Checking for the presence and validity of a Certificate using two different 'Require SSL' assertions


Article ID: 7279

Products

CA API Gateway

Issue/Introduction

In Policy, some use cases may want to separate the ways in which the 'Require SSL' assertion handles the client certificate. For example, the first branch of logic may check only for the presence of a certificate, whereas a later branch checks the validity of that same certificate.

[Image: Policy screenshot.PNG (attached), showing the two 'Require SSL' branches in the policy]

The problem is that if an expired certificate passes the first branch (which only checked for the presence of a certificate), it will also pass the later branch that checks the validity of the certificate.

Cause

The Gateway does this as a form of 'caching' to reduce policy overhead. Because it has already evaluated the certificate in the first branch, it reuses the result from that earlier check (where validity was not examined) in the second branch, so the request passes even though the certificate is expired and not valid.

Environment

Release:
Component: APIGTW

Resolution

Instead of having the second 'Require SSL' assertion check for validity, use a Compare Expression assertion to check the validity. The compared variable should look like the below:

[Image: Compare.PNG (/servlet/servlet.FileDownload?file=0150c000004AKFDAA4), showing the Compare Expression assertion configuration]

This Compare Expression reads the certificate's validity period from a built-in context variable and compares it against the current Gateway time, which checks the certificate's validity directly and ensures it is not expired.
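The following is an added illustration, not part of this article and not CA API Gateway policy code: a small Python model of the two-branch policy described in the Cause and Resolution sections. It uses the certificate dictionary shape returned by Python's `ssl.SSLSocket.getpeercert()` and the standard-library `ssl.cert_time_to_seconds` helper to parse `notBefore`/`notAfter`. The certificates, the `now` timestamp and the "cached result" model of the Gateway's behaviour are constructed assumptions; the Gateway's actual context variable names are not shown here because the article does not name them.

```python
import ssl
import time

# Constructed sample certificates in the dict shape returned by
# ssl.SSLSocket.getpeercert(). These are illustrative values, not real certs.
EXPIRED_CERT = {
    "subject": ((("commonName", "client.example.test"),),),
    "notBefore": "Jan 15 00:00:00 2019 GMT",
    "notAfter": "Jan 15 00:00:00 2020 GMT",
}
VALID_CERT = {
    "subject": ((("commonName", "client.example.test"),),),
    "notBefore": "Jan 15 00:00:00 2019 GMT",
    "notAfter": "Jan 15 00:00:00 2099 GMT",
}

# Fixed evaluation time (constructed) so the example is deterministic.
FIXED_NOW = ssl.cert_time_to_seconds("Jun 15 00:00:00 2021 GMT")


def cert_present(cert):
    """Branch 1: 'Require SSL' with a presence-only check. Any non-empty
    certificate passes, expired or not."""
    return bool(cert)


def cert_valid(cert, now=None):
    """Branch 2 (corrected): explicit comparison of the certificate's validity
    period against the current time, mirroring the Compare Expression in the
    article. Returns False for a missing certificate or one outside its window."""
    if not cert:
        return False
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now <= not_after


def policy_reusing_cached_check(cert):
    """Simplified model (an assumption, not Gateway internals) of the behaviour
    the article describes: the second branch reuses the outcome of the first
    'Require SSL' evaluation instead of re-examining validity, so an expired
    certificate that passed the presence check also passes here."""
    cached_require_ssl_result = cert_present(cert)   # branch 1 result is kept
    if not cached_require_ssl_result:
        return "rejected: no certificate"
    if not cached_require_ssl_result:                # branch 2 reads the cache
        return "rejected: certificate outside validity period"
    return "allowed"


def policy_with_compare_expression(cert, now=None):
    """Corrected policy: branch 1 requires presence, branch 2 compares the
    validity period against the current time rather than trusting the cache."""
    if not cert_present(cert):
        return "rejected: no certificate"
    if not cert_valid(cert, now):
        return "rejected: certificate outside validity period"
    return "allowed"


if __name__ == "__main__":
    for label, cert in (("expired", EXPIRED_CERT), ("valid", VALID_CERT), ("none", {})):
        print(label,
              "| cached-check policy:", policy_reusing_cached_check(cert),
              "| compare-expression policy:", policy_with_compare_expression(cert, FIXED_NOW))
```

Running the block shows the expired certificate being allowed by the cached-check model but rejected once the second branch performs its own time comparison; the valid certificate and the missing certificate behave the same under both policies.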

Attachments

1558702903286000007279_sktwi1f5rjvs16q12.png