API Gateway: Certificate key usage or extended key usage disallowed
Article ID: 107561
Updated On:
Products
STARTER PACK-7
CA API Gateway
Issue/Introduction
The below error is observed in the SSG log
2020-04-28T10:41:48.533-0700 WARNING 1439 com.l7tech.external.assertions.xmlsec.server.ServerNonSoapEncryptElementAssertion: 4: Unable to encrypt elements(s): Certificate key usage or extended key usage disallowed by key usage enforcement policy for activity: encryptXml. Exception caught!
2020-04-28T10:41:48.533-0700 WARNING 1439 com.l7tech.external.assertions.xmlsec.server.ServerNonSoapEncryptElementAssertion: 4: Unable to encrypt elements(s): Certificate key usage or extended key usage disallowed by key usage enforcement policy for activity: encryptXml. Exception caught!
Environment
Gateway 9.x
Resolution
The error indicates that the certificate includes further attributes that the Gateway can't handle by default. These attributes are inserted for a specific purpose. In order to handle such attributes, there are two options:
1) You can ignore key usage enforcement by setting the following cluster property:
pkix.keyUsage = IGNORE
Note: This will require a Gateway restart to go into effect.
More details about this cluster-wide property can be found here:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-4/reference/gateway-cluster-properties/certificate-validation-cluster-properties.html
2) You can implement your own key usage enforcement policy based on the information here:
https://techdocs.broadcom.com/content/broadcom/te
chdomcs/us/en/ca-enterprise-software/layer7-api-manageent/api-gateway/9-4/services-and-policies/working-with-policies/key-usage-enforcement-policy.html
1) You can ignore key usage enforcement by setting the following cluster property:
pkix.keyUsage = IGNORE
Note: This will require a Gateway restart to go into effect.
More details about this cluster-wide property can be found here:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-4/reference/gateway-cluster-properties/certificate-validation-cluster-properties.html
2) You can implement your own key usage enforcement policy based on the information here:
https://techdocs.broadcom.com/content/broadcom/te
chdomcs/us/en/ca-enterprise-software/layer7-api-manageent/api-gateway/9-4/services-and-policies/working-with-policies/key-usage-enforcement-policy.html
Feedback
Yes
No
Powered by
