In an SSL Client Profile, in its Val Cred, if you select "Full certificate chain checking (PKIX)", in the Help you will find this statement: "The complete certificate chain is checked from subject to root when using the validation credentials for certificate validation. Validation succeeds only if the chain ends with a root certificate in the validation credentials". So, DataPower expects the SSL Partner, the SSL Server, to include the Root in the chain.
In RFC 5246, The Transport Layer Security (TLS) Protocol Version 1.2:
https://datatracker.ietf.org/doc/html/rfc5246#section-7.4.2

"certificate_list
This is a sequence (chain) of certificates. The sender's certificate MUST come first in the list. Each following certificate MUST directly certify the one preceding it. Because certificate validation requires that root keys be distributed independently, the self-signed certificate that specifies the root certificate authority MAY be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case."

RFC 5246 says SSL Servers have the option to send the root or not.
DataPower appears to require it.
Is DataPower not compliant with RFC 5246 if it requires SSL Servers to send something RFC 5246 says is optional to send?
Follow on question:
What if another DataPower Service is the SSL Server? Going to that SSL Server Profile, to that Crypto Identification Credential, we find:
a field for Crypto key
a field for Certificate
a field for your Intermediate Cert(s)
There is no field for the root cert. Makes sense to me - RFC 5246 says SSL Servers do not have to send the root, so why should DataPower offer a field for it. But back to my original question! If DataPower as a Client requires SSL Servers to send the root when doing full chain checking, and DataPower can be an SSL Server to a DataPower SSL Client, where does IBM expect us to place the Root cert in that ID Cred?
------------------------------
Peter Potkay
------------------------------