DataPower, as many other gateways, can validate certificates via different standards depending on your requirements, as well as those of the systems, partners, and clients that will need to be secure as you are exchanging information.
As an example, DataPower supports three different “validation modes”; the command to set the validation mode:
- cert-validation-mode legacy: This mode is maintained for backwards compatibility. This is where validation credentials contain the exact peer certificate to match, or the certificate of the immediate issuer. These might be an intermediate CA or a root CA.
- cert-validation-mode pkix: The complete certificate chain is checked, from subject to root, with this validation credential for certificate validation.
- cert-validation-mode exact-match: The validation credentials contain the exact peer certificate to match.
Choosing which mode to standardize on may be a challenge depending on the industry and your security needs, but as a best practice, we recommend using PKIX.
When using PKIX, DataPower will verify that the client certificate is either matched exactly in the certificate list, or that a complete signer chain from the incoming cert, all the way to the root certificate authority, can be established. Since this is your primary method for verifying client identity, you should ensure that it is fully validated.
PKIX implies that you understand the signers of the clients. You need to include all the intermediates and root signer certificates. If you don’t, DataPower will reject the connection.
For more information for DataPower users, we recommend this link in the IBM Knowledge Center
If you would like to speak with an iSOA Trusted Advisor or engage our team for assistance please email us at info@isoagroup.com, or call us at 707-773-1198.