IBM DataPower Gateway
Tip
Before proceeding, verify that the machine is already created in Certificate Manager - SaaS. Also, ensure that you've completed the prerequisite configuration steps for the IBM DataPower Gateway machine.
You can provision certificates to IBM DataPower Gateway instances, allowing Certificate Manager - SaaS to upload certificate and private key files to the correct application domain and update the gateway objects that reference those files.
- Sign in to Certificate Manager - SaaS.
- Click Installations > Machines.
- Click the checkbox next to the IBM DataPower Gateway machine that you want to provision a certificate to.
- Click Provision a certificate.
- From the Choose a certificate from the inventory field, begin typing the certificate name you want to provision. Click the certificate when you see it listed.
  Verify that you've selected the correct certificate by reviewing the Subject DN, Validity, and Fingerprint.
- In the Application Domain field, enter the name of the DataPower application domain where the certificate should be stored.
  Note
  The application domain must already exist on the DataPower Gateway. Leaving this field blank defaults to the default domain.
- In the Certificate Name field, enter the name for the CryptoCertificate object as it should appear in DataPower.
- In the Key Name field, enter the name for the CryptoKey object as it should appear in DataPower.
- In the Certificate File Path field, enter the file path where the certificate file should be stored in the DataPower file system.
  Note
  Example: cert:///server.pem. The path must use the cert:/// prefix for files in the certificate: directory.
- In the Key File Path field, enter the file path where the private key file should be stored in the DataPower file system.
  Note
  Example: cert:///server-key.pem. The path must use the cert:/// prefix for files in the certificate: directory.
- From the Certificate Usage Type drop-down, select the type of usage for this certificate:
  - HTTPS Listener - For inbound HTTPS services
  - Outbound TLS (Client) - For outbound connections to backend systems
  - Signing Credentials - For signing operations
  - Trust Anchors (CA Certs) - For trusted certificate authorities
  - Management Interfaces - For the DataPower management interface
  - Unbound Certificates - For certificates not currently referenced by any service
- Based on your selection in the previous step, additional fields will appear:
  For HTTPS Listener certificates:
  - SSL Profile / Credential Name - Enter the name of the SSLServerProfile or SSLClientProfile object
  - Identity Credential - Enter the name of the CryptoIdentCred object
  - HTTPS Front-Side Handler - Enter the name of the front-side handler
  - Listener Port - Enter the port number where the service listens
  - Multi-Protocol Gateway - Enter the name of the gateway service using this certificate
  For Outbound TLS (Client) certificates:
  - SSL Profile / Credential Name - Enter the name of the SSLClientProfile object
  - Identity Credential - Enter the name of the CryptoIdentCred object
  For other certificate types:
  The required fields will vary based on the usage type selected. Enter the appropriate DataPower object names that reference this certificate.
- If you don't want the certificate to be pushed when you save, toggle the Push upon saving slider to No.
- Click Save.
Want to schedule your provisions?
Schedule your provisions daily, weekly, or monthly. Learn more
After saving, the certificate is pushed to the DataPower Gateway and the configuration is saved. The certificate and private key files are uploaded to the specified domain, the referencing CryptoCertificate and CryptoKey objects are updated to point to the new files, and an installation is created on the Installations tab.
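A post-provisioning check for HTTPS Listener certificates, added here as an example (it is not part of Certificate Manager - SaaS or DataPower): it connects to the listener port and compares the served certificate with the Fingerprint reviewed when the certificate was selected. It assumes that fingerprint is a hex SHA-1 or SHA-256 digest of the DER certificate; the script name, host, and port are placeholders.

```python
import hashlib
import hmac
import socket
import ssl
import sys

# Assumption: the Fingerprint shown in the inventory is a hex SHA-1 (40 digits)
# or SHA-256 (64 digits) digest of the DER-encoded certificate.
_ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}


def normalize_fingerprint(text):
    """Strip separators and whitespace from a copied fingerprint, lowercase it."""
    cleaned = "".join(ch for ch in text if ch not in ": -\t\n").lower()
    if len(cleaned) not in _ALGO_BY_HEX_LEN or set(cleaned) - set("0123456789abcdef"):
        raise ValueError("expected a 40- or 64-digit hex fingerprint")
    return cleaned


def fingerprint_matches(der_cert, expected):
    """Return True if the DER certificate hashes to the expected fingerprint."""
    want = normalize_fingerprint(expected)
    got = hashlib.new(_ALGO_BY_HEX_LEN[len(want)], der_cert).hexdigest()
    return hmac.compare_digest(got, want)


def fetch_leaf_certificate(host, port, timeout=5.0):
    """Return the DER leaf certificate presented by the listener.

    Chain validation is disabled only so the certificate can be read even
    when its issuer is not in the local trust store; the fingerprint
    comparison is the actual check.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Hypothetical usage: python check_listener.py <gateway-host> <listener-port> <fingerprint>
    host, port, expected = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    ok = fingerprint_matches(fetch_leaf_certificate(host, port), expected)
    print("MATCH" if ok else "MISMATCH: listener is not serving the provisioned certificate")
    sys.exit(0 if ok else 1)
```

A mismatch right after a successful push usually means the listener's profile references a different CryptoCertificate object than the one named in the provisioning form.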
Configuration persistence
Certificate Manager - SaaS automatically saves the DataPower configuration after provisioning so changes persist across gateway restarts. TLS profiles, listeners, and services that reference the certificate are not modified during provisioning.
Limited Edition support
Certificate Manager - SaaS supports DataPower Gateway Limited Edition container images. When the Limited Edition restricts direct file downloads, Certificate Manager - SaaS automatically uses an alternative method to retrieve certificate data without accessing the file system.