Checking for the presence and validity of a Certificate using two different 'Require SSL' assertions

Article ID: 7279

Updated On: 02-08-2024

Products

CA API Gateway

Issue/Introduction

In a policy, some use cases call for separating how the 'Require SSL' assertion handles the client certificate. For example, the first branch of logic may check only for the presence of the certificate, whereas a later branch checks the validity of that same certificate.

The problem is that if an expired certificate passes the first branch (which checks only for the presence of a certificate), it will also pass the later branch that is meant to check the validity of the certificate.

Environment

Release:
Component: APIGTW

Cause

The Gateway does this almost as a 'caching' mechanism to reduce policy overhead. Because it has already checked for the certificate, it reuses the details from the earlier check (where validity was not examined), so the second assertion passes even though the certificate is expired and not valid.

Resolution

Instead of using a second 'Require SSL' assertion to check validity, use a Compare Expression assertion to check it. The compare expression should look like the one in the attached screenshot (see Attachments):

This compare expression takes the certificate's validity date from a built-in context variable and compares it against the gateway time, which checks that the certificate is currently valid and not expired.
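As an added illustration, not Gateway policy code and not from the original article, the following Python models the two branches the article describes: a presence-only check and an explicit validity comparison against a fixed gateway time, so the divergence for an expired (or not-yet-valid) certificate is visible. It assumes certificate dates in the string format Python's ssl module returns from getpeercert(); the certificates, constants and function names are constructed for the example.

```python
import ssl

# Constructed sample client certificates in the dict shape that
# ssl.SSLSocket.getpeercert() returns (only the fields this check needs);
# the dates are made up for the example.
EXPIRED_CERT = {"subject": ((("commonName", "client-expired"),),),
                "notBefore": "Jan  1 00:00:00 2020 GMT",
                "notAfter": "Jan  1 00:00:00 2021 GMT"}
VALID_CERT = {"subject": ((("commonName", "client-valid"),),),
              "notBefore": "Jan  1 00:00:00 2020 GMT",
              "notAfter": "Jan  1 00:00:00 2040 GMT"}
NOT_YET_VALID_CERT = {"subject": ((("commonName", "client-future"),),),
                      "notBefore": "Jan  1 00:00:00 2035 GMT",
                      "notAfter": "Jan  1 00:00:00 2040 GMT"}

# Fixed "gateway time" (seconds since the epoch, UTC) so the run is
# deterministic; it stands in for the Gateway's own clock variable.
GATEWAY_TIME = ssl.cert_time_to_seconds("Feb  8 00:00:00 2024 GMT")


def cert_present(cert):
    """First branch: only asks whether a client certificate was presented."""
    return cert is not None


def cert_valid_at(cert, now):
    """Second branch done as an explicit comparison: the certificate's
    validity window must contain the gateway time. An absent certificate
    fails here as well, so this branch is safe to evaluate on its own."""
    if cert is None:
        return False
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now <= not_after


def evaluate_policy(cert, now=GATEWAY_TIME):
    """Run both branches and return (present, valid). For an expired or
    not-yet-valid certificate the two results differ, which is the case a
    repeated 'Require SSL' check would miss."""
    return cert_present(cert), cert_valid_at(cert, now)


if __name__ == "__main__":
    for name, cert in [("expired", EXPIRED_CERT), ("valid", VALID_CERT),
                       ("not yet valid", NOT_YET_VALID_CERT), ("none", None)]:
        print(name, evaluate_policy(cert))
```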

Attachments

1558702903286000007279_sktwi1f5rjvs16q12.png