding the policy and the error here. Any help is appreciated.

     

    I am using the Microgateway in the Quick Start Rest mode in conjunction with Consul DB.

     

    I am using the latest Docker container provided by the CA in the docker hub.

     

    Policy:

    {
      "Service": {
        "name": "Name of the services",
        "gatewayUri": "/<gateway uri>",
        "httpMethods": [ "post" ],
        "policy": [
          {
            "Ssl": {
              "Option": "Optional",
              "RequireClientAuthentication": "true"
            }
          },
          {
            "RouteHttp": {
              "targetUrl": "<target uri>",
              "httpMethod": "Automatic"
            }
          }
        ]
      }
    }

     

    Error:

    {

       "response" : "quickstart service failed.",

       "error" : "Unable to set SslAssertion - RequireClientAuthentication = true"

    }

     

    Regards,

    Pradeep Bharadwaj



  • 2.  Re: Enforce Client certificate Authentication with CA Microgateway

    Posted Jan 02, 2018 02:18 AM

    Here is a part of my docker compose file, which tells Microgateway where to look for the certificate (in base64 format).

     

    trust-store.env is where I store the base64 root CA of the client.

     

    version: '3'
    services:
      ssg:
        image: pradeepadobe/mgw-qsm:1.0
        extra_hosts:
          - "httpbin.mycompany.com:10.7.36.179"
          - "otk.mycompany.com:10.7.32.187"
          - "kafka-rest.local.com:192.168.99.100"
        deploy:
          resources:
            limits:
              memory: 2048m
        ports:
          - "443:8443"
          - "9443:9443"
          - "80:8080"
        env_file:
          - ./config/core.env
          - ./config/license-agreement.env
          - ./config/license.env
          - ./config/certificates.env
          - ./config/otk.env
          - ./config/jwt.env
          - ./config/feature-flags.env
          - ./config/solutionkits/policysdk.env
          - ./config/trust-store.env

     

    regards,

    Pradeep Bharadwaj



  • 3.  Re: Enforce Client certificate Authentication with CA Microgateway
    Best Answer

    Broadcom Employee
    Posted Nov 24, 2018 02:36 PM

    Pradeep,

     

    I've been able to duplicate the issue that you are seeing. The solution to correct it is to take the quotes off around the true for the RequireClientAuthentication item so it is set to "RequireClientAuthentication": true and change the Option from Optional to Required.

     

    Sincerely,

     

    Stephen Hughes

    Broadcom Support
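
The two corrections from the accepted answer, turned into a pre-deployment check on a Quick Start service document. This is an added example, not code from the thread or from the product; the function names are hypothetical, and the only rules it encodes are the ones stated in the answer above (it is not a full schema check).

```python
import copy
import json

# Constructed input: the policy from the first post, placeholders kept as posted.
POSTED_POLICY = json.loads("""
{"Service": {
  "name": "Name of the services",
  "gatewayUri": "/<gateway uri>",
  "httpMethods": ["post"],
  "policy": [
    {"Ssl": {"Option": "Optional", "RequireClientAuthentication": "true"}},
    {"RouteHttp": {"targetUrl": "<target uri>", "httpMethod": "Automatic"}}
  ]}}
""")

def ssl_assertions(doc):
    """Yield (index, settings) for each Ssl assertion in the service policy."""
    for i, step in enumerate(doc.get("Service", {}).get("policy", [])):
        if isinstance(step, dict) and isinstance(step.get("Ssl"), dict):
            yield i, step["Ssl"]

def lint_client_cert_policy(doc):
    """Return findings based only on the two corrections in the accepted answer."""
    findings, found = [], False
    for i, ssl in ssl_assertions(doc):
        found = True
        rca = ssl.get("RequireClientAuthentication")
        if not isinstance(rca, bool):  # "true" (a string) is what triggered the error
            findings.append(f"policy[{i}].Ssl.RequireClientAuthentication is "
                            f"{type(rca).__name__} {rca!r}; use an unquoted JSON boolean")
        if str(rca).lower() == "true" and ssl.get("Option") != "Required":
            findings.append(f"policy[{i}].Ssl.Option is {ssl.get('Option')!r}; "
                            "use \"Required\" with client authentication")
    if not found:
        findings.append("no Ssl assertion found in Service.policy")
    return findings

def apply_answer_fix(doc):
    """Return a copy with the answer's two changes applied to each Ssl assertion."""
    fixed = copy.deepcopy(doc)
    for _, ssl in ssl_assertions(fixed):
        if str(ssl.get("RequireClientAuthentication")).lower() == "true":
            ssl["RequireClientAuthentication"] = True
            ssl["Option"] = "Required"
    return fixed

if __name__ == "__main__":
    for finding in lint_client_cert_policy(POSTED_POLICY):
        print("FINDING:", finding)
    print(json.dumps(apply_answer_fix(POSTED_POLICY), indent=2))
```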