Using API Gateway 9.3CR02 with OTK 3.6 and MAG 3.2
Policy/Encapsulated Assertion: OTK Require SSL (with Client Certificate)
We have developed an encap that deals on the DMZ API Gateway with multi-factor authorization/authentication.
The underlying policy does check for a client certificate as the xth authentication factor using "Require SSL/TLS with Client Certificate".
If the remote application is of "mobile" type, it also checks for "MSSO Require Registered Device" and "OTK Require OAuth 2.0 Token".
The problem is that the call to "MSSO..." in turn calls "OTK Require SSL", which includes a "Require SSL/TLS with Client Certificate". This is where our problem originates.
This second call to "Require SSL/TLS with Client Certificate" will set "request.ssl.clientCertificate" to NULL but will indeed pass as if nothing was wrong.
Fix: check whether "request.ssl.clientCertificate" is already filled in, in which case we can skip the "Require SSL or TLS" assertion.
Is this the correct behavior of "Require SSL or TLS"?
It depends on how that assertion is configured, but it may be the correct behaviour - yes. I'd recommend reviewing the documentation here and then letting us know how your assertion is configured so that we can try to assess whether it's valid behaviour or not: Require SSL or TLS Transport With Client Authentication Assertion - CA API Gateway - 9.3 - CA Technologies Documentation
Both assertions in our policy obviously have "Require Client Certificate Authentication" checked, as in our main loop we parse the authentication factor types (ip, basic, ldap, cert, self-signed-cert, oauth, ...).
What is really puzzling is that the second call to the assertion returns "true" while nullifying the request.ssl.clientCertificate variable.