DataPower mutual authentication SSL/TLS debugger

When implementing mutual TLS 1.2 for some services on DataPower, we found that most developers run into quite a few issues with it, mostly because they present the wrong certificate, or negotiate the wrong SSL/TLS version or cipher.

As a solution I built a self-service debugging tool for the developers. By sending a dummy request, developers can obtain information about their TLS connection. When they send some arbitrary content with a valid client certificate (signed by the intermediate or root CA) to port 7777, the service returns the issuer and subject of their client certificate as well as the negotiated cipher. Based on that cipher it makes a guess at the SSL/TLS version they are using and points them to another port that accepts only a single TLS version. They can then test the other ports (7775, 7776 and 7778) and, from whether or not they get a response, deduce which version of TLS their client is actually using. The cipher alone cannot settle the question: AEAD (GCM/ChaCha20) and SHA-256/SHA-384 suites require TLS 1.2, but older suites such as AES256-SHA can be negotiated on anything from SSLv3 up to TLS 1.2, which is exactly why the single-version ports exist.

The screenshot below shows an example response on the first port (7777, which supports all versions of SSL/TLS).

I created this service using a multi-protocol gateway with a custom XSL stylesheet, which you can see below:
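Since the stylesheet itself is not reproduced on this page, here is an added example that implements the same self-service debugger with Python's standard `ssl` module. It is not the original DataPower XSL and not i8c's code. It assumes the port layout 7775 = TLS 1.0, 7776 = TLS 1.1, 7778 = TLS 1.2 (the post only lists the port numbers), PEM files for the server certificate, its key and the CA that signs the client certificates, and OpenSSL's cipher-suite naming. The `NEXT_PORTS` and `SHORT` tables and all function names are this example's own.

```python
"""Self-service mutual-TLS debugger in the spirit of the DataPower service above.

Assumed port layout (the post only lists the numbers):
  7777 -> any SSL/TLS version the local OpenSSL still supports
  7775 -> TLS 1.0 only,  7776 -> TLS 1.1 only,  7778 -> TLS 1.2 only
Every listener demands a client certificate that chains to the CA file and answers
the dummy request with subject, issuer, cipher and the negotiated version.
"""
import socket
import ssl
import sys
import threading

# port -> (minimum_version, maximum_version); assumed mapping, see docstring
PORT_POLICY = {
    7777: (ssl.TLSVersion.MINIMUM_SUPPORTED, ssl.TLSVersion.MAXIMUM_SUPPORTED),
    7775: (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1),
    7776: (ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_1),
    7778: (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_2),
}
GUESS_TLS13, GUESS_TLS12, GUESS_LEGACY = "TLSv1.3", "TLSv1.2", "TLSv1.1 or older"
# which single-version port(s) the developer should try next, per guess (assumed)
NEXT_PORTS = {GUESS_TLS13: [], GUESS_TLS12: [7778], GUESS_LEGACY: [7775, 7776]}
# long attribute names as returned by SSLSocket.getpeercert() -> short RDN form
SHORT = {"countryName": "C", "stateOrProvinceName": "ST", "localityName": "L",
         "organizationName": "O", "organizationalUnitName": "OU", "commonName": "CN"}


def guess_tls_version(cipher_name):
    """Guess the protocol version from an OpenSSL cipher-suite name.

    TLS 1.3 suites carry IANA names (TLS_AES_..., TLS_CHACHA20_...); AEAD and
    SHA-2 PRF suites only exist from TLS 1.2 on; anything else (AES256-SHA,
    DES-CBC3-SHA, ...) is a legacy suite that SSLv3 through TLS 1.2 can all
    negotiate, so the cipher alone cannot pin the version down.
    """
    if cipher_name.startswith("TLS_"):
        return GUESS_TLS13
    if any(tok in cipher_name for tok in ("GCM", "CCM", "CHACHA20", "SHA256", "SHA384")):
        return GUESS_TLS12
    return GUESS_LEGACY


def dn_to_string(name):
    """Render getpeercert()'s nested-tuple DN as 'C=BE, O=..., CN=...'."""
    return ", ".join(f"{SHORT.get(attr, attr)}={value}" for rdn in name for attr, value in rdn)


def describe_connection(peercert, cipher, version, port):
    """Build the report sent back to the developer; cipher is SSLSocket.cipher()."""
    name, _, bits = cipher
    guess = guess_tls_version(name)
    return {
        "port": port,
        "subject": dn_to_string(peercert["subject"]),
        "issuer": dn_to_string(peercert["issuer"]),
        "cipher": f"{name} ({bits} bit)",
        "negotiated": version,        # what OpenSSL actually agreed on
        "guess_from_cipher": guess,   # what the DataPower version had to infer
        "try_next": NEXT_PORTS[guess],
    }


def format_report(report):
    return "".join(f"{key}: {value}\n" for key, value in report.items())


def make_server_context(port, ca_file, cert_file, key_file):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version, ctx.maximum_version = PORT_POLICY[port]
    ctx.verify_mode = ssl.CERT_REQUIRED         # mutual TLS: no valid client cert, no handshake
    ctx.load_verify_locations(cafile=ca_file)   # the intermediate/root CA that signs client certs
    ctx.load_cert_chain(cert_file, key_file)
    if PORT_POLICY[port][1] in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1):
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # modern OpenSSL refuses TLS < 1.2 at its default level
    return ctx


def handle(conn, port):
    try:
        conn.settimeout(5)
        conn.recv(4096)  # the dummy request; its content is irrelevant
        report = describe_connection(conn.getpeercert(), conn.cipher(), conn.version(), port)
        conn.sendall(format_report(report).encode())
    finally:
        conn.close()


def serve(port, ca_file, cert_file, key_file):
    ctx = make_server_context(port, ca_file, cert_file, key_file)
    with socket.create_server(("", port)) as listener, ctx.wrap_socket(listener, server_side=True) as tls:
        while True:
            try:
                conn, _ = tls.accept()  # the TLS handshake happens here
            except OSError as exc:      # ssl.SSLError is an OSError
                # wrong CA, missing client cert, version or cipher mismatch all land here;
                # the developer only sees a dropped connection, the reason stays in our log
                print(f"[{port}] handshake failed: {exc}", file=sys.stderr)
                continue
            threading.Thread(target=handle, args=(conn, port), daemon=True).start()


if __name__ == "__main__":
    ca, cert, key = sys.argv[1:4]  # e.g. ca.pem server.pem server.key
    for p in PORT_POLICY:
        threading.Thread(target=serve, args=(p, ca, cert, key), daemon=True).start()
    threading.Event().wait()       # keep the listeners alive
```

A developer tests it the same way as the DataPower service, for example with `openssl s_client -connect host:7778 -tls1_2 -cert client.pem -key client.key -CAfile ca.pem` and then typing anything; a handshake failure on a single-version port, with a success on 7777, tells them which version their client is really negotiating. Two caveats: Python's `ssl` cannot speak SSLv3 at all, so the "all versions" port only covers what the local OpenSSL build supports, and the TLS 1.0/1.1 listeners need an OpenSSL that still has those versions compiled in. Unlike the DataPower stylesheet, the example also reports the negotiated version directly next to the cipher-based guess, so the guess can be checked.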

Author: Tom V.O.

Below you can find the files required to recreate this service; feel free to reuse or modify them to your needs:
An export of the multi-protocol gateway and all the relevant objects

The required certificates and keys for the DataPower

The archive with the client certificates in various formats
