Layer7 API Management

  • 1.  Anyone have experience testing client auth with SOAPUI?

    Posted Jun 14, 2016 10:07 AM


    I'm trying to test a part of the OTK Toolkit that uses the standard 'Require SSL/TLS with Client Authentication'.  I can't seem to get SOAPUI to provide the client certificate.

     

    SOAPUI apparently doesn't pick up a certificate from the system it's running on, my Windows laptop in this case, and getting a cert there can be a challenge in itself.  Here is the configuration I have applied.

     

    I needed a certificate so rather than deal with all the command line complexity of openssl and such I used the API Gateway's 'Manage Private Keys' task to generate one (myuserid.mmm.com) for my user id, specifying it could be used to sign other certs.  As self signed is quite acceptable for my purpose I did not generate a CSR and send it to a CA.  I then exported this cert to a file, which the gateway does in PKCS12 format (myuserid.p12), exactly as I should need.  Note the only purpose for doing this with the gateway tasks was convenience. 

     

    I then used the 'Manage Certificates Task' to add this certificate to the gateway store (let's say as myuserid.mmm.com) and assigned it the 'Sign Client Certificates' attribute under options.  This should cause it to be included in the list, sent to a connecting client, of certificates the gateway is willing to accept in response to its client authentication request.  With that, the gateway should be adequately configured.

     

    I then took the PKCS12 file (myuserid.p12) and used Java 1.8's keytool utility to generate a certificate store file (myuserid.jks).

     

    keytool -importkeystore -deststorepass myuserpw -destkeypass myuserpw -destkeystore myuserid.jks -srckeystore myuserid.p12 -srcstoretype PKCS12 -srcstorepass myuserpw

     

    In SOAPUI I have a project with a request to https://gatewaynam.mmm.com:8443//oauth/tokenstore/get.  In SOAPUI, under File - Preferences - SSL Settings - KeyStore I specified the location of the myuserid.jks file and assigned the password.  In the 'Request Parameters' of the project I was now able to see myuserid.jks in the drop down of the 'SSL Keystore' property, and selected it.  When I start SOAPUI (version 5.2.1) it looks like the keystore initializes. 

     

    In the SOAPUI log I see "Tue Jun 14 08:31:14 CDT 2016:INFO:Initializing KeyStore".

     

    And when I submit the request it looks like it accesses it:

     

    Tue Jun 14 08:45:27 CDT 2016:INFO:Initializing Keystore from [X:\Software\Certificates and Signing Requests\3m\myuserid.jks]

    Tue Jun 14 08:45:27 CDT 2016:DEBUG:Attempt 1 to execute request

    Tue Jun 14 08:45:27 CDT 2016:DEBUG:Sending request: GET /oauth/tokenstore/get HTTP/1.1

    Tue Jun 14 08:45:27 CDT 2016:DEBUG:Receiving response: HTTP/1.1 403 Forbidden

     

    At the gateway we see the classic failure saying no client cert was provided.

     

    20160614 08:45:27.843 INFO 4113 No Client Certificate was present in the request.

     

    Does anyone have any idea what I have to do to get SOAPUI to send the client certificate?

     

     



  • 2.  Re: Anyone have experience testing client auth with SOAPUI?

    Posted Jun 14, 2016 03:50 PM

    I do know that it isn't always straightforward to use a client cert in SoapUI. The way we usually do it is to select the keystore in the WS-Security configuration of the project (double click your project, WS-Security Configurations tab, Keystore subtab), which makes it available to be used as an SSL Keystore in the request properties.

    But the message you are getting doesn't necessarily mean that SoapUI isn't properly configured. There are many other reasons why the gateway doesn't see your certificate. It can be a trust issue during the SSL handshake which causes SoapUI to choose not to send the cert because it's not signed by one of the trusted CAs advertised by the gateway, the gateway can reject the cert for some reason, or there can be other handshake or SSL issues. I would probably set the io.debugSSL cluster property to true (gateway restart required) and then inspect the ssg log to see if the client certificate comes in during the SSL handshake and what happens with it.



  • 3.  Re: Anyone have experience testing client auth with SOAPUI?

    Posted Jun 14, 2016 05:52 PM

    Thanks.  Good idea turning on  io.debugSSL.  Still hasn't resolved the problem, but with that at least I can see what's being sent to the client.  I was trying to capture that with Wireshark but it wasn't showing me any http information.  It used to, but it upgraded itself since I used it last and now it doesn't.

     

    So anyway, I can see the cert I'm trying to use is sent to the client.  (The names have been changed to protect the innocent.)

     

    1. CN=myuserid.mmm.com

    2. CN=*.cs21.my.salesforce.com, OU=Network, O="Salesforce.com, Inc", L=San Francisco, ST=California, C=US

     

    And the list goes on.  #1 above is the cert I used to create the keystore for SOAPUI, and for some reason it is not sending it back in response to the gateway's request for a client certificate.  Perhaps it has something to do with the signing; notice it is not signed by any CA.  I did try the same thing with the gateway's own certificate (which is signed), but it did the same thing.



  • 4.  Re: Anyone have experience testing client auth with SOAPUI?
    Best Answer

    Posted Jun 30, 2016 01:45 PM

    My good friend Stephen Hughes to the rescue!  I'm going to paraphrase some instructions from him here, because they guide you through the process.  In case anyone out there ever needs to do the same thing.

     

    1. From within the Policy Manager:
      Manage Private Keys, click create key (ensure that "CA capable" is checked).  For example I just created a private key called "soapca".
    2. Click create again.
      Same process, just a different name.  Create a private key named "soapclient".
    3. Highlight the "soapclient" private key and click properties on the right side.
    4. Click on Generate CSR button.
    5. Save the file to a local filesystem.
    6. From the Private Key window highlight your "soapca" key and click on Sign Cert. You are going to use this key to sign the client cert.
    7. Find the CSR you just created for the testclient. Select all the defaults and save the certificate to the filesystem.
    8. Again in 'Manage Private Keys', open the properties for the testclient and select replace certificate chain with the file you just saved from the signing process.
    9. Exit the Manage Private Key window and select the Manage Certificate option.
    10. Click Add.
    11. Select Import from Private Key Certificate Chain and pick the "soapca" private key.  This puts the signer in the gateway store.  For the certificate options select signing Client Certificates and for Configure Validation select "Trusted root".
    12. Again in 'Manage Private Keys' select the "soapclient" key, properties, "Export Key".  This will create a ".p12" file you will store to the file system.  It will ask for a password, you DON'T HAVE to use one, it can be left blank.  For serious business you'd want to use one, but for our test it was just more hassle.
    13. This should be all the certificate configuration you have to do from the gateway side to accept the cert you just created from the client.  To authenticate it you'll have to put it in a FIP.  More on that in a minute.


  • 5.  Re: Anyone have experience testing client auth with SOAPUI?

    Posted Jun 30, 2016 02:19 PM

    (Sorry, site crashed on me.)  Continuing on.

     

    Now you have to add the "soapclient" cert to SOAPUI.  At least in version 5.2.1 you do this through 'File', 'Preferences', 'SSL Settings', 'Keystore' field.  Use the browse button to find the "soapclient.p12" file.  Again, if you didn't use a password when you generated the file you won't need one now.  Make sure you check "requires client authentication" at the bottom of this screen.

     

    Check the gateway listener port you'll be addressing from SOAPUI.  It MUST have the "SSL/TLS Settings" tab, "Client Authentication" option set to either "Optional" or "Required".  Do this!  Ours got changed somehow and I made a fool of myself trying to get it to work with it set to "None".

     

    That should be all you have to do to avoid the "No Client Certificate was present in the request." error.  Submit a request from SOAPUI to your published service containing the "Require SSL/TLS Transport with Client Authentication" assertion.  If you have the OAuth Toolkit installed, sending an HTTP GET to '/oauth/tokenstore/get' works well for this test.

     

    Depending on what you're doing, chances are, your service will still fail because it won't be able to authenticate the client cert.  Typically, this is done by putting the cert in a FIP.  Management of a FIP and using it for client auth is documented elsewhere, but again the instructions for installing the OAuth Toolkit provide a good example, under the "Configure Authentication" section.  Configure Authentication - CA API Management OAuth Toolkit - 3.3 - CA Technologies Documentation

     

    The process is essentially the same for any client auth.  You create a FIP and add the client's certificate ("soapclient" in this example) to it.
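Added example, not from the thread or from CA's documentation: the same soapca / soapclient chain from posts 4 and 5, built with openssl instead of the Policy Manager dialogs, so the trust relationship (client cert signed by a CA the gateway trusts and advertises) can be checked on the command line before SOAPUI is involved. The key names are the thread's; openssl 1.1.1 or newer on PATH and a scratch directory $WORK are assumptions.

```shell
# Added example (not from the thread): the soapca -> soapclient -> .p12 chain of
# posts 4 and 5 built with openssl instead of the Policy Manager dialogs.
# Assumed: openssl 1.1.1+ on PATH; files go to a scratch directory $WORK.
set -e
WORK="${WORK:-$(mktemp -d)}"
# Steps 1-12 of the thread in openssl form; exits non-zero on any failure.
build_client_chain() {
  # Own req config so the distro openssl.cnf cannot add or clash with extensions.
  cat > "$WORK/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = soapca
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Step 1: CA-capable key and cert "soapca" (CA:TRUE is what "CA capable" means).
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/soapca.key" -out "$WORK/soapca.crt" 2>/dev/null
  # Steps 2-5: second key "soapclient" plus a CSR for it (-subj overrides [dn]).
  openssl req -new -config "$WORK/req.cnf" -subj "/CN=soapclient" -newkey rsa:2048 \
    -nodes -keyout "$WORK/soapclient.key" -out "$WORK/soapclient.csr" 2>/dev/null
  # Steps 6-8: sign the CSR with soapca; the result is the client's cert chain.
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$WORK/client.ext"
  openssl x509 -req -days 365 -in "$WORK/soapclient.csr" -CA "$WORK/soapca.crt" \
    -CAkey "$WORK/soapca.key" -CAcreateserial -extfile "$WORK/client.ext" \
    -out "$WORK/soapclient.crt" 2>/dev/null
  # Step 12: key + cert + issuer as PKCS#12; "-passout pass:" is the empty export
  # password the thread used for its test.
  openssl pkcs12 -export -name soapclient -passout pass: -inkey "$WORK/soapclient.key" \
    -in "$WORK/soapclient.crt" -certfile "$WORK/soapca.crt" -out "$WORK/soapclient.p12"
}

# What a "Trusted root" entry (step 11) lets the gateway check: does the client
# cert chain to soapca?  Prints "ok" or "fail".
verify_chain() {
  if openssl verify -CAfile "$WORK/soapca.crt" "$WORK/soapclient.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# Issuer DN of the client cert.  Unless it matches a CA name the gateway advertises
# (the list post 3 saw with io.debugSSL) the client sends no cert at all.
client_issuer() {
  openssl x509 -in "$WORK/soapclient.crt" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//'
}
build_client_chain && echo "chain: $(verify_chain)  issuer: $(client_issuer)  p12: $WORK/soapclient.p12"
```

The resulting soapclient.p12 is the file post 5 loads into SOAPUI's SSL Settings, or the input to the keytool -importkeystore command from the first post if a .jks is wanted instead.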