Layer7 API Management

  • 1.  LAC Integration with API Gateway

    Posted May 25, 2018 06:38 AM

I am trying to follow the steps here to integrate the LAC with the Gateway, as I would like to test publishing an API.

     

     Set Up Mutual Authentication Between API Server and API Gateway - CA Live API Creator - 4.1 - CA Technologies Documentat…  

     

I am having problems setting up mutual authentication. Can someone please break these steps down into bite-size pieces? As far as I understand it, I must create a public/private key pair and import it into the API Server keystore, as well as into the Gateway's keystore.

     

    I get the following error when trying to publish an API: 

     

     

    javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present

    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)

    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)

    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)

    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)

    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)

    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)

    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)

    at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)

    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)

    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)

    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)

    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)

    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)

    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)

    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1334)

    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1309)

    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:259)

    at com.kahuna.server.rest.MetaServiceGatewayPublish.gatewayPublish(MetaServiceGatewayPublish.java:164)

    at com.kahuna.server.rest.MetaServiceGatewayPublish.publish(MetaServiceGatewayPublish.java:84)

    at com.kahuna.server.rest.AbstractService.getMetadata(AbstractService.java:381)

    at com.kahuna.server.rest.ResourceList.postCommon(ResourceList.java:1204)

    at com.kahuna.server.rest.ResourceList.postJSON(ResourceList.java:976)

    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

    at java.lang.reflect.Method.invoke(Method.java:498)

    at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory$1.invoke(ResourceMethodInvocationHandlerFactory.java:81)

    at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:144)

    at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:161)

    at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:160)

    at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:99)

    at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:389)

    at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:347)

    at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:102)

    at org.glassfish.jersey.server.ServerRuntime$2.run(ServerRuntime.java:326)

    at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271)

    at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267)

    at org.glassfish.jersey.internal.Errors.process(Errors.java:315)

    at org.glassfish.jersey.internal.Errors.process(Errors.java:297)

    at org.glassfish.jersey.internal.Errors.process(Errors.java:267)

    at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:317)

    at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:305)

    at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1154)

    at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:473)

    at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:427)

    at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:388)

    at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:341)

    at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:228)

    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:808)

    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1669)

    at org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)

    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)

    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)

    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)

    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)

    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)

    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)

    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)

    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)

    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)

    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)

    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)

    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)

    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)

    at org.eclipse.jetty.server.Server.handle(Server.java:499)

    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310)

    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)

    at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)

    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)

    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)

    at java.lang.Thread.run(Thread.java:748)

    Caused by: java.security.cert.CertificateException: No subject alternative names present

    at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:145)

    at sun.security.util.HostnameChecker.match(HostnameChecker.java:94)

    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)

    at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1019)

    at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:986)

    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)

    ... 66 more



  • 2.  Re: LAC Integration with API Gateway

    Broadcom Employee
    Posted May 25, 2018 10:03 AM

    Hi Christopher,

     

How are you running LAC? I.e. Jetty image, Tomcat, Docker.

     

The easiest way to go about this is usually to use the Gateway to create the key pair.

     

1. Create the private key for the LAC server on the Gateway:

   a. In Policy Manager: Tasks -> Certificates, Keys and Secrets -> Manage Private Keys.

   b. Name the key and click Create.

     

     

2. Export the LAC public/private key that was just created above.

   a. In Policy Manager: Tasks -> Certificates, Keys and Secrets -> Manage Private Keys.

   b. Highlight the key we created above (lacssl) and click Properties.

   c. Click Export Key; you will be prompted to enter a password. You will need this again later when importing the key. Save the P12.

   d. While still in the 'Private Key Properties' screen, click View Certificate and export the public cert as a PEM file.

     

3. Export the GATEWAY certificate.

   a. In Policy Manager: Tasks -> Certificates, Keys and Secrets -> Manage Private Keys.

   b. Locate the Gateway default SSL key (indicated by the S logo).

   c. Click View Certificate and export the Gateway certificate (gateway.pem).

     

     

The next set of steps will change depending on how this is deployed. Let me know how this is running and I will try to assist for your specific deployment.

     

    Regards,

    Joe

     



  • 3.  Re: LAC Integration with API Gateway

    Posted May 25, 2018 10:13 AM

    Hey Joe,

     

Thanks for your response! So I got as far as what you have described above and got stuck on where to actually keep the keys. I have the LAC Jetty image running (demo package) on the local machine, and I have the API Gateway running on a VMware Fusion instance on the local machine as well.

     

    Thanks!  



  • 4.  Re: LAC Integration with API Gateway
    Best Answer

    Broadcom Employee
    Posted May 25, 2018 10:31 AM

Perfect, so the next steps:

     

    1. Make sure you uncomment these lines in the start.ini.

    For the Jetty image: CALiveAPICreator-Jetty-4.1.00.2\CALiveAPICreator\start.ini

     

2. Drop the lacssl.p12 we created above into this path and rename it lacssl_new.p12:

     

    \CALiveAPICreator-Jetty-4.1.00.2\CALiveAPICreator\etc

     

3. Run the keytool command to import the key pair. You will need the source and destination passwords here.

The default destination password for the Jetty image is Password1; the source password is the password you set when exporting the key from the Gateway.

keytool -v -importkeystore -srckeystore "<root CA Live API Creator installation directory>/CALiveAPICreator/etc/lacssl_new.p12" -srcstoretype PKCS12 -destkeystore "<root CA Live API Creator installation directory>/CALiveAPICreator/etc/keystore"

     

4. Import the Gateway certificate into the LAC keystore:

keytool -importcert -alias gateway -file "C:\gateway.pem" -keystore "C:\LAC\CALiveAPICreator-Jetty-4.1.00.2\CALiveAPICreator\etc\keystore"

Enter the keystore password: Password1

     

    This should be successful. Let me know of any errors you receive.

     

     

    Regards,

    Joe



  • 5.  Re: LAC Integration with API Gateway

    Posted May 25, 2018 11:21 AM

And what do I do with the lacssl.pem file we created in the earlier step? Is that required?



  • 6.  Re: LAC Integration with API Gateway

    Broadcom Employee
    Posted May 25, 2018 12:16 PM

    It gets imported into the Gateway.

Under Manage Certificates, click Add and either 1) browse to the PEM or, 2) if it is the same Gateway where the lacssl private key was created, choose 'Import from private key's certificate chain' and point to the lacssl key.



  • 7.  Re: LAC Integration with API Gateway

    Posted May 29, 2018 08:38 AM

    Hey Joe,

     

    I followed the steps above but still get the same error: 

     

    [Error] java.security.cert.CertificateException: No subject alternative names present

    Any ideas as to why this could be failing? 



  • 8.  Re: LAC Integration with API Gateway

    Posted Jun 19, 2018 11:32 PM

Use

https://<domain name>:8443/lacman/1.0/publish

as the URL.
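Why post 8's one-line fix works, and why the keystore imports in posts 4 and 6 could not make the error in post 1 go away: the bottom frame of the trace is HostnameChecker.matchIP, which is Java's server-identity check, run before any trust decision. The block below is an added example written for this thread; it is not code from the original posts, from CA Live API Creator or from the Gateway. It re-implements in Python the identity rules of sun.security.util.HostnameChecker (JDK 8 behaviour), driven by a certificate in the dict shape that ssl.getpeercert() returns. The certificates, host names and the IP address 192.168.56.101 are constructed for illustration.

```python
"""Reproduce JSSE's "No subject alternative names present" on a publish URL.

Added example, not code from the thread or the products it discusses.
Mirrors sun.security.util.HostnameChecker (JDK 8) on a parsed-certificate
dict in the shape ssl.getpeercert() returns. All certs/names are constructed.
"""
import ipaddress
from urllib.parse import urlsplit


class CertificateException(Exception):
    """Stands in for java.security.cert.CertificateException."""


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS-ID match; a wildcard may only replace the whole
    leftmost label and must have at least two labels to its right."""
    pattern, host = pattern.lower(), host.lower()
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def _common_name(cert: dict):
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def check_identity(cert: dict, host: str) -> None:
    """Raise CertificateException unless `host` is a valid identity for `cert`."""
    sans = cert.get("subjectAltName", ())
    if _is_ip(host):
        # HostnameChecker.matchIP: an IP literal is compared ONLY against
        # iPAddress SAN entries; the subject CN is never consulted.
        if not sans:
            raise CertificateException("No subject alternative names present")
        wanted = ipaddress.ip_address(host)
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == wanted:
                return
        raise CertificateException(
            f"No subject alternative names matching IP address {host} found")
    # HostnameChecker.matchDNS: dNSName SANs win; the CN is only a fallback
    # when the certificate carries no dNSName SAN at all.
    dns_names = [value for kind, value in sans if kind == "DNS"]
    if dns_names:
        if any(_dns_match(name, host) for name in dns_names):
            return
        raise CertificateException(
            f"No subject alternative DNS name matching {host} found")
    cn = _common_name(cert)
    if cn and _dns_match(cn, host):
        return
    raise CertificateException(f"No name matching {host} found")


def publish_url_error(cert: dict, publish_url: str):
    """None if the publish URL passes the identity check against `cert`,
    otherwise the exception message JSSE would put in the stack trace."""
    host = urlsplit(publish_url).hostname
    try:
        check_identity(cert, host)
        return None
    except CertificateException as exc:
        return str(exc)


# Constructed: a Gateway default SSL certificate carrying only a CN, no SAN.
CN_ONLY_CERT = {"subject": ((("commonName", "gateway.example.local"),),)}

# Constructed: the same identity reissued with a dNSName and an iPAddress SAN.
SAN_CERT = {
    "subject": ((("commonName", "gateway.example.local"),),),
    "subjectAltName": (("DNS", "gateway.example.local"),
                       ("IP Address", "192.168.56.101")),
}

if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY_CERT), ("with SAN", SAN_CERT)):
        for url in ("https://192.168.56.101:8443/lacman/1.0/publish",
                    "https://gateway.example.local:8443/lacman/1.0/publish"):
            print(f"{label:9} {url:55} -> {publish_url_error(cert, url) or 'OK'}")
```

With the CN-only certificate, publishing to an IP-based URL returns exactly the thread's message, because the IP branch never looks at the CN and the certificate has no SAN at all; publishing to a DNS name that matches the CN passes through the fallback, which is the fix in post 8. Trust-store imports cannot influence this check, so the remaining mutual-authentication work in posts 4 and 6 is still needed but is a separate problem. If the Gateway must be addressed by IP, reissue its default SSL key with an iPAddress SAN (and a dNSName SAN for the host name) rather than disabling hostname verification in the client.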