DataPower

  • 1.  SharedCert folder for CA Signer Certs

    IBM Select
    Posted Thu January 07, 2021 05:20 PM
    I would like to upload the Root and Intermediate signer certs for just the Certificate Authorities that we trust into the sharedcert folder.
    Then in each application domain that needs to reference these signer certs, create Crypto Certificate objects mapped to the corresponding certificate file in the sharedcert folder.

    If an SSL Client Profile's ValCred object needed the Root Cert for a particular CA, just use that domain's Crypto Cert object that represents that Root Cert.
    If an SSL Server Profile's IDCred needed the Intermediate Cert for the CA that signed the cert that DataPower is presenting, just use that domain's Crypto Cert object that represents that Intermediate.

    I like this design compared to what I see now which is the same signer certs uploaded all over the place with multiple Crypto Cert objects in each domain all for the same thing.

    Is this design sound from a security perspective?
    Is this design sound from a certificate management perspective?

    Does it scale? If hundreds of DataPower services on the same appliance across many different domains are all mapped to the same file in sharedcert will it work when thousands of connections per minute are being established, many of them needing to reference that one file?


  • 2.  RE: SharedCert folder for CA Signer Certs

    Posted Fri January 08, 2021 12:03 PM
    This is a sound design strategy, Peter, and it all looks good to me. Remember that if you update the certificate in the sharedcert folder, you will need to 'refresh' any object that refers to that cert. This can be done by disabling/enabling the object (I use a Python script to find any referencing object and disable and enable it), or restarting the domains where these objects reside, or just restarting your entire system, to ensure all objects have the latest metadata from the certificate.
    --Charlie

    ------------------------------
    Charlie Sumner
    ------------------------------



  • 3.  RE: SharedCert folder for CA Signer Certs

    IBM Select
    Posted Fri January 08, 2021 02:11 PM
    Thanks Charlie.

    Another aspect is the single point of failure aspect.

    A. If hundreds of MPGs all rely on Crypto Cert objects that reference that one root cert in //:sharedcert, it's gonna be a bad day if someone accidentally deletes that file. Compare that to having that root cert here, there, everywhere across all the domains. Less impact if someone screws up and deletes the file.

    B. Is there some limit as to how many services on DataPower can all read that one root cert file concurrently? Compare that to having that root cert here, there, everywhere across all the domains. Less chance of hitting some contention limit, if there even is one.

    But, the operational efficiencies of having only single copies of the files can't be ignored. 
    How I wish IBM expanded this sharedcert folder to Objects like Crypto Certs, Load Balancer Groups, SSL Client Profiles, etc. It sucks having to create the same exact object so many times.


    I opened a Case with IBM asking about the access permissions to make changes to ://sharedcert and if there are any concerns with high volume concurrent read access to a single file in ://sharedcert. Will report back here.
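
Added example (not written by any poster in this thread and not IBM code): given a configuration export, list per domain the Crypto Certificate objects backed by one sharedcert file plus the objects that reference them. That list is what needs a refresh after the file is replaced (post 2) and what is affected if the file is deleted (post 3, point A). The export XML is a constructed sample; its element names and the `sharedcert:///` URL form are assumptions modeled on DataPower's export format.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample modeled on a DataPower configuration export (assumed shape:
# one <configuration domain="..."> per domain; references carry class="CryptoCertificate").
SAMPLE_EXPORT = """\
<datapower-configuration version="3">
  <configuration domain="payments">
    <CryptoCertificate name="corp-root"><Filename>sharedcert:///corp-root.pem</Filename></CryptoCertificate>
    <CryptoCertificate name="local-leaf"><Filename>cert:///leaf.pem</Filename></CryptoCertificate>
    <CryptoValCred name="backend-valcred"><Certificate class="CryptoCertificate">corp-root</Certificate></CryptoValCred>
    <CryptoIdentCred name="frontend-idcred">
      <Certificate class="CryptoCertificate">local-leaf</Certificate>
      <CA class="CryptoCertificate">corp-root</CA>
    </CryptoIdentCred>
  </configuration>
  <configuration domain="hr">
    <CryptoCertificate name="root"><Filename>sharedcert:///corp-root.pem</Filename></CryptoCertificate>
    <CryptoValCred name="ldap-valcred"><Certificate class="CryptoCertificate">root</Certificate></CryptoValCred>
    <CryptoValCred name="other-valcred"><Certificate class="CryptoCertificate">unrelated</Certificate></CryptoValCred>
  </configuration>
</datapower-configuration>
"""

def objects_to_refresh(export_xml, shared_file):
    """Map domain -> sorted [(object type, name)] that depend on shared_file."""
    result = defaultdict(set)
    for cfg in ET.fromstring(export_xml).iter("configuration"):
        domain = cfg.get("domain")
        # Crypto Certificate objects in this domain backed by the shared file.
        certs = {c.get("name") for c in cfg.findall("CryptoCertificate")
                 if (c.findtext("Filename") or "").strip() == shared_file}
        for name in certs:
            result[domain].add(("CryptoCertificate", name))
        # Object names are per domain, so references are resolved within the domain only.
        for obj in cfg:
            for ref in obj.iter():
                if ref.get("class") == "CryptoCertificate" and (ref.text or "").strip() in certs:
                    result[domain].add((obj.tag, obj.get("name")))
    return {d: sorted(objs) for d, objs in result.items()}

if __name__ == "__main__":
    hits = objects_to_refresh(SAMPLE_EXPORT, "sharedcert:///corp-root.pem")
    for domain, objs in hits.items():
        for kind, name in objs:
            print(f"{domain}: {kind} {name}")
```

The per-domain output doubles as a change-review checklist before anyone replaces or removes a file in the shared folder.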