How the crypto object is mapped on the runtime Gateway
When you need to reference a crypto object or certificate that is “infused” into the APIC framework, you can locate the name of the object or cert in the APIC generated domain of DataPower.
For example, if a user-defined policy requires the url-open extension function, which uses an SSL Proxy Profile, you can find the profile's name among the SSL Proxy Profile objects of the APIC generated domain, as shown in #2 in the diagram. Similarly, if a user-defined policy references a crypto key, you locate the Crypto Key object's name in that domain and use it for the reference.
When building a user-defined policy that needs crypto objects, the recommendation is to reference those objects by name rather than importing them with the user-defined policy. This is because there is no out-of-the-box support for managing crypto objects and their certificates once they have been imported that way.
The suggested approach is to create a TLS profile on the CMC and ensure that the profile is marked with the check dial enabled, so that the profile may be used throughout the provider organizations. Once the TLS profile is created on the CMC, the user-defined policy can use it, and it can be managed from the CMC rather than through the user-defined policy process (exporting from DataPower and re-importing the policy into APIC).
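As an added illustration (not from the original page or from APIC's own policy samples), the following user-defined policy implementation references the TLS profile by the name it carries on the gateway instead of importing its own crypto objects; the profile name and backend URL are placeholders to be replaced with the values found in the APIC generated domain.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: a DataPower user-defined policy (XSLT) calling a backend
     over TLS with dp:url-open. The SSL Proxy Profile is referenced by name,
     so the policy package carries no keys or certificates of its own.
     Both values below are placeholders, not names from the original page. -->
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:dp="http://www.datapower.com/extensions"
    extension-element-prefixes="dp"
    exclude-result-prefixes="dp">

  <!-- Placeholder: the SSL Proxy Profile name as it appears in the APIC
       generated domain (for a CMC-created TLS profile, the name APIC gave it). -->
  <xsl:variable name="tls-profile" select="'PLACEHOLDER_SSL_PROXY_PROFILE'"/>
  <!-- Placeholder backend endpoint reached through that profile. -->
  <xsl:variable name="backend" select="'https://backend.example.invalid/resource'"/>

  <xsl:template match="/">
    <!-- ssl-proxy names the gateway-managed profile; nothing is imported
         with the policy, so certificate rotation stays on the CMC side. -->
    <xsl:variable name="response">
      <dp:url-open target="{$backend}"
                   response-mode="xml"
                   ssl-proxy="{$tls-profile}">
        <xsl:copy-of select="/"/>
      </dp:url-open>
    </xsl:variable>
    <!-- Hand the backend response to the next step of the assembly. -->
    <dp:set-variable name="'var://context/policy/backend-response'"
                     value="$response"/>
    <xsl:copy-of select="$response"/>
  </xsl:template>
</xsl:stylesheet>
```

If the profile name changes on the gateway (for example after a new TLS profile is published from the CMC), only the placeholder variable needs updating; the policy's packaging is unaffected.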