Implicit certificates configuration in IBM Datapower

  • 1.  Implicit certificates configuration in IBM Datapower

    Posted Tue August 31, 2021 08:19 PM

    I would like to know whether there is any way in DataPower to connect to remote backends without explicit use of a Proxy Profile or SSL Client Profile.

    In other words, acting like web browsers, where it is not necessary to tell the web browser which certificate(s) is (are) required in order to establish a secure connection?

    I would appreciate any information or link related to this, to justify to managers and chiefs whether explicit use of certificates is correct or not in DataPower, due to a problem we are facing now.

    Regards



    #DataPower
    #Support
    #SupportMigration


  • 2.  RE: Implicit certificates configuration in IBM Datapower

    Posted Wed September 01, 2021 07:41 AM

    Hi,

    I think you always have to define the client profile but not necessarily the certificates. You can create a TLS Client profile without id or validation credentials, or in other words you don't have to explicitly specify the certificates.

    --HP





  • 3.  RE: Implicit certificates configuration in IBM Datapower

    Posted Tue September 07, 2021 05:58 PM

    Hi:


    Do you have any IBM documentation about your response? I'll try this and thank you.


    Regards





  • 4.  RE: Implicit certificates configuration in IBM Datapower

    Posted Wed September 08, 2021 05:20 AM

    It isn't stated explicitly, but if you look at the configuration and the documentation in IBM Knowledge Center you can see that id and validation credentials are optional.

    https://www.ibm.com/docs/en/datapower-gateways/10.0.1?topic=profiles-creating-tls-client-profile

    --HP





  • 5.  RE: Implicit certificates configuration in IBM Datapower

    Posted Mon October 04, 2021 04:11 PM

    Hi

    I have developed a few tests without validation credentials and all of them work well, but I want to know in more depth how DataPower obtains the right certificate to use during the handshake. Is there a truststore inside DataPower where global CAs are located?

    Regards





  • 6.  RE: Implicit certificates configuration in IBM Datapower

    Posted Wed October 06, 2021 06:21 AM

    Can you specify what you mean by "obtain the right certificate"? Client certificate is only used in handshake if the server is enforcing client authentication. Server certificate is validated if you want to enforce validation. Otherwise you are just doing a "normal" handshake.


    --HP





  • 7.  RE: Implicit certificates configuration in IBM Datapower

    Posted Thu October 14, 2021 08:41 PM

    Hi again:


    Reading the following link, https://www.ibm.com/support/pages/public-certificates-and-datapower-gateway, public CAs were removed from pubcert: in DataPower. In the newest versions of DataPower, where are the public CAs located? Or is it mandatory to upload them all manually?


    Regards





  • 8.  RE: Implicit certificates configuration in IBM Datapower

    Posted Thu October 14, 2021 08:46 PM

    In other words, is there a truststore in DataPower with all public root certificates?





  • 9.  RE: Implicit certificates configuration in IBM Datapower

    Posted Fri October 15, 2021 06:14 AM

    Hi,

    seems that the public certs have been completely moved. I am not absolutely sure about this because I have been using Docker form-factor for the past four years and I don't have any access to other types of DataPower environments. At least for Docker there aren't any public certs available in the latest V10 firmware version. Anyways, I have always uploaded the certs that I have needed. Never used the ones that IBM had supplied.


    --HP
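
Added example, not part of any post in this thread and not DataPower configuration: a generic `openssl` illustration of the behaviour discussed in replies 6 and 9. It assumes a client with no validation credentials performs no server-certificate check (mode `off`), and that with validation on only uploaded anchors are trusted; the certificates, host name and function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added illustration using the openssl CLI; not DataPower configuration.
# Certificates are constructed throwaway test data; all names are hypothetical.

# make_cert <dir> <name> <CN>: create a self-signed certificate and key.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# validates <cert> <store>: 0 only if <cert> chains to an anchor in <store>.
# -no-CAfile/-no-CApath keep the system default trust store out of the check.
validates() {
    openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# client_accepts <mode> <server-cert> [<store>]
#   off: no validation credentials, the server certificate is not checked
#   on : the server certificate must chain to an anchor in <store>
client_accepts() {
    case "$1" in
        off) return 0 ;;
        on)  validates "$2" "$3" ;;
        *)   return 2 ;;
    esac
}

demo() {
    d=$(mktemp -d) || return 1
    make_cert "$d" backend  backend.example.test   # the intended backend
    make_cert "$d" impostor backend.example.test   # same name, different key
    for mode in off on; do
        for c in backend impostor; do
            if client_accepts "$mode" "$d/$c.pem" "$d/backend.pem"; then
                echo "validation=$mode server=$c -> accepted"
            else
                echo "validation=$mode server=$c -> rejected"
            fi
        done
    done
    rm -rf "$d"
}

demo
```

With validation off, both the backend and the impostor are accepted, which is why tests without validation credentials "work"; only with validation on and the backend's certificate in the store is the impostor rejected.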