Using the CA API Gateway, we need to extract a number of attributes/fields from an x509 certificate. However, it seems it's not possible to extract x509v3 extensions, such as the qcStatements (OID 1.3.6.1.5.5.7.1.3) or its children.
Can you provide us any guidelines on how, and whether it is possible, to access such x509v3 extensions from the policy logic?
Test certificates (attached):
- psd2testcert.pem (test certificate with x509v3 extensions)
- privkey.pem (private key of test certificate)
- test_keystore.p12 (keystore containing both the test certificate and its private key)
- ca.crt (issuer of test certificate)
Using the "Extract Certificates from Certificates" the debugger is not showing any x509v3 extensions. When adding e.g. request.ssl.clientCertificate to the inspector of the debugger, you can see that the extensions are part of the object, but it's unclear how to actually access them from any policy logic.
Data visible when inspecting request.ssl.clientCertificate:
It looks like the current "Extract Attributes from Certificates" assertion does not support extracting arbitrary extensions out of an x509 certificate.
Looking at the assertion source code, what is exposed as per our docops page had to be explicitly extracted and exposed as a context variable. It sounds like a custom assertion could be a good path for the customer.
CA support doesn't implement the customer assertions; however, CA Services would do. If you want to engage CA services, you need to contact your account manager about their engagement.
To obtain the layer7-api-*.jar file, you need to download the component "CA API GATEWAY DEVELOPMENTTOOLS-9.3- CUSTOM ASSERTION DEV KIT, GATEWAY MANAGEMENT DEV KIT AND CLIENT, GATEWAY MIGRATION UTILITY - GMU GEN500000000000734.zip" from https://support.ca.com/us/download-center/product-files.html
Furthermore, I have included a section on how to create a custom assertion from the API documentation; please see the link below: https://docops.ca.com/ca-api-gateway/9-3/en/policy-assertions/custom-assertions/create-custom-assertions
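The certificate-side logic such a custom assertion would need, as an added example that is not CA's or the original author's code: it uses only the standard JDK (`X509Certificate.getExtensionValue`) and no Layer7 SDK classes, and lists the statementId OIDs inside the qcStatements extension. The class and method names are hypothetical, and the sample bytes are a constructed extension value holding the ETSI QcCompliance and QcSSCD statements.

```java
import java.security.cert.X509Certificate;
import java.util.*;
public class QcStatementIds {
    static final String QC_STATEMENTS_OID = "1.3.6.1.5.5.7.1.3"; // id-pe-qcStatements
    static int[] tlv(byte[] d, int pos) { // returns {tag, contentStart, contentEnd} of the DER TLV at pos
        int tag = d[pos++] & 0xff, len = d[pos++] & 0xff;
        if (len > 0x7f) {                     // long form: low 7 bits = number of length bytes
            int n = len & 0x7f;
            if (n == 0 || n > 3) throw new IllegalArgumentException("unsupported DER length");
            for (len = 0; n > 0; n--) len = (len << 8) | (d[pos++] & 0xff);
        }
        if (pos + len > d.length) throw new IllegalArgumentException("truncated DER");
        return new int[] {tag, pos, pos + len};
    }
    static String oid(byte[] d, int start, int end) { // OBJECT IDENTIFIER content -> dotted string
        StringBuilder sb = new StringBuilder();
        long v = 0;
        for (int i = start; i < end; i++) {
            v = (v << 7) | (d[i] & 0x7f);
            if ((d[i] & 0x80) != 0) continue; // more base-128 digits follow
            if (sb.length() == 0) sb.append(Math.min(v / 40, 2)).append('.').append(v - 40 * Math.min(v / 40, 2));
            else sb.append('.').append(v);
            v = 0;
        }
        return sb.toString();
    }
    // ext is what getExtensionValue() returns: an OCTET STRING wrapping SEQUENCE OF QCStatement
    static List<String> parse(byte[] ext) {
        List<String> ids = new ArrayList<>();
        if (ext == null) return ids;          // certificate has no qcStatements extension
        int[] seq = tlv(ext, tlv(ext, 0)[1]);
        for (int p = seq[1]; p < seq[2]; ) {
            int[] stmt = tlv(ext, p);         // QCStatement ::= SEQUENCE { statementId, statementInfo OPTIONAL }
            int[] id = tlv(ext, stmt[1]);
            if (stmt[0] != 0x30 || id[0] != 0x06) throw new IllegalArgumentException("not a QCStatement");
            ids.add(oid(ext, id[1], id[2]));
            p = stmt[2];                      // jump past any statementInfo
        }
        return ids;
    }
    static List<String> fromCertificate(X509Certificate c) { return parse(c.getExtensionValue(QC_STATEMENTS_OID)); }
    public static void main(String[] args) {
        byte[] sample = {0x04, 0x16, 0x30, 0x14, 0x30, 0x08, 0x06, 0x06, 0x04, 0x00, (byte) 0x8E, 0x46, // constructed
            0x01, 0x01, 0x30, 0x08, 0x06, 0x06, 0x04, 0x00, (byte) 0x8E, 0x46, 0x01, 0x04};
        System.out.println(parse(sample));    // [0.4.0.1862.1.1, 0.4.0.1862.1.4]
    }
}
```

In a custom assertion, the list returned by `fromCertificate` would be published as a context variable; the SDK calls for doing that are covered in the custom assertion documentation linked above.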