Set Up Mutual Authentication Between API Server and API Gateway

Layer7 API Gateway requires that you set up mutual authentication between API Server and API Gateway based on a public key infrastructure (PKI). Mutual authentication provides last-mile security and trust between API Gateway and Layer7 Live API Creator. The API Gateway and Layer7 Live API Creator administrators set up mutual authentication between API Server and API Gateway.
Use the following process to set up mutual authentication:
  1. The Gateway administrator creates a public/private key pair to be used by API Server.
    The single-user demonstration package of Layer7 Live API Creator that is based on Jetty contains a default key pair. This key pair is available from the <Layer7 Live API Creator Installation folder>/CALiveAPICreator/etc directory. This demonstration package includes a default keystore with Password1 as the password for the keystore and the lacssl.p12 private key file.
  2. The Gateway administrator adds the API Server public key to the API Gateway keystore.
  3. The Gateway administrator exports the Gateway public key.
  4. The Layer7 Live API Creator administrator configures the API Server for mutual authentication by completing the following:
    1. Configures API Server for Secure Sockets Layer (SSL) and Hyper Text Transfer Protocol Secure (HTTPS).
    2. Imports the public/private key pair into API Server's keystore.
    3. Imports API Gateway's public key into API Server's keystore.
    For more information, see Configure API Server for Mutual Authentication.
Create API Server's Public/Private Key Pair
You can create the public and private keys for API Server using API Gateway or alternative tools, such as OpenSSL. The following procedure describes how to create the pair using API Gateway.
  1. Open the Policy Manager and connect to the Gateway.
  2. Go to Tasks, Manage Private Keys. The Manage Private Keys window opens.
  3. Click Create. The Create Private Key window opens.
  4. Enter an alias name for the API Server's public/private key pair (for example, lacssl), and then click Create.
API Server's public/private key pair is created and displays in the list on the Manage Private Keys window.
Export API Server's Private Key
Export API Server's private key if the public/private key pair for API Server is created in API Gateway.
API Server's keystore requires the API Server's public/private key pair. Export the private key so that you can add it to the API Server keystore.
  1. In the Policy Manager, click Tasks, "Certificates, Keys, and Secrets", Manage Private Keys.
    The Manage Private Keys window opens.
  2. Select your API Server's public/private key pair, and then click Properties.
    The Private Key Properties window opens.
  3. Click Export Key.
    The Enter Export Passphrase window opens.
  4. Enter the password you want to use to protect your private key, and then click OK.
    If you want to configure API Server for SSL on Layer7 Live API Creator when you import this key into your Apache Tomcat keystore, enter the same password as you use as your Tomcat keystore password.
    For more information about how to import API Server's private key into your Tomcat keystore, see Configure API Server for Mutual Authentication.
    The Save As dialog opens.
  5. Enter a file name for this private key (for example, lacssl.p12), and then click Save.
  6. Close the Private Key Properties window by clicking Cancel.
The API Server's private key is exported.
Export API Server's Public Key
Complete this procedure if you are configuring mutual trust between API Server and multiple API Gateway servers.
You do not need to complete this procedure if you are setting up the same API Gateway used to create the API Server's public/private key pair for mutual authentication.
  1. In the Policy Manager, click Tasks, "Certificates, Keys, and Secrets", Manage Private Keys.
    The Manage Private Keys window opens.
  2. Select your API Server's private/public key pair, and then click Properties.
    The Private Key Properties window opens.
  3. Click View Certificate.
    The Certificate Properties window opens.
  4. Click Export.
    The Save certificate dialog opens.
  5. Enter a file name for this public key (for example, lacssl.pem), select PEM as the file format, and then click Save.
  6. Close the Certificate Properties window by clicking Close.
  7. Close the Private Key Properties window by clicking Cancel.
API Server's public key is exported.
Export API Gateway's Public Key
Enable API Server to authenticate API Gateway based on API Gateway's client certificate by exporting API Gateway's certificate. The certificate contains the public key.
  1. In the Policy Manager, select Tasks, "Certificates, Keys, and Secrets", Manage Private Keys.
    The Manage Private Keys window opens.
  2. Select your API Gateway Server's private/public key pair, and then click Properties.
    The Private Key Properties window opens.
  3. Click View Certificate.
    The Certificate Properties window opens.
  4. Click Export.
    The Save certificate dialog opens.
  5. Enter a file name (for example, gateway1.pem), select PEM as the file format, and then click Save.
  6. Close the Certificate Properties window by clicking Close.
  7. Close the Private Key Properties window by clicking Cancel.
  8. Close the Manage Private Keys window by clicking Close.
API Gateway's public key (a second .pem file) is created and exported.
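The trust relationship that the exported files establish, shown as an added Go example that is not part of this documentation or of the product: a stand-in API Server demands a client certificate and accepts the stand-in API Gateway only once the gateway's certificate (the gateway1.pem export) is in the server's trust store, while the gateway verifies the server against the server's own certificate (the lacssl.pem export). All key pairs are generated in memory for the example, and the file names, the "localhost" name and the "ok" application byte are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"io"
	"math/big"
	"net"
	"time"
)

// selfSigned is a constructed stand-in for a key pair created in Policy Manager; it returns the pair and its PEM certificate (what an exported .pem holds).
func selfSigned(cn string) (tls.Certificate, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: true, DNSNames: []string{"localhost"},
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, certPEM
}

// Handshake runs one mutual-TLS exchange between a stand-in API Server and a stand-in API Gateway.
// gatewayImported says whether the gateway's certificate was imported into the server's trust store.
func Handshake(gatewayImported bool) bool {
	serverCert, serverPEM := selfSigned("api-server")
	gatewayCert, gatewayPEM := selfSigned("api-gateway")
	serverTrust, gatewayTrust := x509.NewCertPool(), x509.NewCertPool()
	if gatewayImported {
		serverTrust.AppendCertsFromPEM(gatewayPEM) // the "import gateway1.pem into API Server" step
	}
	gatewayTrust.AppendCertsFromPEM(serverPEM) // the gateway trusts the server's lacssl.pem
	srvSide, cliSide := net.Pipe()             // in-memory wire instead of a real socket
	srv := tls.Server(srvSide, &tls.Config{Certificates: []tls.Certificate{serverCert},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: serverTrust}) // client cert is mandatory
	go func() { srv.Write([]byte("ok")); srv.Close() }() // the server handshake runs on the first Write
	cli := tls.Client(cliSide, &tls.Config{Certificates: []tls.Certificate{gatewayCert},
		RootCAs: gatewayTrust, ServerName: "localhost"})
	defer cli.Close()
	buf := make([]byte, 2)
	_, err := io.ReadFull(cli, buf) // a rejected client certificate surfaces here as a TLS alert
	return err == nil && string(buf) == "ok"
}
```

Handshake(true) models the finished setup; Handshake(false) models an API Server whose trust store never received the gateway certificate, which is the usual cause of a failing last-mile connection.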
Next Steps
You must configure mutual authentication by importing the gateway's public key into API Server. This step is part of configuring API Gateway for mutual authentication.
For more information about how to configure API Gateway for mutual authentication, see Configure API Gateway for Mutual Authentication.