Gateway Migration Tool GMU using client certificate mutual authentication

Article ID: 229711
Products

CA API Gateway

Issue/Introduction

We are having issues setting up GMU to use client certificate (mutual) authentication.

What are the recommended steps to do so?

Environment

Release: 9.4

Component:

Resolution

Note that the keytool command below may need adjusting to your keystore (cacerts) location; browse to it first and confirm you are pointing at the right file.

Public documentation:
https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/10-1/gateway-migration/configure-gmu-and-gateways-for-migration.html#concept.dita_d66af080dde6ff8f4902af8d0d0558295fbfe3cb_ConfigureGMUandGatewaysforMigration

Pre-checks
Ensure that listen port 8443 has client certificate authentication set to Optional.
Ensure that assertion 3 (client certificate authentication) in the restman service policy is enabled.

1. Create a user; in this example the user is gmuadmin.
2. Assign the user the Administrator role.
3. Create a private key. It MUST be named the same as the user (gmuadmin).
4. Export the certificate (.cer) of that key.
5. Import gmuadmin.cer into the gmuadmin user's properties in the Identity Provider.
6. Export the private key as a .p12. If you set a password on the export (7layer in this example), that password is the one used in the GMU command: in this case the file is gmuadmin.p12 and its password is what the plaintext/encoded password option requires. Save this .p12 in your gmu.bat/.sh runtime directory.
7. Export the certificate of the private key marked S (the Gateway's default SSL key) as gateway.cer.
8. Import this Gateway certificate into the Java truststore on your Windows box:

gmuverx.x>%JAVA_HOME%/bin/keytool -importcert -alias gateway -file gateway.cer -keystore %JAVA_HOME%/lib/security/cacerts

When prompted for the keystore password, type changeit (the default cacerts password).

Right-click your restman service in Policy Manager and note its Service ID from the service properties.

Run GMU (the Gateway hostname is a placeholder here; substitute your own):
gmuverx.x>gmu.bat restman -h <gateway-host> --clientCert gmuadmin.p12 --plaintextPassword 7layer --method GET --path /1.0/services/68e2869b9fb01ee1408238732d96a465

* The --plaintextPassword value is not the user's Gateway password but the password of the --clientCert .p12 file.
** The value after /services/ (68e2869b9fb01ee1408238732d96a465) is the Service ID from the properties of the restman service.
*** Special note: the Gateway USERNAME and the CN in the certificate must be an identical match. DO NOT use two different values.

**** You may want or need to add the flags --trustCertificate --trustHostname to the GMU command.
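The following pre-flight script is an added example, not part of this article or of GMU itself. It checks the two points the notes above insist on before the GMU command is run (the CN inside the .p12 equals the Gateway user name, and the Gateway certificate is already trusted in cacerts under alias gateway), then prints the restman command; it assumes openssl and keytool are on PATH, JAVA_HOME is set, and a Unix-like host running gmu.sh.

```shell
#!/bin/sh
# Added example, not from the KB article: pre-flight checks for the GMU
# client-certificate setup. Hypothetical script; assumes openssl and keytool are
# on PATH and JAVA_HOME is set. File names (gmuadmin.p12, gateway.cer), the alias
# "gateway" and the cacerts password "changeit" follow the article.
# Usage: sh gmu_preflight.sh <gateway-host> <user> <p12> <p12-password> <service-id>

# Pull the CN out of a subject line such as "subject=CN=gmuadmin,O=Example"
# (openssl -nameopt RFC2253), "subject=C = US, O = Example, CN = gmuadmin",
# or the legacy "subject= /C=US/O=Example/CN=gmuadmin" form.
cn_from_subject() {
    printf '%s\n' "$1" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p' | sed 's/[[:space:]]*$//'
}

# The article's rule: Gateway user name and certificate CN must match exactly.
cn_matches_user() {
    [ "$(cn_from_subject "$1")" = "$2" ]
}

# Assemble the restman call as the article runs it (gmu.sh on Unix-like hosts).
build_gmu_cmd() {
    printf 'gmu.sh restman -h %s --clientCert %s --plaintextPassword %s --method GET --path /1.0/services/%s\n' \
        "$1" "$2" "$3" "$4"
}

# Subject of the client certificate inside the .p12 (OpenSSL 3 may need -legacy
# for older RC2-encrypted PKCS#12 files).
p12_subject() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -subject -nameopt RFC2253
}

# Is the Gateway SSL certificate already in the JRE cacerts under alias "gateway"?
gateway_cert_trusted() {
    keytool -list -alias gateway -keystore "$JAVA_HOME/lib/security/cacerts" \
        -storepass changeit >/dev/null 2>&1
}

main() {
    host=$1; user=$2; p12=$3; pass=$4; svc=$5
    subject=$(p12_subject "$p12" "$pass") || { echo "cannot read $p12 (wrong .p12 password?)"; return 1; }
    cn_matches_user "$subject" "$user" || { echo "CN '$(cn_from_subject "$subject")' does not equal user '$user'"; return 1; }
    gateway_cert_trusted || echo "warning: alias 'gateway' not in cacerts; import gateway.cer or add --trustCertificate --trustHostname"
    build_gmu_cmd "$host" "$p12" "$pass" "$svc"
}

# Run the live checks only when invoked with all five arguments.
if [ "$#" -eq 5 ]; then main "$@"; fi
```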