Signer Groups and CRLs for API Security

Date posted: February 3, 2014

Signer Groups and CRLs are the cornerstone of the PKI management necessary for API security. In the asymmetric cryptography used for SSL, when an X.509 certificate is presented to a client or a server, certificate chain validation establishes trust in the certificate and the public key that it represents. Certificate chain validation requires intermediate and root certificates that are embedded in the client (e.g., a browser) or the server (e.g., an Apache server). Additionally, if an X.509 certificate is compromised, it can be marked as revoked through Certificate Revocation Lists (CRLs) or the Online Certificate Status Protocol (OCSP), so that any entity presenting it cannot be trusted. Certificate validation through Signer Groups and revocation through CRLs or OCSP form the backbone of the PKI management necessary for SSL, XML, SOAP and Big Data security.

In this tutorial, we show how to rapidly enable and manage Signer Groups and CRLs to establish API security using the Forum Sentry API Gateway.

After you log into the web-based Forum Sentry administrative interface, expand Resources in the left-hand navigation panel and select Signer Groups under PKI. A default list of embedded root certificates is shown below. Security admins can create their own certificate chains as well. For the signer group certificates, CRL policies or OCSP can be used to check the revocation status of intermediate or root certificates.

[Screenshot: Forum Sentry API Gateway Signer Group Management]

Forum Sentry provides a variety of mechanisms to help determine whether the certificate being presented is revoked. LDAP, local files, URLs, CDPs and XKMS can be used to establish the validity of the X.509 certificate being processed by Sentry for cryptographic operations. For enhanced performance, Forum Sentry also provides granular caching of revocation lists.

[Screenshot: Forum Sentry API Gateway CRL]

For testing and prototyping purposes, it is convenient to use a self-signed certificate and skip determining whether the X.509 certificate being used is indeed trustworthy. Using certificate chain validation and revocation lists is crucial in ensuring that the X.509 certificate used for cryptography in SSL and other security operations represents the entity it claims to represent and is still a valid, non-revoked certificate.
