Layer7 API Management


How to configure Mutual Authentication in Layer 7 Gateway?

  • 1.  How to configure Mutual Authentication in Layer 7 Gateway?

    Posted 06-03-2016 08:08 PM

    No client certificate was present in the request



  • 2.  Re: How to configure Mutual Authentication in Layer 7 Gateway? What does a client / vendor need to do in order to have a successful mutual handshake?

    Posted 06-08-2016 09:42 AM

    Just to be absolutely clear here, you are using the "Require SSL or TLS Transport with Client Authentication" assertion, and it is on that assertion that your audit log shows the result "No Client Certificate was present in the request"?


    When you added the client's cert to your store did you open the options tab and select "Signing Client Certificates" check box?  As I understand it (and my understanding may not be complete), the client auth part of the protocol causes the server (your gateway) to send back to the client a list of certificates it will accept for client authentication.  I think it gets this list from the certificate store, where those entries have that option checked. 


    Beyond that point it can get a little tricky.  This is information I got from support when I had a similar situation.  "The certificate in the list must be one of the issuer certificates used to sign the client certificate being used.  If not then the client will not provide any certificate for validation. Additional note, that unless the certificate is self-signed you cannot provide the client public certificate as part of this list."


    So for example, I think I once had the self signed user certificate in the store and I needed the signing certificate.


    So I'd say make sure you have the "Signing Client Certificates" option checked and try it again.  If it still doesn't work, I may not know what I'm talking about, but I'll have to figure it out because I have a similar situation coming up real soon.



  • 3.  Re: How to configure Mutual Authentication in Layer 7 Gateway? What does a client / vendor need to do in order to have a successful mutual handshake?

    Posted 06-08-2016 02:58 PM

    Simple idea on this is, without going too much into detail: in order for Mutual Authentication to work between gateway and client, 1. the client needs to export the certificate from its private key and give it to the gateway, and 2. the Gateway needs to export the certificate from its own private key as well and share it with the client; this way they will both trust each other. Or, if you are talking about client mutual authentication outbound: get a private key file from the end point customer, which will need to be imported into the Gateway through the Policy Manager. This file will be imported via Tasks -> Manage Private Keys, then selecting "Import". You will need to enter the password set by the end point customer for the .p12 (private key) file. Once you have imported the .p12 file, you will now need to edit the HTTP routing assertion in the policy being used. Right click on the HTTP routing assertion and "Select private key". Choose from the drop down the private key you just imported, and now the system will present the new keys when the SSL handshake occurs.



  • 4.  Re: How to configure Mutual Authentication in Layer 7 Gateway? What does a client / vendor need to do in order to have a successful mutual handshake?

    Posted 06-08-2016 03:48 PM

    Hi Ajan,

    Thanks for the reply. I did all that properly. My vendor is trying to access the service endpoints in the gateway from .NET and PHP applications. Is it that the way they are sending the cert to the gateway is wrong? Do you have any idea on this?



  • 5.  Re: How to configure Mutual Authentication in Layer 7 Gateway? What does a client / vendor need to do in order to have a successful mutual handshake?

    Posted 06-08-2016 04:27 PM

    I am not sure how your 'vendor application' works, but one of the ways you can do it is to use a FIP user to authenticate. For example:

    you have a browser on your laptop and you are hitting a policy on the gateway.

    1. you would create a FIP Identity Provider on the gateway with user 'JOHN'
    2. now you would create a private key named JOHN
    3. generate a CSR value, sign it by the CA certificate
    4. go back to private key JOHN, replace the certificate chain by the signed cert. That will import the root cert (CA Cert) and your signed JOHN cert.
       Now go back to FIP identity provider > properties and add only the root cert to it (which tells it: trust any cert that comes in and is signed by this root cert, as long as the username and the CERT CN value match; in our case JOHN).
    5. now, export this private key
    6. import it to a browser
    7. access the policy that has the Require Cert SSL TLS assertion .. and the Authenticate against FIP identity provider assertion
    8. your browser should offer that private key and go through the policy

    *****************


    if you have more questions, you might wanna open a case with CA SUPPORT

    NOTE: sorry if I misspelled something I was just brainstorming here ...



  • 6.  Re: How to configure Mutual Authentication in Layer 7 Gateway? What does a client / vendor need to do in order to have a successful mutual handshake?

    Posted 06-09-2016 08:19 AM

    If you are still getting the 'No client cert present' errors, here's a quote from CA support that may help.


    The key piece on this is the certificates assigned the "Sign Certs" option in the Manage Certificates interface. During the SSL handshake the client will tell the gateway what TLS provider and cipher suites it can handle, then the Gateway will align the TLS and pick the highest agreed upon Cipher. Also, as a part of this handshake it will ask for a Client certificate and provide a trusted CA list of certificates based on certificates tagged with the Sign Certs option. The certificate in the list must be one of the issuer certificates used to sign the client certificate being used; if not, then the client will not provide any certificate for validation. Additional note: unless the certificate is self-signed you cannot provide the client public certificate as part of this list.


    Beyond that, I think what was said earlier about the FIP is true, but you have to get beyond the Require SSL.. part before that does any good.  Right now I have a similar situation where I have the connection working and apparently getting a cert, but not having any luck confirming that by displaying its content in the audit.  If I get that working I'll let you know.
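    Putting the support note above to work as a check you can run yourself: this is an added example, not code from the thread or from Layer7. It reads a saved transcript of "openssl s_client -connect <gateway-host>:<port> </dev/null", pulls out the CA list the gateway advertised in its CertificateRequest, and tells you whether a client cert with a given subject/issuer would be offered at all. The transcript and all DNs below are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from Layer7: read the transcript of
#   openssl s_client -connect <gateway-host>:<port> </dev/null
# and decide whether a client holding a given certificate would send it.
# The client answers the gateway's CertificateRequest only when the ISSUER of its
# certificate is in the advertised CA list; listing the leaf itself only helps
# when the leaf is self-signed (issuer == subject).

# Print the CA names the server advertised, one DN per line (stdin: transcript).
advertised_ca_names() {
    awk '/^Acceptable client certificate CA names$/ { on = 1; next }
         on && /^(Client Certificate Types:|Requested Signature Algorithms|---|SSL handshake has read)/ { exit }
         on { print }'
}

# client_cert_verdict TRANSCRIPT_FILE SUBJECT_DN ISSUER_DN
# DNs use the one-line format the same openssl version prints for
# "openssl x509 -noout -subject" / "-issuer", without the "subject="/"issuer=" prefix.
client_cert_verdict() {
    transcript=$1; subject=$2; issuer=$3
    if grep -q '^No client certificate CA names sent$' "$transcript"; then
        echo EMPTY_LIST               # cert requested, but no CA hints given
    elif ! grep -q '^Acceptable client certificate CA names$' "$transcript"; then
        echo NO_REQUEST               # listener never asked for a client cert
    else
        names=$(advertised_ca_names < "$transcript")
        if printf '%s\n' "$names" | grep -Fxq -- "$issuer"; then
            [ "$subject" = "$issuer" ] && echo SELF_SIGNED_OK || echo ISSUER_OK
        elif printf '%s\n' "$names" | grep -Fxq -- "$subject"; then
            echo LEAF_LISTED_NOT_ISSUER   # "Sign Certs" ticked on the wrong cert
        else
            echo ISSUER_NOT_LISTED        # expect "No client certificate was present"
        fi
    fi
}

# CONSTRUCTED sample transcript (placeholder DNs): one issuing CA advertised.
SAMPLE_TRANSCRIPT=$(mktemp); trap 'rm -f "$SAMPLE_TRANSCRIPT"' EXIT
cat > "$SAMPLE_TRANSCRIPT" <<'EOF'
---
Acceptable client certificate CA names
C = US, O = Example Corp, CN = Example Issuing CA
Client Certificate Types: RSA sign, ECDSA sign
---
EOF

CA_DN='C = US, O = Example Corp, CN = Example Issuing CA'
client_cert_verdict "$SAMPLE_TRANSCRIPT" 'CN = vendor-app' "$CA_DN"          # ISSUER_OK
client_cert_verdict "$SAMPLE_TRANSCRIPT" 'CN = vendor-app' 'CN = Other CA'   # ISSUER_NOT_LISTED
```

    If the verdict is ISSUER_NOT_LISTED or LEAF_LISTED_NOT_ISSUER, the fix is on the gateway side (the issuing CA cert needs the "Sign Certs" / "Signing Client Certificates" option), not in the vendor's .NET or PHP code.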



  • 7.  Re: How to configure Mutual Authentication in Layer 7 Gateway? What does a client / vendor need to do in order to have a successful mutual handshake?

    Posted 06-09-2016 03:21 PM

    Thanks Paul, I did follow all that was mentioned. Is there any way we can do the testing at our end, without involving the vendor, just to ensure it is working?


    And also, you said that you are getting the cert; can you tell me how I verify whether I am getting the cert or not at the gateway, any specific context variable to look for?



  • 8.  Re: How to configure Mutual Authentication in Layer 7 Gateway? What does a client / vendor need to do in order to have a successful mutual handshake?
    Best Answer

    Posted 06-09-2016 10:45 PM

    I used an "Add Audit Details" to display ${request.ssl.clientCertificate.pem}, which is the only format I could find that would display as text.  But if you're still getting 'No client certificate ...' it's not going to have anything in it.  You have to get past that, and that's all controlled by the description I posted earlier.  If that's not working, there's something wrong with the cert exchange described there, like you don't have the right signing cert, don't have the 'sign client certs' option checked, etc.



  • 9.  Re: How to configure Mutual Authentication in Layer 7 Gateway? What does a client / vendor need to do in order to have a successful mutual handshake?

    Posted 06-22-2016 01:53 PM

    Oh yeah, sorry, I was sort of taking for granted your network setting was allowing such things.  For the record, you shouldn't have to use "Required", in fact that can be a bit dangerous because it means that listener will ONLY work for things that can, and do, participate in client auth.  "Optional" should work for client auth and still allow things that may not support it, or where it's unnecessary.  I would use "Optional" and use the "Require SSL or TLS Transport with Client Authentication" assertion where I really needed client auth, but that's just my opinion, influenced by the nature of our operation.


    In fact we've had applications where we had to give them a different port with client auth set to "None".  I'm a little fuzzy on the details of that, it's been a long time ago, but it seems we had some service requesting client auth but a client with an asynchronous process from a browser that didn't know what to do with the client auth request. (I think it popped up a message to the user, who was even more confused.)  The goofy part was that it seems if the client refused to participate (ergo setting the "None" option) the service disregarded the requirement.  Again, it was a long time ago.  I may not have all the details of that correct.


    Name is Pete by the way.  StPaul is a city.