Friday, 29 April 2016

SSL Concept and Implementation in Datapower

When to create an SSL Proxy Profile with each SSL Direction:
REVERSE: Create a Reverse Crypto Profile when you need only a Front Side Handler. In this case, create the Identification Credentials from the Crypto Key and Crypto Certificate of the DataPower box itself. Validation Credentials are mostly not required.
TWO-WAY: In this case, create a Forward Crypto Profile along with the Reverse Crypto Profile. The Forward Crypto Profile is needed to connect to a back-end server. For the Forward Crypto Profile, Identification Credentials are mostly not required; its Validation Credentials contain the actual certificate of the back-end to connect to.
FORWARD: Create a Forward Crypto Profile as detailed above. A Forward Crypto Profile alone is created when the Front Side Handler does not need to validate the request sent from the client to the DataPower box. Mostly you will create a TWO-WAY proxy instead of just the FORWARD proxy.
More Stuff.
  • Data transmitted over SSL connections is encrypted using session keys that are secured with public key cryptography. Public key cryptography requires a public key (stored in the certificate) and a private key.
  • DataPower uses a Crypto Identification Credential to associate (match) a public key and a private key for use in cryptographic operations such as SSL.
  • DataPower uses Validation Credentials to validate digital signatures and received certificates. A Validation Credential is a list of certificate objects.
  • A Crypto Profile ties together the Crypto Identification Credentials and the Crypto Validation Credentials described above.

------------------------------------------------------------------------------------------------------------------------------------------------------------

SSL (Secure Sockets Layer) is used to secure traffic over a network. This blog explores the implementation of SSL in DataPower along with the basic concepts.
SSL Concept:
Key Pair Generation:
Implementing SSL in Datapower
When DataPower Acts as a Client:
  • Upload the certificate shared by the server into the cert/pubcert directory of DataPower File Management.
  • Create an SSL proxy profile as shown below. This can either be referred to in the proxy settings or set dynamically using the routing-ssl-profile variable.
  • The server to which DataPower acts as a client will share its certificate with DataPower (the client).
  • Using the shared certificate, a Crypto Certificate object is created.
  • Crypto Validation Credentials created from the Crypto Certificate object are included in the Crypto Profile.
  • The Crypto Profile created is used in DataPower as the SSL proxy profile.
When DataPower Acts as Server
Create an SSL proxy profile by following the steps shown below; it can be referred to in any Front Side Handler that supports SSL (for example HTTPS).
  • Just as Crypto Validation Credentials are created when DataPower acts as a client, Crypto Identification Credentials are created from the combination of a Crypto Key object and a Crypto Certificate object.
Note: A TWO-WAY SSL Proxy Profile contains two crypto profiles: one refers to the Crypto Validation Credentials evaluated on the response side (DataPower as client to the back-end) and the other refers to the Crypto Identification Credentials used in the request flow (when DataPower acts as the SSL server to front-end systems).
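The two sections above (DataPower as client, DataPower as server) each hinge on a set of PEM files: a key and certificate for the Identification Credential, and the back-end's certificate (or its issuing CA) for the Validation Credential. The following openssl script is an added example, not part of the original post or of any DataPower tooling; it generates a constructed key pair and self-signed certificate for the DataPower box, checks that the key and certificate really belong together (the usual reason an Identification Credential refuses to load), then builds a constructed back-end CA and server certificate and performs the same chain check a Validation Credential does during the handshake. All hostnames and the $WORK directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Requires openssl on PATH.
# Every hostname and file below is constructed for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1. Key pair + self-signed certificate for the DataPower box itself.
#    These two files are what you upload and wrap as the Crypto Key and
#    Crypto Certificate objects behind the Reverse profile's Identification
#    Credential (the "Key Pair Generation" step of the post).
make_datapower_idcred() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=dp.example.test" \
    -keyout "$WORK/dp-key.pem" -out "$WORK/dp-cert.pem" 2>/dev/null
}

# 2. Confirm the private key and certificate carry the same public key.
#    Compares a hash of the public key derived from each file.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl sha256)
  [ "$k" = "$c" ]
}

# 3. A constructed back-end: a private CA plus a server certificate it
#    signed. The CA certificate is the file you would place in pubcert and
#    reference from the Forward profile's Validation Credential.
make_backend_ca_and_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Backend Test CA" \
    -keyout "$WORK/ca-key.pem" -out "$WORK/ca-cert.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=backend.example.test" \
    -keyout "$WORK/backend-key.pem" -out "$WORK/backend.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/backend.csr" \
    -CA "$WORK/ca-cert.pem" -CAkey "$WORK/ca-key.pem" -CAcreateserial \
    -days 365 -out "$WORK/backend-cert.pem" 2>/dev/null
}

# 4. What a Validation Credential does at handshake time: verify that the
#    presented certificate chains to one of the trusted certificates.
#    Usage: validates_against <trusted-ca.pem> <presented-cert.pem>
validates_against() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Run the functions in order: make_datapower_idcred, then key_matches_cert on dp-key.pem and dp-cert.pem, then make_backend_ca_and_cert and validates_against with ca-cert.pem and backend-cert.pem. Pointing validates_against at the wrong trust anchor (for instance dp-cert.pem) fails, which is exactly the condition a misconfigured Validation Credential produces on the wire.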



7 comments:

  1. Hi Ramana,

    I am new to DP and I was going through your blogs, I see a difference in your blogs when compared to others blogs, you tried to give details of each DP objects as much as possible. Your blogs are very much useful.

    -Krishna Reddy

    1. Thanks for visiting my blog, Krishna Reddy!!
      Please let me know if you require any other information on this.

  2. Hi Ramana,

    I have few queries on REST implementation using DP, how to reach you?

    -Krishna Reddy

  3. Please send your queries to ramana2909@gmail.com

  4. Thanks... this blog is very useful for my interview purposes. Now I am learning this technology. Thank you so much, Ramana garu.

  5. Hi Ramana,
    Amazing stuff, Mr. Ramana. I was wondering when I saw the screenshots of every step; it shows your passion, dedication and patience. It's awesome. Recently I have changed my tech to DP; if I have any queries, can I reach you through your mail id?
    Thank you

  6. 0x80e0005a mpgw (MPGW_GBL_OutboundForwarder): Cannot establish SSL credentials (credential is NULL), URL: 'https://xxxxxxx/as/authorization.oauth2?client_id=pxa_ac_sai&response_type=code'.

    I am trying to use the dynamic SSL profile setting. Please can you advise?
