Topic
  • 3 replies
  • Latest Post - ‏2013-09-18T17:51:35Z by SriniDp
thotranh, 81 Posts

Pinned topic Datapower sends request outbound

‏2013-09-18T15:26:54Z |

I am still in the process of learning DataPower.

I have a scenario like this:

External Web Service <----------HTTP/SSL/443----   DATAPOWER in the DMZ <---------HTTP/80---------  Back-End Server to serve as a client

(typically, I work with the traffic in the opposite direction)

1/ Request to the external REST service going outbound through the DataPower

2/ Request stops at the DataPower

3/ DataPower sends an SSL-enabled HTTP request outgoing to an external WS.

The external WS has to be able to recognize and authenticate the DP's certificate (say, "myDP.pem"). Here's my setup:

1/ Multi-Protocol Gateway

2/ BackendURL is set to the external WS URL (it's "backend", but actually going outbound)

3/ Configure User Agent in XML Manager: here's the part that I am still confused about. How do I configure such that DP will send its cert to the external service?

Is it configured via SSL Proxy Profile Policy tab -> SSL Proxy Profile:

        -- Assume it's a FORWARD direction

        -- Configure FORWARD client crypto profile with Identification Credentials?

I read from the book that Identification Credentials is optional for SSL going outbound? If it's optional, where do I actually specify the "DP cert"?

PLEASE ADVISE or point me to the correct lesson on the net to show me how to do this correctly.

Thanks

 

  • SriniDp, 46 Posts

    Re: Datapower sends request outbound

    ‏2013-09-18T15:41:31Z  

    In your case DP is acting as a client to the external web service. If you want to make a secure connection with the external service, you need to be clear on the SSL configuration below on the server side, that is the external service in your case.

    Does the external service request client authentication?

    If yes, then it is mutual authentication; for that you need to have identification credentials, which contain the DP public and private key pair, and also validation credentials to verify the external certificate.

    If no, then it is not mutual authentication, and you don't need to have identification creds; only val creds are enough.

    You can configure an SSL proxy profile with a forward crypto profile.

    You will get a better understanding if you read about SSL in the handbook.

    Let me know if you need more.

    Thanks.

  • thotranh, 81 Posts

    Re: Datapower sends request outbound

    ‏2013-09-18T16:03:45Z  
    • In reply to SriniDp, 2013-09-18T15:41:31Z

    Thanks. It's a 2-way SSL (Client Authentication), so I guess I need both:

    User Agent Configuration -> SSL Proxy Profile:

    1/ SSL Direction: FORWARD?

    2/ Forward SSL Proxy Profile:

            2a/ IDENTIFICATION CREDENTIALS configuration:

                    Public - Private Key Pair: by sending this, the server will authenticate the DataPower with its cert?

            2b/ VALIDATION Credentials: What certificates does this need to have?

                    I don't get a public key / cert from the external server. I guess I need a CA cert here only?

    Please advise. I read about SSL from the handbook, but it also takes me some time to get familiar with it. From the book, I thought the DataPower, as the client, always needs to present its public key (cert) to the server no matter if Client Authentication is on or not? If it's just a 1-way SSL from DP -> Server, how does it present its cert without configuring the optional IDENTIFICATION CREDENTIALS?

    This is the part that I think I'm still missing. Please help. I greatly appreciate your time.

    Thanks

     

  • SriniDp, 46 Posts

    Re: Datapower sends request outbound

    ‏2013-09-18T17:51:35Z  
    • In reply to thotranh, 2013-09-18T16:03:45Z

    1/ SSL Direction: FORWARD --> Yes, because DP is acting as client

    2/ Forward SSL Proxy Profile:

            2a/ IDENTIFICATION CREDENTIALS configuration:

                    Public - Private Key Pair: by sending this, the server will authenticate the DataPower with its cert --> Yes (it's the DP's identification to the server)

            2b/ VALIDATION Credentials: What certificates does this need to have? (You can store the server's public cert if they provide you one, or you can store the issuer or root cert of the server cert)

    I don't get a public key / cert from the external server. I guess I need a CA cert here only? You can obtain the server cert or CA cert from the server URL also if they don't provide it to you manually. You can achieve this

    --> by typing the server URL in a browser (it's hard to explain here how to get it, but by googling you can do it easily)

    as the client, always needs to present its public key (cert) to the server no matter if Client Authentication is on or not? No, this is not true; the client presents its identification or cert only when the server asks for it (this is called Mutual Auth).

    The server cert has to be present always, no matter what.

    If it's just a 1-way SSL from DP -> Server, how does it present its cert without configuring the optional IDENTIFICATION CREDENTIALS?

    1-way or 2-way relates to the DP configuration, not the SSL specification.

    In SSL, the server always presents its certificate to the client even if it doesn't ask for it, but the client will only present its certificate if the server asks for it.

    If the server asks for a certificate then it is called mutual authentication; first you need to check whether your server is asking for a certificate or not.

    You can find this out by typing the server URL in a browser; if the browser prompts for a client cert, then it is mutual auth. If so, then you need to configure identification credentials in the crypto profile. If not, then leave the ID cred empty.

    Let me know for more info.