
Recipe: API Connect v5 - Referencing Crypto Objects in User-Defined Policies

By Will LIAO posted Tue September 28, 2021 11:01 PM

  

Originally published on July 5, 2017 / Updated on November 12, 2020


Overview

Skill Level: Any Skill Level

This recipe shows how a TLS profile created in the Cloud Management Console (CMC) is mapped to crypto objects in the API Connect generated domain on DataPower, and how a user-defined policy should reference those objects by name instead of shipping its own certificates.

Step-by-step

  1. How the crypto object is mapped on the runtime Gateway

    When you need to reference a crypto object or certificate that has been pushed into the APIC framework from CMC, you can locate the name of the generated object or certificate in the APIC generated domain on DataPower.

    For example, if a user-defined policy uses the url-open extension function with an SSL Proxy Profile, you will find the profile name under SSL Proxy Profile in the APIC generated domain, as shown in #2 in the diagram. Similarly, if you need to reference a crypto key from a user-defined policy, locate the Crypto Key object in that domain and use its name as the reference.

    When building a user-defined policy that needs crypto objects, the suggestion is to refrain from packaging those objects and certificates inside the policy itself, because there is no out-of-the-box support for managing certificates imported that way (renewal or replacement means exporting from DataPower and re-importing the policy into APIC).

    The suggested approach is to create a TLS profile in CMC and make sure the profile's Public setting (the check dial) is enabled, so the profile may be used throughout the provider organizations. Once the TLS profile exists in CMC, the user-defined policy can reference the generated object by name, and the certificates and trust store behind it are managed from CMC rather than through the user-defined policy process.

  2. Validating the Present Cert

    The certificate file is renamed when it is pushed to DataPower, so the file name alone will not tell you which certificate is in use. From the Crypto Certificate object in the APIC generated domain, click Details to view the certificate properties and confirm that the subject, issuer, serial number and validity period match the certificate you uploaded in CMC. You may also open the File Management section of DataPower and inspect the file under the cert:/// folder.

  3. Validating the Trust Store

    The Trust Store is only populated on the gateway when the TLS profile requests client certificates. To see it, select "Request and validate certificate against the supplied CAs in the truststore" on the CMC TLS profile.

    As you can see, I've uploaded testCertB into the Trust Store and enabled "Request and validate certificate":
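The stylesheet below is an added example; it is not part of the original recipe and not a policy shipped with API Connect or DataPower. It shows the pattern from step 1: a user-defined policy implemented in XSLT calls a TLS back end through dp:url-open and names the SSL Proxy Profile that API Connect generated from the CMC TLS profile, rather than carrying its own certificates. The profile name `apic-example-tls-profile`, the target URL and the two parameter names are placeholders (take the real profile name from the SSL Proxy Profile list in the APIC generated domain, as described above); how the parameters are bound to policy properties is not shown here. The dp: extension elements exist only on DataPower, so the stylesheet cannot be run in a generic XSLT processor.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the original post). A user-defined-policy stylesheet
     that calls a back end over TLS with dp:url-open and references the SSL Proxy
     Profile that API Connect generated for a CMC-created TLS profile.
     All names below are placeholders; read the real profile name from
     Objects > Crypto Configuration > SSL Proxy Profile in the APIC generated domain. -->
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:dp="http://www.datapower.com/extensions"
    extension-element-prefixes="dp"
    exclude-result-prefixes="dp">

  <!-- Name of the APIC-generated SSL Proxy Profile (assumed value). -->
  <xsl:param name="ssl-profile" select="'apic-example-tls-profile'"/>
  <!-- Back-end endpoint that requires TLS (assumed value). -->
  <xsl:param name="target" select="'https://backend.example.com/lookup'"/>

  <xsl:template match="/">
    <!-- Wrap the incoming message as the back-end request body. -->
    <xsl:variable name="request">
      <lookup>
        <xsl:copy-of select="/*"/>
      </lookup>
    </xsl:variable>

    <!-- ssl-proxy names the crypto object only. The certificate, key and trust
         store it uses are the ones managed from CMC, so nothing is packaged
         with this policy and certificate renewal does not touch the policy. -->
    <xsl:variable name="response">
      <dp:url-open target="{$target}"
                   response="responsecode"
                   ssl-proxy="{$ssl-profile}"
                   content-type="text/xml"
                   timeout="10">
        <xsl:copy-of select="$request"/>
      </dp:url-open>
    </xsl:variable>

    <!-- Fail closed: a TLS handshake failure (for example the back end's
         certificate not being in the trust store) never yields a 2xx code,
         so anything other than 2xx rejects the transaction. -->
    <xsl:choose>
      <xsl:when test="starts-with(string($response/url-open/responsecode), '2')">
        <xsl:copy-of select="$response/url-open/response/*"/>
      </xsl:when>
      <xsl:otherwise>
        <dp:reject>
          <xsl:value-of select="concat('back-end call failed, response code: ',
                                       $response/url-open/responsecode)"/>
        </dp:reject>
      </xsl:otherwise>
    </xsl:choose>
  </xsl:template>
</xsl:stylesheet>
```

Because the stylesheet only carries the object name, replacing the certificate or adding a CA in the CMC TLS profile changes what the gateway presents and trusts without re-exporting or re-importing the policy, which is the point of step 1.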
