search cancel

Gateway Migration Tool GMU using client certificate mutual authentication

book

Article ID: 229711

calendar_today

Updated On:

Products

CA API Gateway

Issue/Introduction

We are having options setting up gmu to use client certificate (mutual) authentication.

What are the best steps to do so?

Environment

Release : 9.4

Component :

Resolution

Please note the keytool may need fine tuning based on your keystore file location so you want to browse to it and ensure you have the right place,

Public Doc,
https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/10-1/gateway-migration/configure-gmu-and-gateways-for-migration.html#concept.dita_d66af080dde6ff8f4902af8d0d0558295fbfe3cb_ConfigureGMUandGatewaysforMigration

pre-checks
Ensure listen port 8443 has client cert optional. 
Ensure the restman service has assertion 3 enabled client cert auth.

Create a user for me 
gmuadmin 
Assign Administrator role 
Create a private key (MUST Be named the same gmuadmin) 
Export the .cer 
Import the gmuadmin.cer to the gmuadmin user properties of the Identity Provider. 
Export the Private Key (.p12) and if you enter a password as I did * NOTE: 7layer it will be used in the gmu command. In my case gmuadmin.p12  and the password will be required for the plaintext/encoded password (this p12 should be saved in your gmu.bat/.sh runtime directory) 
Export the certificate for the S marked Private key (gateway) gateway.cer 
Import this Gateway certificate on your windows box as below, 

gmuverx.x>%JAVA_HOME%/bin/keytool -importcert -alias gateway -file gateway.cer -keystore %JAVA_HOME%/lib/security/cacerts 
Prompt for password type changeit 

Right click on your restman service and get the serviceid 

Run GMU, 
gmuverx.x>gmu.bat restman -h  --clientCert gmuadmin.p12 --plaintextPassword 7layer --method GET -path /1.0/services/68e2869b9fb01ee1408238732d96a465 

* The plaintextPassword is not my user password but the --clientCert p12 password 
** The number after /services/68e2869b9fb01ee1408238732d96a465 is the ServiceID from the properties of the restman service.
**** Special not the USERNAME AND CN Name from the cert must be an identical match DO NOT USE 2 varied values.

******** You may want or need to add flags --trustCertificate --trustHostname to the GMU Command.