Verifying Hostnames for Outbound SSL Connections

Part of the SSL Trust behavior in the  is to ensure that the hostname in a server's SSL certificate matches the hostname used in the outbound SSL request. However, you can suppress this verification for testing purposes or for added flexibility in your production environment, if you are confident that allowing mismatched hostnames will not impair security.
gateway83
Part of the SSL Trust behavior in the
API Gateway
 is to ensure that the hostname in a server's SSL certificate matches the hostname used in the outbound SSL request. However, you can suppress this verification for testing purposes or for added flexibility in your production environment, if you are confident that allowing mismatched hostnames will not impair security.
The
API Gateway
 uses a two layer system to determine when hostnames should be verified:
  • the setting Verify Hostnames for Outbound SSL Connections in the [
    Validation
    ] tab of a certificate's properties
  •  the setting of the
    io.httpsHostVerify
    cluster property
    Hostname verification proceeds only when PKIX validation of the TLS server certificate has succeeded. If the server certificate is not trusted, the connection fails and hostname verification is not performed.
The hostname verification procedure applies to any assertion that performs outbound TLS; examples of such assertions include:
  • Exchange Credentials using WS-Trust
  • Route via HTTP(S)
  • Retrieve SAML Browser Artifact
  • Use WS-Federation Credential (both Request and Exchange modes)
The following diagram describes how the
API Gateway
 determines whether to use the certificate setting or the
API Gateway
 cluster property:
Verify Hostnames
Verify Hostnames
The following table describes each step in the process:
Flowchart step
Description
A.
Trusted Server Certificate
This is a certificate that is either issued by a trusted certificate authority, by another trusted certificate in the
API Gateway
, or has been added to the
API Gateway
trust store. Hostname verification can proceed only if the server certificate is trusted.
B.
In trust store?
Has the server certificate been added to the
API Gateway
trust store?
C.
Use option in certificate
If
B
is 'Yes', then use the hostname verification option from the trusted certiciate. The
io.httpsHostVerify
cluster property is not consulted in this case.
D.
Signed by another cert in trust store?
If
B
is 'No', then is the certificate signed
directly
by another certificate in the trust store?
E.
Is "Outbound SSL" selected?
If
D
is 'Yes', does the signing certificate have its "Signing Certificates for Outbound SSL Connections" option selected? This option appears in the Certificate Properties, under the [
Options
] tab.
F.
Use option from signing certificate
If
E
is 'Yes', then use the option from the signing certificate. The
io.httpsHostVerify
cluster property is not consulted in this case.
G.
Use setting from cluster property
If
D
or
E
is 'No', then use the
io.httpsHostVerify
cluster property setting.