Layer7 API Management

  • 1.  No Client Certificate was present

    Posted Oct 29, 2015 05:02 PM


    I can't seem to get my gateway to use client authentication.  The first assertion in my service is "Require SSL or TLS Transport with Client Certificate Authentication", with all client auth options set to required.  All I can get back is "No Client Certificate was present in the request.".  I have the listener in use set to client authentication "optional" (I tried "required" and it doesn't even get to the service).  I have the TLS version set to use 1.1 or 1.2.

    Not trusting my SOAPUI client to provide a certificate, I tried hitting my service with a browser.  When I use the browser (Google Chrome) to access a web site I know requires client auth, it gives me a message asking to select my cert for client authentication.  No such message when I go after my gateway.  This is primarily why I don't think the gateway is sending the request for client authentication as it should.

    Anyone have any ideas I haven't already tried?



  • 2.  Re: No Client Certificate was present
    Best Answer

    Broadcom Employee
    Posted Nov 04, 2015 01:04 PM

    Pete,

    The key piece here is which certificates have the "Sign Certs" option set in the Manage Certificates interface. During the SSL handshake the client will tell the gateway what TLS provider and cipher suites it can handle, then the Gateway will align the TLS and pick the highest agreed-upon cipher. Also, as part of this handshake, it will ask for a client certificate and provide a trusted CA list of certificates based on certificates tagged with the Sign Certs option. The certificate in the list must be one of the issuer certificates used to sign the client certificate being used; if not, then the client will not provide any certificate for validation. Additional note: unless the certificate is self-signed, you cannot provide the client public certificate as part of this list.

     

     

    Sincerely,

    Stephen Hughes
    CA Technologies
    Director, CA Support
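
The check described in the answer above, as an added example that is not part of the original post or of the gateway product: it parses the "Acceptable client certificate CA names" section that `openssl s_client` prints when a server requests a client certificate, and tests whether the client certificate's issuer DN is in it. The handshake text and all DNs are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed stand-in for `openssl s_client -connect <gateway>:<port>` output.
# $1 is the DN the server advertises; all DNs here are placeholders, and the
# DN formatting differs between OpenSSL versions.
sample_handshake() {
    printf '%s\n' '---' \
        'Acceptable client certificate CA names' \
        "$1" \
        'Client Certificate Types: RSA sign, ECDSA sign' \
        'Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256' \
        '---'
}

LEAF_DN='C = US, O = Example Corp, CN = pete.user'            # client cert subject
ISSUER_DN='C = US, O = Example Corp, CN = Example Issuing CA' # its issuer

# Print the CA DNs the server advertised, one per line.
advertised_cas() {
    printf '%s\n' "$1" | awk '
        /^Acceptable client certificate CA names/ { in_list = 1; next }
        in_list && /^(---|[A-Za-z ]+:)/           { in_list = 0 }
        in_list && NF                              { print }'
}

# $1 = s_client output, $2 = issuer DN of the client certificate
# (the text after "issuer=" from `openssl x509 -in client.pem -noout -issuer`).
diagnose() {
    cas=$(advertised_cas "$1")
    if [ -z "$cas" ]; then
        echo 'no-ca-names-advertised'
    elif printf '%s\n' "$cas" | grep -Fxq -- "$2"; then
        echo 'issuer-advertised'
    else
        echo 'issuer-not-advertised'
    fi
}

# Misconfiguration: the leaf certificate itself is the trusted entry.
diagnose "$(sample_handshake "$LEAF_DN")" "$ISSUER_DN"
# Corrected: the CA that signed the leaf is the trusted entry.
diagnose "$(sample_handshake "$ISSUER_DN")" "$ISSUER_DN"
```

Against a real listener, take both the handshake output and the issuer DN from the same OpenSSL build so the DN strings are formatted identically.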



  • 3.  Re: No Client Certificate was present

    Posted Nov 04, 2015 02:14 PM

    I got it working!  The critical piece of information was this.

    “The certificate in the list must be one of the issuer certificates used to sign the client certificate being used; if not, then the client will not provide any certificate for validation. Additional note: unless the certificate is self-signed, you cannot provide the client public certificate as part of this list.”

    I was indeed including my specific personal cert, that is signed by the 3M CA.  I needed the 3M CA intermediate that signed it on the gateway.

     

    Thanks Steve, I don’t think we need our scheduled WebX now.



  • 4.  Re: No Client Certificate was present

    Posted Sep 27, 2018 08:48 AM

    Where do I find the Manage Certificates interface on Safari?



  • 5.  Re: No Client Certificate was present

    Posted Sep 27, 2018 10:31 AM

    Jake,

     

    When you say "Safari", I am assuming you are referring to using the web-based (aka thin-client) version of the Policy Manager, right? If so, then it'll be found at Manage > Certificates, Keys, and Secrets > Manage Certificates, per the documentation here: https://docops.ca.com/ca-api-gateway/9-3/en/security-configuration-in-policy-manager/tasks-menu-security-options/manage-certificates

     

    I hope the above helps you find how to get to the Manage Certificates section in Policy Manager, even if using the web-based version of it instead.