Certificate Validation

Overview

Whenever the API Gateway receives an X.509 certificate, either as part of the SSL handshake or as part of the XML message itself, it is important to be able to determine whether that certificate is legitimate or not. Certificates can be revoked by their issuers if it becomes apparent that the certificate is being used maliciously. Such certificates should never be trusted, and so it is very important that the API Gateway can perform certificate validation.

The API Gateway uses the following methods/protocols to validate certificates:

OCSP - Online Certificate Status Protocol

OCSP is an automated certificate checking network protocol. The API Gateway can query the OCSP responder for the status of a certificate. The responder returns whether the certificate is still trusted by the CA that issued it.

CRL - Certificate Revocation Lists

A CRL is a signed list indicating a set of certificates that are no longer considered valid (i.e. revoked certificates) by the certificate issuer. The API Gateway can query a CRL to find out if a given certificate has been revoked - if the certificate is present in the CRL, it should not be trusted.

XKMS - XML Key Management Services

XKMS is an XML-based protocol for (amongst other things) establishing the trustworthiness of a certificate over the Internet. The API Gateway can query an XKMS responder to determine whether or not a given certificate can be trusted.

Configuration

The API Gateway can check the validity of a client certificate using any of the following methods:

Note

To validate a certificate using either an OCSP or CRL lookup, the issuing CA's certificate should be trusted by the API Gateway. This is because for a CRL lookup, the CA's public key is needed to verify the signature on the CRL, and for an OCSP request, the protocol stipulates that the CA's public key must be submitted as part of the request. The issuing CA's public key is not always present in issued certificates, so it is necessary to retrieve it from the API Gateway's certificate store instead.
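To make the note concrete, here is an added CRL check written against Go's standard library (example code, not the API Gateway's own implementation): the CRL's signature is verified with the issuing CA's public key before its revoked-serial list is consulted, and a CRL that cannot be verified or is past its NextUpdate is reported as an error rather than as "not revoked". The Fixture function builds a throwaway CA and a CRL in memory, so all certificates, serials and times here are constructed data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// CheckCRL reports whether leaf's serial is listed in crlDER. The list is consulted only after its
// signature verifies with the issuing CA's public key; an unverifiable or stale CRL is an error, not "not revoked".
func CheckCRL(crlDER []byte, ca, leaf *x509.Certificate, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil { // this is why the CA cert must be in the store
		return false, err
	}
	if now.After(crl.NextUpdate) {
		return false, errors.New("CRL is stale: NextUpdate has passed")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// Fixture builds, in memory, a throwaway CA and a CA-signed CRL that revokes serial 3 (constructed data).
func Fixture() (crlDER []byte, ca *x509.Certificate) {
	now := time.Now()
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	ca, _ = x509.ParseCertificate(der) // the parsed copy carries the generated SubjectKeyId the CRL needs
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(3), RevocationTime: now}}}
	if crlDER, err = x509.CreateRevocationList(rand.Reader, crlTmpl, ca, key); err != nil { panic(err) }
	return crlDER, ca
}
```

Passing a non-CA certificate in place of the issuer, a tampered CRL, or a time past NextUpdate all yield an error from CheckCRL, which is the safe outcome: a certificate is only cleared by a CRL the gateway could actually verify.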

OCSP - Online Certificate Status Protocol

  1. Enter or select a name for the validation rule in the Name field.

  2. Select OCSP from the Type dropdown.

  3. Optionally enter a description of the rule in the Description field.

  4. Select a group of OCSP Responders from the URL Group field. The API Gateway will attempt to connect to the Responders in the selected group in a round-robin fashion. It will attempt to connect to the Responders with the highest priority first, before connecting to Responders with a lower priority. URL Groups can be added, edited, and removed by selecting the Add, Edit, and Remove buttons respectively.

    Take a look at the Configuring URL Groups section below for more information on adding and editing URL groups.

  5. Enter the user name of a User whose key will be used to sign status requests sent to the OCSP responder in the User Name field.

  6. Enter the corresponding password for this user in the Password field.

  7. If the OCSP Responder signs the OCSP response, and you wish to validate this signature, select the Validate Response checkbox.

CRL - Certificate Revocation Lists

  1. Enter or select a name for the validation rule in the Name field.

  2. Select CRL from the Type dropdown.

  3. Optionally enter a description of the rule in the Description field.

  4. Select a previously configured LDAP directory from the LDAP directory dropdown list, or add a new one using the Add button.

XKMS - XML Key Management Services

  1. Enter or select a name for the validation rule in the Name field.

  2. Select XKMS from the Type dropdown.

  3. Optionally enter a description of the rule in the Description field.

  4. Enter the URL of the XKMS Responder in the URL field.

  5. Enter the user name of a User whose key will be used to sign status requests sent to the XKMS responder in the User Name field.

  6. Enter the corresponding password for this user in the Password field.

Configuring URL Groups

The API Gateway can make connections on a round-robin basis to the URLs listed in a URL group, thus enabling a high degree of failover to external servers. URL groups can be configured by selecting the Add and/or Edit buttons.

The API Gateway will attempt to connect to the listed servers according to the priorities assigned to them. So, for example, let's assume there are two "High" priority URLs, one "Medium" URL, and a single "Low" URL configured. Assuming the API Gateway can successfully connect to the two "High" priority URLs, it will alternate requests between these two URLs only, in a round-robin fashion. The other group URLs will not be used at all. If, however, both of the "High" priority URLs become unavailable, the API Gateway will then try to use the "Medium" priority URL, and only if this fails will the "Low" priority URL be used.

So, in general, the API Gateway will attempt to round-robin requests over URLs of the same priority, but will use higher priority URLs before lower priority ones. When a new URL is added to the group it is automatically given the highest priority. Priorities can then be changed by selecting the URL and clicking the Up and Down buttons.

Individual URLs can be added and edited by selecting the URL from the table and clicking on the Add and Edit buttons respectively.

The following fields should be completed:

  • URL:

    Enter the full URL of the external server.

  • Timeout:

    Specify the timeout in seconds for connections to the specified server.

  • Time:

    Whenever the server becomes unavailable for whatever reason (maintenance, for example), no attempt will be made to connect to that server until the time specified here has elapsed. In other words, once a connection failure has been detected, the next connection to that URL will be made after this amount of time.

  • Username:

    If the specified server requires clients to authenticate to it over 2-way SSL, a User must be selected here for authentication.

  • Password:

    Enter the password for this user.

  • Host/IP:

    If the specified server sits behind a proxy server, the host name or IP address of the proxy server must be entered here.

  • Port:

    Enter the port on which the proxy is listening.
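The priority and round-robin selection described at the start of this section, together with the per-URL Time field above, as an added Go model (example code, not the API Gateway's own implementation): requests rotate round-robin inside the highest priority tier that still has an available URL, lower tiers are used only when every higher-tier URL is down, and a failed URL is skipped until its RetryWait (the Time field) has elapsed. The member names and URLs used in any test of it are constructed.

```go
package main

import (
	"errors"
	"time"
)

// Priority tiers of a URL group; higher tiers are tried first.
type Priority int

const Low, Medium, High Priority = 0, 1, 2

// Member is one URL in the group. RetryWait models the "Time" field: after a connection
// failure the URL is skipped until that much time has elapsed.
type Member struct {
	URL       string
	Priority  Priority
	RetryWait time.Duration
	downUntil time.Time
}

// MarkFailed records a connection failure at time now.
func (m *Member) MarkFailed(now time.Time) { m.downUntil = now.Add(m.RetryWait) }

// URLGroup rotates requests round-robin inside the highest priority tier that still has
// an available member; lower tiers are used only when every higher-tier URL is down.
type URLGroup struct {
	Members []*Member
	cursor  [High + 1]int // round-robin position per tier
}

// Next returns the URL to try for the next request, or an error if every member is down.
func (g *URLGroup) Next(now time.Time) (string, error) {
	for p := High; p >= Low; p-- {
		var tier []*Member
		for _, m := range g.Members {
			if m.Priority == p && !now.Before(m.downUntil) {
				tier = append(tier, m)
			}
		}
		if len(tier) == 0 {
			continue // whole tier unavailable: fall back to the next priority
		}
		m := tier[g.cursor[p]%len(tier)]
		g.cursor[p]++
		return m.URL, nil
	}
	return "", errors.New("no URL in the group is currently available")
}
```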