ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Mutual SSL authentication configuration per web port

book

Article ID: 110022

calendar_today

Updated On:

Products

CA Rapid App Security CA API Gateway

Issue/Introduction



User has the requirement to host multiple services with mutual SSL based authentication. To get this to work, its crucial that in the ServerHello message the trusted certificate authorities are appearing in the CertificateRequest section. Its my understanding that this is controllable by the certificate purpose
"Signing client certs" in the list of trusted certificates. As the services are independent from each other and as we observed the clients are pretty sensitive during the SSL handshake when e.g. more than one trusted CA appears in the ServerHello/CertificateRequest message, I want to have an isolated SSL configuration per service in order to specify per service (or per webport) which client certificate issuer is being trusted. However, it seems the certificate purpose is controllable only on a global level, applying for all services and all web ports.

Is it possible to set certificate purpose per web port?

Environment

Gateway 9.3

Resolution

There are several options. I hope they meet the requirement: 
1.: In policy manager, Tasks - Manage Listen Ports - Select or create a port 
2.: check the properties 
3.: select the private key that is valid on that port 

This is like a global setting for that specific port. 

For a specific API this approach can be used: 

1.: create a federated identity provider which allows you to specify required certificates or a specific issuer 
2.: in an API require SSL Mit client authentication 
3.: then include a Authenticate assertion against the Federated identity provider 
Powered by Wolken Software