Using Private Keys within the Gateway
Private keys that are stored in the gateway are used in many instances, most notably listen ports and policy assertions.
Private Keys in Listen Ports
The following default ports are configured when you set up the Gateway for the first time:
- 8080: Non-SSL port for request messages.
- 8443: SSL port with Client Mutual Authentication set to optional, for both Policy Manager access and request messages.
- 9443: SSL port with Client Mutual Authentication set to none, for both Policy Manager access and request messages.
- 2124: SSL port with Client Mutual Authentication set to optional, for inter-node communication.
Configuring an SSL Private Key for a Port
When a listen port is configured to use a protocol with SSL, then the SSL/TLS Settings tab in the port's properties becomes available. In this tab, you can specify:
- Server Private Key: By default, the Default SSL Key is assigned to the port. You can select any other key from the drop-down list.
- Client Authentication: By default, this is set to None for newly created ports. Set this to Optional or Required if client authentication is required in the policy.
- Enabled TLS Versions: Allows or limits the TLS versions that the inbound port supports.
- Enabled Cipher Suites: The order of the cipher suites is important, as the Gateway tries the cipher suites in the order listed. If the client does not support any of the cipher suites listed, then the SSL handshake fails. Refer to "Inbound SSL Handshake Issues" in Troubleshoot for possible solutions to various SSL handshake issues.
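To see how the settings on this tab decide the fate of an inbound connection, here is an added Python model (not CA/Broadcom code) of a listen port's SSL/TLS Settings: the highest TLS version enabled on both sides, the first Gateway-listed cipher suite the client offers, and the Client Authentication mode. The port values, cipher suite names and client hellos are constructed sample data, and the model ignores everything else a real handshake checks.

```python
from dataclasses import dataclass

# Constructed sample values; on a real Gateway these live on the
# SSL/TLS Settings tab of the listen port properties.
TLS_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2"]   # oldest to newest

@dataclass
class ListenPortTls:
    server_private_key: str       # alias of the Server Private Key
    client_auth: str              # "None", "Optional" or "Required"
    enabled_tls_versions: list
    enabled_cipher_suites: list   # the Gateway tries these in listed order

@dataclass
class ClientHello:
    tls_versions: list            # versions the client supports
    cipher_suites: list           # suites the client offers, its own order
    has_client_cert: bool = False

def negotiate(port: ListenPortTls, hello: ClientHello) -> dict:
    """Model the outcome of one inbound handshake against a listen port."""
    # 1. Highest TLS version enabled on both the port and the client.
    common = [v for v in TLS_ORDER
              if v in port.enabled_tls_versions and v in hello.tls_versions]
    if not common:
        return {"ok": False, "reason": "no common TLS version"}
    # 2. Server preference: the first Gateway-listed suite the client
    #    offers wins; the client's own ordering does not matter.
    suite = next((s for s in port.enabled_cipher_suites
                  if s in hello.cipher_suites), None)
    if suite is None:
        return {"ok": False,
                "reason": "client supports none of the enabled cipher suites"}
    # 3. Client Authentication mode from the port properties.
    if port.client_auth == "Required" and not hello.has_client_cert:
        return {"ok": False, "reason": "client certificate required"}
    return {"ok": True, "version": common[-1], "cipher_suite": suite,
            "server_key": port.server_private_key,
            "client_authenticated": port.client_auth != "None"
                                    and hello.has_client_cert}

# Constructed model of default port 8443 (client authentication optional).
PORT_8443 = ListenPortTls(
    server_private_key="Default SSL Key", client_auth="Optional",
    enabled_tls_versions=["TLSv1.2"],
    enabled_cipher_suites=["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                           "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                           "TLS_RSA_WITH_AES_128_CBC_SHA"])
```

A client that lists the CBC suite first still gets the ECDHE GCM suite, because the Gateway's list order is what decides; a client offering only suites absent from the list, or only a TLS version the port does not enable, is the "handshake fails" case the Troubleshoot section covers.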
Private Keys in Policy Assertions
Several assertions allow you to configure which Private Key to use. If you do not specify a key, the Gateway uses the Default SSL Key.
A Default SSL Key should have been defined as part of setting up the Gateway cluster. For more information, see option 2 ("Create a new CA API Gateway database --> Set Up the Gateway Cluster") in Gateway Configuration Menu (Appliance).
Route via HTTP(S) Assertion
In the Route via HTTP(S) Assertion, you can select the outbound private key by right-clicking the assertion in the policy window and selecting Select Private Key. In the Private Key Alias dialog that appears, you can choose to use the default private key, no private key, or a specific private key. The "Select Private Key" option is enabled only if the URL in the routing assertion uses https:// or a context variable was specified.
One other area of note for SSL handshake configuration: you can set the SSL/TLS protocols and the enabled cipher suites in the Connection tab of the assertion properties.
Other Assertions
Refer to Select a Custom Private Key for a list of the other assertions where you can select a custom private key.