3 replies • Latest Post - 2013-07-11T10:20:58Z by RajeevDP
RajeevDP
4 Posts

Pinned topic Dynamic SSL mutual auth using verify.xsl stylesheet

2013-07-01T05:13:16Z

Hi Experts,

We have a scenario where we need to implement SSL mutual authentication dynamically by customizing the stylesheets used by verify action.

We want to avoid adding client certificates manually to the SSL proxy profile each time a new client is added. Instead, we are planning to have a valcred for each client and dynamically authenticate the client by using customized stylesheets similar to those used by the verify action.

Is this a recommended approach?

Thanks,

Rajeev 

Updated on 2013-07-01T05:19:51Z by RajeevDP
  • swlinn
    1348 Posts
    ACCEPTED ANSWER

    Re: Dynamic SSL mutual auth using verify.xsl stylesheet

    2013-07-09T17:17:35Z

    SSL Mutual Authentication is enforced by the front side handler long before your multi-step processing is invoked. The only approach I can think of is to accept the client certificate in your FSH valcred by specifying a group of immediate issuing CA certificates, and then use your AAA action to verify that the subject DN of that certificate matches a list you maintain. Thus, instead of having to update configuration when a new client is onboarded, they will need to provide a certificate using one of your supported CA issuers, and you just update your list of subject DNs in a file (for example, an AAAInfo.xml file).

    Regards,

    Steve
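
    As an added illustration of the two-step design in Steve's answer (TLS chain validation against the issuing CAs in the FSH valcred, then a subject-DN allow-list check in the AAA action), here is Python written for this thread, not DataPower code; the allow-list XML, the DNs and the function names are all constructed, and the XML format is a stand-in, not the real AAAInfo.xml schema.

```python
import re
import xml.etree.ElementTree as ET

# Constructed allow-list in a made-up format (not the real AAAInfo.xml
# schema): one <client> per onboarded partner, keyed by the issuing CA
# that the FSH validation credentials already trust.
ALLOWLIST_XML = """<clients>
  <client issuer="CN=Partner Issuing CA,O=Example Corp,C=US">
    <subject>CN=client-a.partner.example,OU=Integration,O=Partner A,C=US</subject>
  </client>
  <client issuer="CN=Partner Issuing CA,O=Example Corp,C=US">
    <subject>CN=client-b.partner.example, OU=Integration, O=Partner B, C=GB</subject>
  </client>
</clients>"""


def normalize_dn(dn):
    """Canonicalize an RFC 4514 style DN string: upper-case attribute
    types, strip whitespace around separators, and keep escaped commas
    (e.g. 'O=Foo\\, Inc') inside their value, so that the same DN
    written two ways still compares equal without a loose match."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        attr, value = rdn.split("=", 1)
        rdns.append("%s=%s" % (attr.strip().upper(), value.strip()))
    return ",".join(rdns)


def load_allowlist(xml_text):
    """Return the set of permitted (issuer DN, subject DN) pairs."""
    root = ET.fromstring(xml_text)
    allowed = set()
    for client in root.findall("client"):
        issuer = normalize_dn(client.get("issuer"))
        for subj in client.findall("subject"):
            allowed.add((issuer, normalize_dn(subj.text)))
    return allowed


def is_authorized(issuer_dn, subject_dn, allowed):
    """Authorization step of the AAA policy. The (issuer, subject) pair
    is checked, not the subject alone, so a certificate with an identical
    subject DN issued by a different (but also trusted) CA is rejected."""
    try:
        key = (normalize_dn(issuer_dn), normalize_dn(subject_dn))
    except ValueError:
        return False
    return key in allowed
```

    Onboarding a new client then means adding one entry to the list rather than touching the SSL profile; the issuer check is what keeps "trusted CA" from silently becoming "any subject that CA will sign".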

  • arun_tcs
    144 Posts

    Re: Dynamic SSL mutual auth using verify.xsl stylesheet

    2013-07-10T19:29:28Z

    Hello Steve,

    I am having a similar scenario, where the security gateway has to validate the digital signature of the consumer and authenticate it. In some scenarios I would also be required to sign the outgoing message. I do not want to have a single validation credential object with all the consumer certificates because of management and performance issues.

    I would like to understand if the following approach is feasible:

    a. Define different validation credential objects for each of the consumer

    b. Write custom stylesheet to select the validation credential object at runtime.

    If that's feasible, can we pass the validation credential object as a parameter to verify.xsl under the store directory?

    If this approach is not feasible, how can this issue be addressed so that we can define a single entry and exit point for the gateway, without having the need to manage multiple objects or avoiding certificate management issues?

    Please share your ideas and comments.

    Thanks and Regards,

    Arun

  • RajeevDP
    4 Posts

    Re: Dynamic SSL mutual auth using verify.xsl stylesheet

    2013-07-11T10:20:58Z

    Thanks Steve,

    This is exactly what we implemented.

    Arun,

    The problem with reusing verify.xsl is that it finally calls a stylesheet (crypto.xml.xsl) whose contents were not accessible. We dropped this idea and came up with an approach similar to the one suggested by Steve above.