Securing APIs is one of the most important aspects of API management, and customers use different mechanisms such as OAuth and JWT to achieve it. JWT is now a widely used mechanism for securely transferring information over the web between two parties. It is used both for authentication and for information exchange, and it relies on crypto objects (keys/certificates) for signing and encryption.
Today we are going to see how, in an APIC SaaS environment, we can push crypto objects (keys/certificates) to the DataPower Gateway and reference them in APIs for use with the generate-jwt or jwt-validate gateway policy.
We will achieve this by creating a TLS profile that pushes the keys/certificates through API Manager, and then reading the pushed crypto objects from a GatewayScript in the API by following the naming convention the Gateway uses when it creates them, since we do not have direct access to the Gateway (DataPower) as part of APIC SaaS.
Prerequisites:
· IBM APIC SaaS Advanced subscription (GatewayScript is not available in the Standard one)
· Certificate/key pair, to be used for JWT signing/encryption/decryption etc.
Steps:
· Log in to your APIC SaaS instance. Click on Resources -> Crypto Material

· Then scroll to Keystore and click Create.

· Then provide a title for the keystore. Upload the private key and public key (certificate) to the keystore that is going to be used for JWT generation/validation. Click Save.

· Once you have the keystore created with the required key/certificates, create a TLS profile.
Click Create.

Provide a title and keep the version as default.
Select the keystore created in the step above from the dropdown.
Then click Save.

· Once the TLS profile is created, we need to apply it to a Catalog to push it to the Gateway.
Go to Manage -> select the Catalog -> Catalog Settings -> TLS Client Profiles.
Click Edit and select the TLS client profile created above.
This will push the keys/certificates to the Gateway.

The pushed files are created with names in the following format:
private-key file: <apim-organization>_<catalog>_tlsp-<apim-tlsclientprofile>V<version>-key
public-cert file: <apim-organization>_<catalog>_tlsp-<apim-tlsclientprofile>V<version>-ca-<sequence number>
<apim-organization> - The provider organization name.
<catalog> - The catalog name where we applied the TLS client profile.
<apim-tlsclientprofile> - The TLS client profile name with which it was created.
<version> - Default is 1.0.0; it can be seen while creating the TLS profile.
<sequence number> - This is 0 for the keystore certificate. It is incremented for each additional certificate if we add a truststore as well.
Note: Some customers, though rarely, keep crypto objects per consumer org. In that case, for dynamic referencing, you can create the TLS client profile with the same name as the consumer org and, in your GatewayScript, substitute <apim-tlsclientprofile> with the consumer org name taken from the API properties variable.
Below is a sample GatewayScript to read the crypto objects pushed to the Gateway via the TLS profile. (Here we assume the TLS profile name is the same as the consumer org name; you can hardcode it if there is only one profile across all consumer orgs.)
var orgname = context.get('api.org.name');          // provider organization name
var catalogname = context.get('api.catalog.name');  // catalog the TLS client profile was applied to
var cOrgname = context.get('client.org.name');      // consumer org name, which doubles as the TLS profile name here
// Public certificate: sequence number 0 is the keystore certificate
context.set('publiccert', orgname + "_" + catalogname + "_tlsp-" + cOrgname + "V1.0.0-ca-0");
// Private key
context.set('privatekey', orgname + "_" + catalogname + "_tlsp-" + cOrgname + "V1.0.0-key");
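The naming convention and the script above, as an added example that is not code from the original article or from IBM API Connect: it builds the crypto-object names for the keystore and any truststore certificates, fails closed when a context variable is missing, and uses a stand-in `context` object (assumed here) so it runs under plain Node.js.

```javascript
// Added example, not code from the original article or from IBM API Connect.
// It builds the crypto-object names that API Manager creates on the Gateway
// when a TLS client profile is pushed to a catalog, then sets the context
// variables the way the script above does. It runs under plain Node.js with a
// stand-in context; in a real policy, pass the GatewayScript `context` instead.

function cryptoObjectNames(org, catalog, profile, version, truststoreCount) {
  // A missing component would yield a name like "undefined_sandbox_...", so
  // fail here instead of letting the JWT policy fail later with an opaque error.
  for (const [label, value] of Object.entries({ org, catalog, profile })) {
    if (typeof value !== 'string' || value.length === 0) {
      throw new Error('missing naming component: ' + label);
    }
  }
  const base = org + '_' + catalog + '_tlsp-' + profile + 'V' + (version || '1.0.0');
  // Sequence 0 is the keystore certificate; truststore certificates follow it.
  const caCerts = [];
  for (let seq = 0; seq <= (truststoreCount || 0); seq++) {
    caCerts.push(base + '-ca-' + seq);
  }
  return { privateKey: base + '-key', publicCert: caCerts[0], caCerts: caCerts };
}

// Mirrors the script above (TLS profile name == consumer org name). The version
// is a parameter rather than a hard-coded "V1.0.0" so that a profile re-created
// at a newer version does not silently resolve to stale key material.
function setCryptoVars(ctx, version) {
  const names = cryptoObjectNames(
    ctx.get('api.org.name'),
    ctx.get('api.catalog.name'),
    ctx.get('client.org.name'),
    version,
    0
  );
  ctx.set('publiccert', names.publicCert);
  ctx.set('privatekey', names.privateKey);
  return names;
}

// Minimal stand-in for the GatewayScript context object (constructed here).
function fakeContext(vars) {
  const store = Object.assign({}, vars);
  return { get: (k) => store[k], set: (k, v) => { store[k] = v; } };
}

// Constructed sample values for the three context variables used above.
const demo = fakeContext({ 'api.org.name': 'acme', 'api.catalog.name': 'sandbox',
                           'client.org.name': 'payments-corg' });
console.log(setCryptoVars(demo, '1.0.0'));
```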
We can refer to the variables set for the public cert and private key later in the generate or validate JWT policy, as shown in the example below.
