Deploying a certificate revocation policy against a federated identity provider using a static certificate revocation list
Article ID: 42835

Products

CA API Gateway

Issue/Introduction

The CA API Gateway can validate client certificates in several ways: it can validate chains of trust, check the validity and expiry periods of certificates, and check certificates against certificate revocation lists (CRLs). This article describes how to use a CRL hosted on an external site to validate users or systems consuming services published in, and protected by, a Gateway cluster, with the CRL applied to a federated identity provider located within the Gateway appliance. The same approach can be used with directory services (such as Active Directory or generic LDAP directories) or with the internal identity provider as necessary.

Environment

All supported versions of the API Gateway

Resolution

Deploying certificate revocation checking requires four separate processes:

  1. Trusting a certificate authority to sign client certificates
  2. Creating a validation policy
  3. Maintaining an identity provider that accepts client certificates as a form of authentication
  4. Publishing a service that requires client certificates and authenticates them against an identity provider

Trusting a certificate authority

  1. Log in to the Policy Manager as an administrative user
  2. Select the Manage Certificates task
  3. Click Add to import a certificate
  4. Set Signing Client Certificates as an acceptable usage
  5. Set the Certificate is a Trust Anchor checkbox

More information on adding certificates to the Gateway's local certificate trust store can be found within the Policy Manager User Manual for the applicable version of the Gateway.

Creating a validation policy

  1. Click the Certificate Validation button from within the Manage Certificates task
  2. Set Revocation checking as the validation option for identity providers
  3. Add a new revocation checking policy
  4. Add a new policy declaration
  5. Set CRL from URL as the CRL type
  6. Set the URL to an HTTP(S) URL pointing to a valid CRL file
  7. Click Add to set a trusted issuer
  8. Select the CA certificate imported previously
  9. Check Use as default revocation checking policy

Maintaining an identity provider

  1. Log in to the Policy Manager as an administrative user
  2. Select the Create Federated Identity Provider button from the home page
  3. Set X.509 Certificate as an allowed credential source
  4. Add the CA certificate imported previously as a Trusted Certificate
  5. Set the Validation Options to Use Default

Publish a new service

  1. Add Require SSL or TLS with Client Certificate Authentication
  2. Add Authenticate Against Identity Provider
  3. Consume the service with a client certificate issued by an issuer that is trusted for the federated identity provider

Additional Information

Client certificate revocation checking for client certificate authentication

Use case:

A federated identity provider (FIP) is configured for X.509 credentials using the trusted certificate of the root CA that signs the client certificates (note: no user certificates are added to this FIP).

A client accesses a Gateway endpoint from a browser with an installed P12 client certificate issued by the root CA whose trusted certificate was added to the FIP.

The client is authenticated against the identity provider (FIP).

The Validate Certificate assertion performs revocation checking (CRL checking).