4 replies Latest Post - ‏2013-07-27T18:58:23Z by HermannSW
harish8115
15 Posts

Pinned topic DataPower multiple services on a single port

‏2013-07-26T00:55:47Z |

I need to expose multiple services (different WSDLs) through DataPower and each service will have a different set of clients. I am enforcing cert-based authentication on the clients (two-way profile). Is it possible for me to expose all the services on the same port (e.g., 443) and still enforce cert-based authentication on each incoming client?

For example, I have two services Service A (URL1?wsdl) and Service B (URL2?wsdl). Each service has a different set of clients, say,

client 1 and 2 for Service A and

client 3 and 4 for Service B 

I have to enforce cert-based authentication for all the clients. Can I expose both services, A & B, on port 443, enable cert-based client authentication and still ensure that clients of one service cannot authenticate to the other service? If not, is there a workaround using which I can achieve this?

Kindly advise.

  • Rohit-Goyal
    104 Posts

    Re: DataPower multiple services on a single port

    ‏2013-07-26T01:06:16Z  in response to harish8115

    I think you should be able to do that. You can attach one FSH to multiple WebService Proxies. So you can create one HTTPS FSH and attach it to 2 WSPs.

    About SSL, the SSL profile attached to the FSH can have certificates from both clients (or the CA cert of the client certs) in validation credentials.

     

    Rohit

    • PradeepMalineni
      30 Posts

      Re: DataPower multiple services on a single port

      ‏2013-07-26T02:42:32Z  in response to Rohit-Goyal

      Another solution for this is to have two FSHs on the same port but with different URIs listening to one WSP. In the processing policy, use an AAA policy to extract the certificate details and authorize based on the service the particular request is trying to access.

      I am assuming that each client sends two different certs with different CN names.
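The authorization decision described in the reply above (take the subject of the already validated client certificate and allow the call only if that client belongs to the requested service), sketched as an added Python example; it is not DataPower configuration and not code from any poster. The `/serviceA` and `/serviceB` prefixes, the `client1` to `client4` CNs and all function names are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed policy (assumption): URI prefix of each service -> client CNs allowed to call it.
SERVICE_CLIENTS = {
    "/serviceA": {"client1", "client2"},
    "/serviceB": {"client3", "client4"},
}

def split_rdns(dn):
    """Split a subject DN on unescaped ',' or '+', dropping the escaping backslashes.
    Hex escapes such as \\2C are not decoded; such a value simply fails to match."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch in ",+":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts

def subject_cn(dn):
    """Return the single CN of the DN, or None when it is missing or repeated."""
    cns = []
    for rdn in split_rdns(dn):
        key, _, value = rdn.partition("=")
        if key.strip().upper() == "CN":
            cns.append(value.strip())
    return cns[0] if len(cns) == 1 else None

def service_for(url):
    """Map the request URL to a service prefix after decoding and normalizing the path."""
    path = posixpath.normpath(unquote(urlsplit(url).path))
    for prefix in SERVICE_CLIENTS:
        if path == prefix or path.startswith(prefix + "/"):
            return prefix
    return None

def authorize(url, subject_dn):
    """Default deny: allow only a known service called by a CN listed for it."""
    service, cn = service_for(url), subject_cn(subject_dn)
    return service is not None and cn is not None and cn in SERVICE_CLIENTS[service]
```

The check only makes sense after the TLS handshake has validated the certificate chain; matching on the CN alone follows the assumption stated in the reply that each client presents a certificate with a distinct CN.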

  • harish8115
    15 Posts

    Re: DataPower multiple services on a single port

    ‏2013-07-27T03:25:10Z  in response to harish8115

    This does not solve my problem. If I create one FSH with all the clients' certs and attach it to multiple services, then clients of any service will be able to invoke methods on the services, even if they are not supposed to. I know that this depends on their knowledge of the service endpoint, but I would really prefer to keep them separate. Is there a way / workaround I can achieve this by exposing all the services on port 443?

    • HermannSW
      3147 Posts

      Re: DataPower multiple services on a single port

      ‏2013-07-27T18:58:23Z  in response to harish8115

      I do not see your problem.

      Have 1 FSH for all your WSPs.

      Then, in XML Manager's User Agent go to "SSL Proxy Profile Policy" tab.

      There you can specify which SSL Proxy Profile has to be associated with which endpoint by URL Matching expressions.


      Hermann<myXsltBlog/> <myXsltTweets/> <myCE/>