Manage Certificate Validation
The will verify whether certificates used for authentication and/or authorization are valid; the can also perform revocation checking for certificates. To enable revocation checking, use the Manage Certificate Validation dialog to define one or more revocation checking policies. These policies describe the strategies employed by to determine the revocation status of a certificate:
Layer7 API Gatewaywill verify whether certificates used for authentication and/or authorization are valid; the
Layer7 API Gatewaycan also perform revocation checking for certificates. To enable revocation checking, use the Manage Certificate Validation dialog to define one or more
revocation checking policies. These policies describe the strategies employed by
Layer7 API Gatewayto determine the revocation status of a certificate:
- by checking Certificate Revocation List (CRL)
- using Online Certificate Status Protocol (OCSP)
In either case, the URL for the CRL data or OCSP responder can be extracted from the certificate's URL or it can be a predefined URL.
Every certificate in the trust store can have its own revocation checking policy, or more simply, you can designate a default revocation checking policy that will be used for all trusted certificates.
Layer7 API Gatewaywill cache Certificate Revocation Lists for improved performance. It will try to fetch a fresh CRL one minute before the old one expires. The
pkix.*cluster properties can be used to configure the caching behavior. The cache is configured to use a stale CRL indefinitely while trying to get a new one. The initial attempt to load a CRL that has not yet been cached will block the caller. Subsequent attempts will use the cached value, even if it is stale.
If you do not intend to use the cached value when stale, set the
If you have identical certificates in a trusted store with different expiry dates, set the
trueto avoid CRL failure.
If a new CRL needs to be downloaded, one of the request threads will be used to do this, possibly increasing latency. The other threads will continue to use the old value without waiting. It is not possible to configure a local copy of the CRL or to manually prepopulate the download cache.
The Manage Certificate Validation dialog also lets you select the validation option for the following types of certificate usage:
- Identity Providers:For validation of users' certificates during authentication using the identity provider
- Routing: For validation of certificates presented by a server during request routing (i.e., HTTPS, FTPS)
- Other: For validating any other certificates (for example, LDAPS or non-routing assertions)
If mutual certificate security is required between the
Layer7 API Gatewayand the CRL host, you need to ensure that the
Layer7 API GatewaySSL certificate is trusted by the CRL host.
In order for the
Layer7 API Gatewayto validate certificate paths and check for revocation, it is necessary to have a starting point from which trust is established. This starting point is known as a
trust anchor. The
Layer7 API Gatewayrecognizes the following as trust anchors:
- Trusted certificates that have the [Certificate is a trust anchor] setting selected. This is located in the [Validation] tab of the certificate's properties. For more information on certificate properties, see Edit a Certificate. A certificate can also be flagged as a trust anchor when it is imported.
- The CA certificate belonging to theLayer7 API Gateway.
- Certificates located in the JDK trust store.
To manage certificate validation:
- In the Policy Manager, select[Tasks] > Certificates, Keys, and Secrets > Manage Certificatesfrom the Main Menu.The Manage Certificates dialog appears.
- Click [Certificate Validation].The Manage Certificate Validation dialog appears.
- Configure the dialog as follows:SettingDescriptionCertificate Validation OptionsDefine how theLayer7 API Gatewaywill perform validation for different types of certificate usage. Changes take effect immediately.
- Select a certificate type.For Identity Providers, the option specified here will be used only if the Identity Provider properties is set to "Use Default" for certificate validation
- Click [Properties].
- Choose how that certificate type should be validated:
Revocation Checking PoliciesBy default, theLayer7 API Gatewaydoes not check for certificate revocation. To enable revocation checking, define a revocation checking policy. You can create separate policies based on a variety of criteria, including the signing authority certificate, URL from the certificate for CRL/OCSP based on URL Regex matching, and Static URL manually entered for CRL/OCSP.
- Validate: Ensure that the certificate is valid and trusted.
- Validate Certificate Path: Ensure that the certificate path is valid to a trust anchor.
- Revocation Checking: Validate the certificate path and perform revocation checking according to the revocation checking policy.The validation options can also be accessed or set using these cluster properties:pkix.validation.identityProvider, pkix.validation.routing, pkix.validation.other.
- To add a new policy, click [Add] and then complete the Edit Revocation Checking Policy dialog. For
- To remove a policy from the list, select it and then click [Remove]. You cannot delete a policy if any trusted certificate is using that policy.
- To view or edit a policy, select it and then click [Properties]. For more information, see Edit a Revocation Checking Policy.
- Click [Close] when done.