Gateway Signature Issue for client certificate

Article ID: 188113
Products

CA API Gateway
API SECURITY
CA API Gateway Precision API Monitoring Module for API Gateway (Layer 7)
CA API Gateway Enterprise Service Manager (Layer 7)
STARTER PACK-7
CA Microgateway

Issue/Introduction

The customer is having a strange issue with a specific certificate chain.

According to OpenSSL this is a valid chain:

  >> openssl verify -partial_chain -trusted inter.pem leaf.pem 

leaf.pem:OK
 
However, according to the API Gateway the signatures do not match with this error:
    Unable to build path for Certificate : unable to find valid certification path to requested target;related error(s) [Signature does not match.]

Is it possible that the API Gateway does not support the signature algorithm?

For the leaf certificate this is:

  • rsassaPss
    • Hash Algorithm: sha512
    • Mask Algorithm: mgf1 with sha512


The actual error comes from the SSG logs. We have tried with the entire chain in the truststore as trust anchor.

Of course, for it to work, you have to make some changes:

- switch to an IDP that exists on your environment

- add the inter.pem as a trust anchor that can sign client certificates

- create a user with the leaf.pem as certificate

- change the Authenticate User step to your local IDP and the user you created

Environment

Release : 9.4

Component : API GATEWAY

Resolution

The certificate has signature algorithm RSASSA-PSS, which is not supported on older JDKs.

JDK 8u241 introduced support for PKCS#11 v2.40, which includes the RSASSA-PSS algorithm. The solution was to upgrade the JDK to 8u241, since RSASSA-PSS (the signature algorithm used in the client certificate) is not supported on older JDKs.

See the following bug entry for more details:
https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8080462
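The following diagnostic is an added example, not code from the article or from the Gateway product. It reproduces, on the JVM, the same check that the openssl command above performs (inter.pem as the trust anchor, leaf.pem as the only certificate on the path), and it separates the two failure modes that the Gateway log message lumps together: a JVM that has no RSASSA-PSS implementation at all, versus a signature that genuinely does not verify. The class name PssChainCheck, the file-path arguments and the console messages are this example's own choices; the standard JDK classes and the "RSASSA-PSS" algorithm name are real, but whether they resolve depends on the JDK build the check is run on, which is exactly the point.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Example diagnostic (not part of the article): run with the same JDK the Gateway uses,
//   java PssChainCheck inter.pem leaf.pem
public class PssChainCheck {

    // Step 1: can this JVM instantiate an RSASSA-PSS Signature at all?
    // Older JDK 8 builds answer "no" here, which is the root cause described above.
    static boolean jvmSupportsRsassaPss() {
        try {
            Signature.getInstance("RSASSA-PSS");
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    static X509Certificate loadPem(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java PssChainCheck inter.pem leaf.pem");
            System.exit(2);
        }
        System.out.println("java.version=" + System.getProperty("java.version"));
        System.out.println("RSASSA-PSS available: " + jvmSupportsRsassaPss());

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate inter = loadPem(cf, args[0]);
        X509Certificate leaf = loadPem(cf, args[1]);

        // The JDK prints the raw OID (1.2.840.113549.1.1.10) when it has no name for the algorithm.
        System.out.println("leaf sigAlgName=" + leaf.getSigAlgName()
                + " sigAlgOID=" + leaf.getSigAlgOID());

        // Step 2: verify the leaf's signature directly with the intermediate's key.
        // NoSuchAlgorithmException means "JVM cannot do PSS"; SignatureException means
        // the bytes really do not verify. The Gateway reports both as "Signature does not match".
        try {
            leaf.verify(inter.getPublicKey());
            System.out.println("direct signature check: OK");
        } catch (NoSuchAlgorithmException e) {
            System.out.println("direct signature check: algorithm unsupported on this JVM: " + e.getMessage());
        } catch (SignatureException e) {
            System.out.println("direct signature check: signature invalid: " + e.getMessage());
        }

        // Step 3: full PKIX path build, equivalent to
        //   openssl verify -partial_chain -trusted inter.pem leaf.pem
        CertPath path = cf.generateCertPath(Collections.singletonList(leaf));
        PKIXParameters params = new PKIXParameters(
                Collections.singleton(new TrustAnchor(inter, null)));
        params.setRevocationEnabled(false); // offline check: no CRL/OCSP lookups

        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            System.out.println("leaf.pem: OK");
        } catch (CertPathValidatorException e) {
            System.out.println("leaf.pem: FAILED: " + e.getMessage());
            if (!jvmSupportsRsassaPss()) {
                System.out.println("This JVM has no RSASSA-PSS provider; "
                        + "upgrade the JDK before treating the chain itself as bad.");
            }
        }
    }
}
```

Running this once on the old JDK and once on the upgraded one makes the difference visible: on the old build step 1 prints false and step 2 reports the algorithm as unsupported, while after the upgrade both steps pass and step 3 prints leaf.pem: OK, matching the openssl result. If step 1 is true but step 2 still fails with a SignatureException, the problem is the certificate, not the JDK.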