Comments on Integration Yay!: DataPower: How to configure SSL mutual authentication?
Blog author: Bruno R Neves

Anonymous (2024-01-30 02:01 -06:00):
Hi Bruno,

Does the above explanation also apply to the new server profile? If not, how do I implement mutual authentication using a server profile?

Sridhar (2018-07-17 20:44 -05:00):
Hi Bruno,

I am having an issue with DataPower being a client and the traffic going over SSL. I have configured an SSL proxy profile, the direction is forward, with a val cred configured. The handshake fails, and the team of the server that I am connecting to is claiming that the server SSL certificate is not in the intermediate or root CA. Can you please let me know how to overcome this issue?

Anonymous (2018-01-29 03:42 -06:00):
Thank you Bruno, I found the process to implement it in the WAF service.

Bruno R Neves (2018-01-19 10:12 -06:00):
Did those changes help you? For more information on the WAF service, please visit https://www.ibm.com/support/knowledgecenter/SS9H2Y_6.0.0/com.ibm.dp.xs.doc/waf_introduction.html

Anonymous (2018-01-18 05:57 -06:00):
Thanks for the update Bruno, I've enabled the GET method, Pass-through, and added the certificate for the handshake as well. I don't have any idea about the Web Application Firewall, I'll check that.

Bruno R Neves (2018-01-17 14:43 -06:00):
Okay, there could be multiple reasons for your page not showing up when you configure an MPGW to act as a proxy; if you enable the debug log level you could find some hints there.

A few things I can remember off the top of my head though... Make sure your HTTP Handler has the GET method enabled, that your MPGW is set to Pass-through in both the Request and Response directions, and, if your internal site has SSL certificates configured, that you configure at least an SSL Client Profile to handle the connection handshake for you.

Also, maybe a better service for you to use here instead of the MPGW would be the Web Application Firewall. Have you considered using that?

Anonymous (2018-01-11 23:02 -06:00):
Hi Bruno, I'm using a Multi-Protocol Gateway for this. The use case is that my DataPower is in the DMZ and I want to expose the site which is running in our local domain. So just to expose that site to the outside world I'm doing this.

Bruno R Neves (2018-01-11 14:52 -06:00):
Sorry it took a little longer to get back to you this time, crazy days here! Can you clarify which DataPower service you are using for this then: is it a Multi-Protocol Gateway, a Web Service Proxy, an XML Firewall? DataPower here is positioned between your client and the website, correct? What is the use case, why are you using DataPower to proxy the website?

Anonymous (2018-01-09 01:37 -06:00):
Hi Bruno, thanks for your reply. Instead of saying web service proxy, I'm trying to make a site proxy (running on HTTPS). Since it is a site I'm not sending any data to DataPower, and yes, I'm able to get the certificate from the backend server.

Bruno R Neves (2018-01-08 11:25 -06:00):
Hi Ajay, there could be many reasons for both of those errors to show up. Assuming you are talking about a Web Service Proxy service, an "Internal Error (from client)" error usually means that the payload you are sending to DataPower is not passing the schema validation; again, usually, there could be other reasons. How are you sending data to DataPower? Now as for the "Failed to establish a backside connection", that is another error, happening during the handshake between DataPower and the backend server. Are you able to retrieve the certificate from the backend server when you hit its URL from your browser?

Ajay (Anonymous, 2018-01-08 04:28 -06:00):
Hi Bruno,
I have a scenario where a URL running on HTTPS needs to be proxied at DataPower. For this I've created a Frontside HTTPS handler and an SSL proxy profile in two-way direction, and created a Forward crypto profile with Validation and a Reverse crypto profile with Identification (both with "Client Authentication is Optional" OFF and "Always Request Client Authentication" OFF). All the configurations are up and running. When I tried to open the DataPower-provided URL it gives a fault error saying "env:Client Internal Error". In the DataPower logs it says "Failed to establish a backside connection , Cannot establish SSL credentials (credential is NULL)". Please guide me how to overcome this issue.
Thanks in advance.
Ajay.

Portuguesedanny (2017-01-26 10:54 -06:00):
Thanks for your feedback and insight Bruno. We're considering the use of different ports on the same IP for both of the FSHs.

Have a great day too.

Bruno R Neves (2017-01-26 10:13 -06:00):
Thanks, Daniel!

I am afraid it is not possible to have two (or more) FSHs listening on the same IP/Port combination. This combination always has to be unique across the box. It is possible, though, to have multiple FSHs listening on the same port but with different IP addresses. We did that for a client a few years ago when their requirement was to host multiple lower environments in the same box.

Have a good day!
Bruno

Portuguesedanny (2017-01-26 06:27 -06:00):
Hi Bruno,
Great article.

Quick question: is it possible to have two FSHs for the same Message Policy that both listen on the same IP and Port?

I'm guessing they must at least have a different one of either!

Thank you
Daniel

Bruno R Neves (2016-04-14 09:44 -05:00):
Your configuration seems to be okay, but yes, sharing the DataPower certificate with your clients is still required, because they will use that to encrypt the data before they send it to DataPower. If they have access to your DataPower endpoint they can grab this certificate themselves, without requiring you to manually send it to them by email, etc. They can use a browser to hit your DataPower endpoint and use the export certificate function of the browser.

To validate whether or not DataPower is enforcing the client certificate (it can require it and still be optional if it is not configured well), from your browser hit the DataPower endpoint and see if there is a pop-up asking you to select your personal certificate. Cancel that pop-up without specifying any certificate, and then see if the connection fails. If it does fail you should be good. Then try again selecting a certificate that matches a certificate in the Validation Credentials (you may have to restart your browser to see that pop-up again). The connection should succeed this time.

Good luck, let us know if you have any further questions!

Unknown (2016-04-14 04:15 -05:00):
I have some confusion regarding the SSL profile setup.
We just got the below setup from a third-party vendor.

When DataPower is accepting the client requests we have configured the reverse proxy, and in this case we have set up both Identification Credentials and Validation Credentials. The Identification Credentials have the DP key as well as the signed certificate. The Validation Credentials have the client certificate of whoever is trying to access the service from DataPower. Do we really need to share the DataPower certificate with the clients in the case of the reverse proxy?

Bruno R Neves (2015-12-18 09:32 -06:00):
Hey, I hope you are doing alright!

Okay, here is what you are doing:

- Have an SSL Forward Crypto Profile - Check
- IDCreds and ValCreds are configured in the Forward Crypto Profile - Check
- IDCreds contain the DataPower certificate pair (private and public) - Check
- (I am assuming that you extracted the DataPower certificate pair (private and public) from the P12 file and converted them into two .pem files, as that is the format DataPower accepts. I am just not sure why you have a P12 to start with, as DataPower generates .pem files in the Crypto Tools, unless you generated the certificate pair outside the DataPower box, in which case it would be okay)
- Salesforce needs to add a copy of your public DataPower certificate into their trust store - Not sure if it is done
- You need to add the Salesforce public cert or Root CA certificate into your ValCred - Not sure if it is done

If you have done all the above, your SSL configuration should be alright. If even so you are still getting errors, make sure that there is connectivity to the server and port you are trying to connect to, and that there is a match in the ciphers used by both client and server.

You can get other ideas by reading what Dan Zrobok wrote on Debugging DataPower TLS / SSL Errors at http://www.orangespecs.com/datapower-tls-ssl-errors/

Your last resort would be a packet capture; then you would be able to tell for sure what is really going on.

Good luck to you, debugging these issues is not always fun, especially if you don't have access to all tiers to make sure that everything is set up the way it should have been.

Anonymous (2015-12-18 01:10 -06:00):
Hi Bruno,

I am developing a web service in DataPower which is trying to connect to the Salesforce endpoint. The Salesforce endpoint is HTTPS, secured with mutual authentication implemented.

In order to make a connection to Salesforce from the DataPower service I would need to create an SSL Forward profile with both ID Cred and Val Cred. The ID Cred would have the DataPower cert private key as the crypto key and the DataPower cert as the crypto cert. This key and cert can be extracted from the P12 cert. The Val Cred would have the cert installed at the Salesforce end for mutual auth. Please advise if this SSL setting will work to establish the connectivity.

Bruno R Neves (2015-12-02 11:14 -06:00):
You wrote: So to understand this: whenever DataPower has an empty validation credential (certificate of the calling server) in the Forward crypto profile we are not checking the server at all, but still the SSL/TLS encryption will happen between DataPower and the calling server. Is my understanding correct?
My response: Just in the few rare cases that I explained above will it be true. In most cases the connection should fail, saying that the backend server is not trusted by DataPower.

Whenever you try to access a TLS/SSL server, yes, it will reply with its public key. You then try to validate whether this public key matches the public key you have stored in your ValCred.

For more information on the SSL handshake I would recommend you read this excellent article: http://blogs.msdn.com/b/kaushal/archive/2013/08/03/ssl-handshake-and-https-bindings-on-iis.aspx

And just to be clear, all certificates contain a public key. The difference between a certificate and a public key is that the certificate not only contains the cryptographic material, but also some extra information regarding who the issuer is, the CA that signed the certificate itself, addresses, names, and of course, the public key. During the TLS/SSL handshake, the server always sends its certificate (including the public key in it) as part of the Server Hello message.

Rakesh (2015-11-26 00:43 -06:00):
Thanks Bruno,

So to understand this: whenever DataPower has an empty validation credential (certificate of the calling server) in the Forward crypto profile we are not checking the server at all, but still the SSL/TLS encryption will happen between DataPower and the calling server. Is my understanding correct?
And one more point I want to understand. Whenever DataPower has the certificate in the validation credential in the forward crypto profile, does that certificate contain the server's public key as well? I have checked many public certificates and I have seen there is a field called "public key". If that is so, whenever the SSL handshake happens between client and server, the server sends the public key along with the Server Hello message.
Can you please help me out to understand those points?
Thanks for your help.

Bruno R Neves (2015-11-17 12:08 -06:00):
Rakesh, I might be mistaken, but other than the rare case I mentioned above, I don't see any other situation in which doing this would help with something, as an empty validation credential basically means that DataPower is not validating any certificate at all.

Rakesh (2015-11-16 13:08 -06:00):
Hi Bruno, thanks for your clarification. So we can create an SSL Proxy profile with a Forward (Client) Crypto Profile which has no validation and identification credential. Even in real life I have seen that a Forward (Client) Crypto Profile has been created without validation and identification credentials. So particularly in that scenario, what is the use of creating such SSL proxy profiles? Is that SSL proxy profile used in the SSL handshake? Can you please let me know?

Bruno R Neves (2015-11-09 09:39 -06:00):
Hey Rakesh, this is a very good question! The only reason why the Validation Credentials is not a required parameter in this scenario is because the SSL/TLS standard does not require authentication of the server certificate. It is rare, but there are cases out there where the client is not required to validate the certificate sent by the server, like when the agreed-upon key exchange method is anonymous. See more details at https://www.ietf.org/rfc/rfc2246.txt.

Rakesh (2015-11-08 23:42 -06:00):
Hi Bruno,

I need some help regarding the SSL proxy profile (forward) in DataPower. When I am creating an SSL proxy profile with direction Forward, I am able to create it without a validation credential; I configured only the "identification credential" and the object status is also 'up', it's not giving any error either. But as I understand it, while creating an SSL proxy profile with direction forward (DataPower acts as the client) the validation credential should be mandatory.
Can you please help me to understand this?