CA API Gateway 9.1

9.4 9.1

Select a Custom Private Key

The following assertions can use custom private keys:
gateway83
The following assertions can use custom private keys:
  • Route via HTTP(S)
    : When using an HTTPS URL and the server sends a client certificate challenge, the Route via HTTP(S) assertion can now present a custom client certificate instead of using the standard 
    API Gateway
     SSL certificate as its client certificate.
    The 
    Select Private Key
     option is available only when routing to an HTTPS address. It is disabled for HTTP.
  • Sign Element
    : This assertion can use a custom private key to sign the response.
  • Add Timestamp
    : This assertion can use a custom private key when adding a signed timestamp.
  • Add Security Token:
     This assertion can use a custom private key when adding a signed security token.
  • Customize SOAP Fault Response
    : This assertion can use a custom private key for signing SOAP faults.
  • Build SAML Protocol Response
    : This assertion can use a custom private key for signing the response.
  • Create SAML Token:
     This assertion can use a custom private key for the signed SAML token. 
The three signing assertions (Sign Element, Signed Timestamp, Signed Security Token) should use the same private key if they all target the same message and WSS recipient. The policy validator will warn you if the keys differ. 
To select a custom private key:
  1. Right-click the assertion in the policy window and then choose 
    Select Private Key.
     The Private Key Alias dialog is displayed.
  2. Configure the dialog as follows:
    Setting
    Description
    Use default private key
    Select this option to use the default
    API Gateway
     SSL or CA certificate to respond to a client certificate challenge from the server. For more information about default keys, see Private Key Properties.
    Use custom private key
    Select this option to use a custom private key to respond to a client certificate challenge from the server. Select the key below.
    Key
    From the drop-down list, select the custom key to use. The key must already be defined using the Manage Private Keys task. To jump directly to that task, click
    Manage Private Keys
    .
    If the assertion uses a private key that has since been deleted, you will receive a policy validator warning message and the Private Key Alias dialog will display
    '<keyname> in UNRECOGNIZED'
     in the Key drop-down list. If the policy is saved as-is, then the
    API Gateway
     will consult the
    keyStore.searchForAlias
     cluster property for the appropriate course of action during compilation time. Alternatively, you can select another custom private key to use.
  3. Click [
    OK
    ] when done.

Content feedback and comments