Checking for the presence and validity of a Certificate using two different 'Require SSL' assertions

Document ID:  TEC1539984
Last Modified Date:  07/13/2017

Products

  • CA API Management Gateway

Releases

  • CA API Management Gateway:Release:9.1.00

Components

  • API GATEWAY:APIGTW
Issue:

In Policy, some use cases may want to separate the ways in which the 'Require SSL' assertion handles the certificate. For example, the first branch of logic may check only for the presence of a client certificate, while a later branch checks the validity of that same certificate.

[Image: Policy screenshot.PNG]

The problem is that if an expired certificate passes the first branch (which only checked for the presence of a certificate), it also passes the later branch that checks the validity of the certificate, even though it should fail there.

Cause:

The Gateway does this as a form of 'caching' to reduce policy overhead. Because it has already checked for the certificate in the first branch, it reuses the result from that check (where validity was not examined) in the second branch, so the request passes even though the certificate is not valid and has expired.

Workaround:

Instead of using a second 'Require SSL' assertion to check validity, use a Compare Expression assertion to check the validity. The compare expression should look like the one below:

[Image: Compare.PNG]

This compare expression takes the certificate's validity period from a built-in context variable and compares it against the Gateway's current time, which checks that the certificate is still valid and has not expired.
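The following Go program is an added illustration of the two checks described in the Issue and Workaround sections; it is not Gateway policy, not CA's code, and does not use the Gateway's actual context variable names (the screenshot above holds those). It builds a constructed self-signed certificate that expired a day ago, shows that a presence-only check (the first branch) is satisfied by it, and then applies an explicit comparison of the certificate's validity dates against a "gateway time" value, which is the same logic the Compare Expression workaround performs and which cannot be satisfied by a cached presence result. The check covers both ends of the validity window, not only expiry.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a self-signed client certificate with the given validity
// window. This is constructed test data, not a certificate from any real PKI.
func makeCert(notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "client.example.test"}, // constructed name
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// presenceCheck stands in for the first policy branch: it only asks whether
// a client certificate was presented at all, and says nothing about validity.
func presenceCheck(cert *x509.Certificate) bool {
	return cert != nil
}

// validityCheck stands in for the workaround's compare expression: the
// certificate's validity dates are compared against the gateway clock on
// every evaluation, so an earlier "certificate present" result cannot
// satisfy it. Both NotBefore and NotAfter are checked.
func validityCheck(cert *x509.Certificate, gatewayTime time.Time) error {
	if cert == nil {
		return errors.New("no client certificate presented")
	}
	if gatewayTime.Before(cert.NotBefore) {
		return fmt.Errorf("certificate not yet valid: NotBefore %s is after gateway time %s",
			cert.NotBefore.UTC().Format(time.RFC3339), gatewayTime.UTC().Format(time.RFC3339))
	}
	if gatewayTime.After(cert.NotAfter) {
		return fmt.Errorf("certificate expired: NotAfter %s is before gateway time %s",
			cert.NotAfter.UTC().Format(time.RFC3339), gatewayTime.UTC().Format(time.RFC3339))
	}
	return nil
}

func main() {
	now := time.Now()
	// Constructed certificate whose window closed 24 hours ago.
	expired, err := makeCert(now.Add(-48*time.Hour), now.Add(-24*time.Hour))
	if err != nil {
		panic(err)
	}
	// The presence-only branch is satisfied by the expired certificate...
	fmt.Println("presence check passed:", presenceCheck(expired))
	// ...while the explicit date comparison rejects it.
	fmt.Println("validity check:", validityCheck(expired, now))
}
```

The point to carry back to policy: a branch that must enforce validity should evaluate the certificate's dates itself against the Gateway's clock rather than rely on an assertion whose earlier result only established presence.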
