5 replies Latest Post - ‏2013-11-04T15:35:21Z by JoeMorganNTST
dplearner444
10 Posts

Pinned topic Datapower as web service Client

‏2013-11-01T19:07:22Z |

I have a requirement to call a web service over HTTPS from DataPower.

I have the client certificate, intermediate certificates and root certificate.

I have added all of them to the crypto validation credentials.

But whenever I make a call I end up receiving a Network Error on the back side server.

I captured a packet trace and identified that the certificate length sent by DataPower is zero, and the same has been confirmed by our vendor.

Am I missing anything here, as this is the normal process to configure client certificates and make HTTPS calls to vendor web services?

Any reason why DataPower is not sending the certificates?

 

 

  • JoeMorganNTST
    427 Posts

    Re: Datapower as web service Client

    ‏2013-11-01T19:18:01Z  in response to dplearner444

    I suspect you're doing Mutual SSL? If DataPower is the client, you'll also need to add your company's certificate in the Identification Credential. All you're doing so far is just validating their certificate.

    • dplearner444
      10 Posts

      Re: Datapower as web service Client

      ‏2013-11-01T19:46:58Z  in response to JoeMorganNTST

      We have the existing service on legacy service but it's just client authentication. There is no mutual SSL involved.

      I understand that when DataPower acts as a client to an HTTPS web service we don't have to specifically add any validation creds, as the root CA will already be in the pubcert folder.

      This problem is weird.

      • JoeMorganNTST
        427 Posts

        Re: Datapower as web service Client

        ‏2013-11-01T19:55:12Z  in response to dplearner444

        But didn't you say:

        I captured packet trace and identified that the certificate length sent by Datapower is zero and same has been confirmed by our vendor.

        DataPower *should not* be *sending* a cert in one-way SSL. All you should need to do is validate the one sent by the back-end server. You'll still need the validation credential.

         

        • dplearner444
          10 Posts

          Re: Datapower as web service Client

          ‏2013-11-04T15:07:11Z  in response to JoeMorganNTST

          It's not a mutual SSL, as I can open the vendor URL after installing the cert on my browser.

          Vendor is expecting DataPower to provide the client certificate of the vendor so that they can authenticate us.

           

          • JoeMorganNTST
            427 Posts

            Re: Datapower as web service Client

            ‏2013-11-04T15:35:21Z  in response to dplearner444

            Are there 2 different vendors in the above statement?

            Vendor is expecting datapower to provide the client certificate of the vendor so that they can authenticate us.

            I'm a bit lost. You're saying you're not doing mutual SSL, but then you're saying you have to provide a cert. Let's break it down.

            In normal SSL, you initiate a secure connection to the vendor, they send their certificate, you validate and the process moves forward.

            In mutual-SSL, you initiate a secure connection to the vendor, they send their certificate, you validate, they ask for your certificate and they validate who you are. So, if they are asking you to provide a cert so they can validate you, and DataPower is the client, then you are doing mutual-SSL.

            (Caps for emphasis) It makes absolutely no sense for *THEM* to ask *YOU* for *THEIR* certificate so *THEY* can validate who *YOU* are. If you can do that, then their certificate is compromised, and there is no validation for either side.

            Joe

            Updated on 2013-11-04T15:37:13Z by JoeMorganNTST
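
An added example, not part of the thread and not DataPower code: in TLS 1.0 to 1.2, the "certificate length is zero" seen in the packet trace is a client Certificate handshake message with an empty certificate_list, which a client sends when the server requests a certificate and it has none configured to present. The Python below parses that message from raw handshake bytes; the function names and the sample byte strings are constructed for this illustration.

```python
HANDSHAKE_CERTIFICATE = 11  # HandshakeType.certificate in TLS 1.0-1.2

def u24(buf, off):
    """Read a 3-byte big-endian length field."""
    if off + 3 > len(buf):
        raise ValueError("truncated length field")
    return int.from_bytes(buf[off:off + 3], "big")

def parse_certificate_message(msg):
    """Return the length of each certificate in a TLS 1.0-1.2 Certificate message."""
    if len(msg) < 4 or msg[0] != HANDSHAKE_CERTIFICATE:
        raise ValueError("not a Certificate handshake message")
    body_len = u24(msg, 1)
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    list_len = u24(body, 0)
    if list_len != body_len - 3:
        raise ValueError("certificate_list length mismatch")
    lengths, off = [], 3
    while off < len(body):
        cert_len = u24(body, off)
        off += 3
        if off + cert_len > len(body):
            raise ValueError("certificate entry overruns list")
        lengths.append(cert_len)
        off += cert_len
    return lengths

def diagnose(msg):
    """Summarise what the client presented in its Certificate message."""
    lengths = parse_certificate_message(msg)
    if not lengths:
        return "empty certificate list: client presented no identity certificate"
    return f"{len(lengths)} certificate(s) sent, leaf is {lengths[0]} bytes"

# Constructed sample: Certificate message with a zero-length certificate_list.
EMPTY = bytes.fromhex("0b000003000000")
# Constructed sample: two dummy "certificates" of 5 and 3 bytes (not real DER).
CHAIN = (bytes.fromhex("0b000011" "00000e" "000005") + b"\xaa" * 5
         + bytes.fromhex("000003") + b"\xbb" * 3)

if __name__ == "__main__":
    print(diagnose(EMPTY))
    print(diagnose(CHAIN))
```

The input is the reassembled handshake message taken from a capture, without the 5-byte TLS record header; TLS 1.3 uses a different Certificate layout and is not handled here.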