soaDevArch
82 Posts

Pinned topic cert concern

‏2013-09-11T14:01:22Z |

Hi,

I do not have complete admin access on the appliances. This has been the case at most of the places/clients.
I know something about the pubcerts. These are shipped with the appliances.
Can someone share the list of certs that will be shipped?
The main issue is that we're seeing some certs like PTT-post*, VeriSign-Class-2-Public* and many more getting created. Not sure how they're created. But we see crypto cert objects for all certs in pubcert. If someone can upload, it would be whoever has access to default and complete admin access, right?
Can someone throw some light and share any technotes?

Thanks!
Salla

  • soaDevArch
    82 Posts
    ACCEPTED ANSWER

    Re: cert concern

    ‏2013-09-17T03:00:19Z  

    Thanks Rohit! We found the reason: if someone clicked the create validation repot *** button (accidentally), we'll see the whole bunch of certs under pubcert. I'm good here...

    Thanks! 

    Salla

  • SriniDp
    46 Posts

    Re: cert concern

    ‏2013-09-13T20:06:43Z  

    Hello,

    When you create a certificate object and upload a cert to it via proxy profiles or crypto profiles, DP will generate crypto objects by appending a number to the existing certificate objects and will mess up all the crypto configurations. We faced this a couple of times when we tried to add the certificates from the higher-level objects instead of lower-level objects.

    So, the best practice is: whenever you want to add a certificate into DP, you have to upload the cert in the cert directory and create a crypto certificate object from the navigation menu, and then add the cert to the crypto cert object, then add the crypto cert to the valcred, then to the crypto profile, then to the proxy profile.

    Thought it might help you if you're having the same situation.

  • soaDevArch
    82 Posts

    Re: cert concern

    ‏2013-09-13T21:44:30Z  
    Thank you Srini for your inputs!

    We do it that way: upload it using the cert dir and then configure the objects.

    My main concern was with pubcert. Somehow we're seeing that certs were created from pubcert. Looks like someone hit the create validation object from pubcert cert by mistake on val cred.

    Thanks!
    Salla

  • Rohit-Goyal
    151 Posts

    Re: cert concern

    ‏2013-09-16T05:35:06Z  

    Hi Salla,

    Anyone with RBM access "*/default/*?Access=r+w+a+d+x" can upload a new cert under the pubcert directory.

    The examples which you have mentioned are not generated by DataPower. They come with DataPower by default. pubcerts are mostly unchanged until and unless you have got a new Certificate Authority added.

    In case you have an internal CA cert (e.g. your organization decided to sign every certificate used by any system within the company), you should upload that in SharedCert and use it across all domains.

    Please share some more specific detail if you're looking for some different information.

    Thanks, Rohit 
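
An added example, not part of the thread and not IBM code: a small audit of RBM access-policy strings that flags the ones which would let an account upload into pubcert in the default domain, as the post above describes. The `file/pubcert` resource name, the choice of `w`/`a` as the permissions needed for an upload, and every sample policy except the one quoted in the post are assumptions.

```python
# Assumption: files under pubcert are addressed as the RBM resource "file/pubcert".
PUBCERT_RESOURCE = "file/pubcert"
# Assumption: uploading a file requires write (w) or add (a) permission.
UPLOAD_PERMS = {"w", "a"}


def parse_policy(policy):
    """Split '<device>/<domain>/<resource>?...&Access=r+w+...' into its parts."""
    path, _, query = policy.partition("?")
    # Pad so that a malformed policy yields empty fields instead of raising.
    device, domain, resource = (path.split("/", 2) + ["", ""])[:3]
    access = ""
    for field in query.split("&"):
        key, _, value = field.partition("=")
        if key == "Access":  # other fields (e.g. Name=...) are ignored here
            access = value
    perms = {p for p in access.split("+") if p}
    return {"device": device, "domain": domain,
            "resource": resource, "perms": perms}


def covers(pattern, value):
    """'*' covers everything; anything else must match exactly."""
    return pattern == "*" or pattern == value


def can_upload_to_pubcert(policy):
    """True when the policy reaches pubcert in 'default' with w or a."""
    p = parse_policy(policy)
    return (covers(p["domain"], "default")
            and covers(p["resource"], PUBCERT_RESOURCE)
            and bool(p["perms"] & UPLOAD_PERMS))


def audit(policies):
    """Return the subset of policies that should be reviewed."""
    return [pol for pol in policies if can_upload_to_pubcert(pol)]


# Constructed sample input; only the first string appears in the thread.
SAMPLE_POLICIES = [
    "*/default/*?Access=r+w+a+d+x",
    "*/default/*?Access=r",
    "*/appdomain/*?Access=r+w+a+d+x",
    "*/*/file/pubcert?Access=a",
    "*/default/file/local?Access=r+w",
]

if __name__ == "__main__":
    for pol in audit(SAMPLE_POLICIES):
        print("review:", pol)
```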

     
