Layer7 API Management


OTK Require SSL problem

  • 1.  OTK Require SSL problem

    Posted 10-18-2018 08:55 AM

    Hi,

    Using API Gateway 9.3CR02 with OTK 3.6 and MAG 3.2

     

    Policy/Encapsulated Assertion: OTK Require SSL (with Client Certificate)

     

    We have developed an encap that deals, on the DMZ API Gateway, with multi-factor authorization/authentication.

    The underlying policy checks for a client certificate as the xth authentication factor using "Require SSL/TLS with Client Certificate".

    If the remote application is of "mobile" type, it also checks for "MSSO Require Registered Device" and "OTK Require OAuth 2.0 Token".

    The problem is that the call to "MSSO..." in turn calls "OTK Require SSL", which includes a "Require SSL/TLS with Client Certificate". This is where our problem originates.

    This second call to "Require SSL/TLS with Client Certificate" sets "request.ssl.clientCertificate" to NULL but does pass, as if nothing were wrong.

    Fix: check whether "request.ssl.clientCertificate" is already filled in, in which case we can skip the "Require SSL or TLS" assertion.

    Is this the correct behavior of "Require SSL or TLS"?
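    The chain described in this post, as an added model written for this thread (not Gateway, OTK or MAG code): an outer policy runs the client-certificate transport assertion, then a nested encapsulated assertion runs it again. The stand-in assertion reproduces the symptom as the post reports it (second run passes but leaves `request.ssl.clientCertificate` empty); that behaviour is an assumption for the demo, not taken from Gateway source. `guarded_require_ssl` is the workaround from the post, and `authorize` adds the check a practitioner would want regardless: never treat a passed transport assertion as proof the certificate variable is usable.

```python
"""Model of the policy chain from the post. Added example, not Gateway/OTK code.
The transport assertion stand-in reproduces the reported symptom (second run
passes but clears the variable); that behaviour is assumed, not taken from
Gateway source. Sample certificate subjects and allow-list are constructed."""

from dataclasses import dataclass, field
from typing import Optional, Tuple

CERT_VAR = "request.ssl.clientCertificate"


@dataclass
class Context:
    """Simplified policy context: TLS facts plus context variables."""
    tls: bool
    handshake_cert: Optional[str]  # constructed: subject of the cert from the handshake
    vars: dict = field(default_factory=dict)
    ssl_runs: int = 0


def require_ssl_with_client_cert(ctx: Context) -> bool:
    """Stand-in for 'Require SSL/TLS with Client Certificate', behaving as the
    post describes: the first run populates CERT_VAR, a repeat run in the same
    request returns True but leaves CERT_VAR empty. Assumption for the demo."""
    if not ctx.tls or ctx.handshake_cert is None:
        return False
    ctx.ssl_runs += 1
    ctx.vars[CERT_VAR] = ctx.handshake_cert if ctx.ssl_runs == 1 else None
    return True


def guarded_require_ssl(ctx: Context) -> bool:
    """The workaround from the post: only run the transport assertion when
    CERT_VAR is not already populated, so a nested call cannot clobber it."""
    if ctx.vars.get(CERT_VAR) is not None:
        return True
    return require_ssl_with_client_cert(ctx)


def nested_encap(ctx: Context, check) -> bool:
    """Hypothetical nested encap standing in for 'MSSO...' -> 'OTK Require SSL'."""
    return check(ctx)


def outer_policy(ctx: Context, guarded: bool) -> Tuple[bool, Optional[str]]:
    """Outer DMZ policy: certificate factor, then the mobile branch with its
    nested SSL check. Returns (policy_passed, cert_available_afterwards)."""
    check = guarded_require_ssl if guarded else require_ssl_with_client_cert
    if not check(ctx):
        return False, None
    if not nested_encap(ctx, check):
        return False, None
    return True, ctx.vars.get(CERT_VAR)


def authorize(ctx: Context, allowed_subjects) -> bool:
    """Fail closed: a passed transport assertion is not proof that the cert
    variable is usable. Require a non-empty value and match it explicitly."""
    cert = ctx.vars.get(CERT_VAR)
    return cert is not None and cert in allowed_subjects


def demo() -> dict:
    """Run the chain unguarded and guarded; returns {guarded: (passed, cert, authorized)}."""
    allowed = {"CN=device-0001"}  # constructed allow-list
    results = {}
    for guarded in (False, True):
        ctx = Context(tls=True, handshake_cert="CN=device-0001")
        passed, cert = outer_policy(ctx, guarded)
        results[guarded] = (passed, cert, authorize(ctx, allowed))
    return results


if __name__ == "__main__":
    for guarded, (passed, cert, authz) in demo().items():
        print(f"guarded={guarded}: passed={passed} cert={cert!r} authorized={authz}")
```

    The unguarded run passes both assertions yet ends with no certificate in the variable, which is exactly why a downstream identity mapping that trusts the assertion result alone would silently lose the factor; the `authorize` check denies in that case, and the guarded run keeps the certificate available.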



  • 2.  Re: OTK Require SSL problem

    Posted 10-19-2018 05:52 PM

    It depends how that assertion is configured, but it may be the correct behaviour - yes. I'd recommend reviewing the documentation here and then let us know how your assertion is configured so that we can try to assess if it's valid behaviour or not: Require SSL or TLS Transport With Client Authentication Assertion - CA API Gateway - 9.3 - CA Technologies Documentation 



  • 3.  Re: OTK Require SSL problem

    Posted 10-20-2018 03:50 AM

    Both assertions in our policy obviously have "Require Client Certificate Authentication" checked, as in our main loop we parse the authentication factor types (ip, basic, ldap, cert, self-signed-cert, oauth, ...).

    What is really puzzling is that the second call to the assertion returns "true" while nullifying the request.ssl.clientCertificate variable.