  • Latest Post - ‏2013-07-27T18:58:23Z by HermannSW
harish8115
21 Posts

Pinned topic DataPower multiple services on a single port

‏2013-07-26T00:55:47Z |

I need to expose multiple services (different WSDLs) through DataPower and each service will have a different set of clients. I am enforcing cert-based authentication on the clients (two-way profile). Is it possible for me to expose all the services on the same port (e.g., 443) and still enforce cert-based authentication on each incoming client?

For example, I have two services, Service A (URL1?wsdl) and Service B (URL2?wsdl). Each service has a different set of clients, say,

client 1 and 2 for Service A and

client 3 and 4 for Service B 

I have to enforce cert-based authentication for all the clients. Can I expose both services, A & B, on port 443, enable cert-based client authentication and still ensure that clients of one service cannot authenticate to the other service? If not, is there a workaround using which I can achieve this?

Kindly advise.

  • Rohit-Goyal
    133 Posts

    Re: DataPower multiple services on a single port

    ‏2013-07-26T01:06:16Z  

    I think you should be able to do that. You can attach one FSH to multiple WebService Proxies. So you can create one HTTPS FSH and attach it to 2 WSPs.

    About SSL, the SSL profile attached to the FSH can have certificates from both clients (or the CA cert of the client certs) in validation credentials.

     

    Rohit

  • PradeepMalineni
    31 Posts

    Re: DataPower multiple services on a single port

    ‏2013-07-26T02:42:32Z  

    Another solution for this is to have two FSHs on the same port but with different URIs listening to one WSP. In the processing policy, use an AAA policy to extract the certificate details and authorize based on the service the particular request is trying to access.

    I am assuming that each client sends two different certs with different CN names.
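
The per-service authorization check described in the reply above, as an added example that is not part of the thread and not DataPower configuration: plain JavaScript that assumes the TLS layer has already validated the client certificate chain and passes in the request URI and subject DN. The service paths, CN values and function names are hypothetical.

```javascript
// Constructed policy mirroring the thread: clients 1-2 -> Service A, clients 3-4 -> Service B.
// Paths and CN values are hypothetical placeholders.
const POLICY = [
  { prefix: "/serviceA", allowedCNs: new Set(["client1", "client2"]) },
  { prefix: "/serviceB", allowedCNs: new Set(["client3", "client4"]) },
];

// Pull the single CN out of a comma-separated subject DN, honouring "\," escapes so a
// value such as O=Foo\,CN=client3 cannot smuggle in a second CN.
function subjectCN(dn) {
  const rdns = [];
  let cur = "";
  for (let i = 0; i < dn.length; i++) {
    if (dn[i] === "\\" && i + 1 < dn.length) cur += dn[++i];
    else if (dn[i] === ",") { rdns.push(cur); cur = ""; }
    else cur += dn[i];
  }
  rdns.push(cur);
  const cns = rdns.map((s) => s.trim()).filter((s) => /^cn=/i.test(s)).map((s) => s.slice(3));
  return cns.length === 1 ? cns[0] : null; // zero or several CNs: refuse to guess
}

// Drop query/fragment, percent-decode once, and resolve "." and ".." so that
// "/serviceA/../serviceB/x" is judged as "/serviceB/x".
function normalisePath(uri) {
  let decoded;
  try { decoded = decodeURIComponent(uri.split(/[?#]/)[0]); } catch (e) { return null; }
  const out = [];
  for (const seg of decoded.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop(); else out.push(seg);
  }
  return "/" + out.join("/");
}

// Default deny: the certificate's CN must be listed for the service the path maps to.
function authorize(requestUri, subjectDn) {
  const path = normalisePath(requestUri);
  const cn = subjectCN(subjectDn);
  if (path === null || cn === null) return false;
  const rule = POLICY.find((r) => path === r.prefix || path.startsWith(r.prefix + "/"));
  return rule !== undefined && rule.allowedCNs.has(cn);
}

console.log(authorize("/serviceA/orders?wsdl", "CN=client1,O=Example"));        // true
console.log(authorize("/serviceA/../serviceB/orders", "CN=client1,O=Example")); // false
```

Matching on CN alone is only meaningful when every CA in the validation credentials is trusted not to issue a colliding CN; matching the full subject DN or a certificate fingerprint is stricter.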

  • harish8115
    21 Posts

    Re: DataPower multiple services on a single port

    ‏2013-07-27T03:25:10Z  

    This does not solve my problem. If I create one FSH with all the client certs and attach it to multiple services, then clients of any service will be able to invoke methods on the services, even if they are not supposed to. I know that this depends on their knowledge of the service endpoint, but I would really prefer to keep them separate. Is there a way / workaround I can achieve this by exposing all the services on port 443?

  • HermannSW
    4657 Posts

    Re: DataPower multiple services on a single port

    ‏2013-07-27T18:58:23Z  

    I do not see your problem.

    Have 1 FSH for all your WSPs.

    Then, in XML Manager's User Agent go to "SSL Proxy Profile Policy" tab.

    There you can specify which SSL Proxy Profile has to be associated with which endpoint by URL Matching expressions.


    Hermann