Layer7 API Management

Expand all | Collapse all

Call restman service without client certificate

Jump to Best Answer
  • 1.  Call restman service without client certificate

    Posted 11-15-2016 04:13 AM

    Hi 

     

    I try to call the internal restman service of the Gateway without client certificate, but with SSL and basic authentication.

     

    This does not work since the client actually has a certificate available and sends it. Therefore the restman policy seems to ignore the basic authentication and, as a consequence, fails on the step "Authenticate request against internal identity provider".

     

    When I just change the order of the SSL options (see Screenshot with diff view) in the restman policy it works because the basic authentication is taken into account and the authentication is successful. But now, perhaps the certificate way works no more (haven't tried it). 

     

     

    Is there another way to make this work without modify the restman policy? Can I force the client to not send the client certificate?

     

    Thanks 

    Stephan



  • 2.  Re: Call restman service without client certificate

    Broadcom Employee
    Posted 11-15-2016 08:43 AM

    Hi stephan.burkard,

     

    How are you accessing the Restman service? i.e: browser, SOAPUI, etc. The server will request a client cert and typically provide you the option of selecting one.

     

    It seems like your user-agent may be remembering a previous choice to use the certificate. I tested in Firefox and the initial request is prompted to select my client cert, if I cancel this it will then move to the next branch and prompt for basic auth. 

     

    However if I selected to use a certificate, some browsers default to remembering this selection and will use it in subsequent requests which results in the failure authenticating against the IIP. You can try clearing the cache and/or using private browsing. 

     

     

    Regards,

    Joe



  • 3.  Re: Call restman service without client certificate

    Posted 11-15-2016 10:35 AM

    Hi dasjo02

     

    Thanks for your answer. And yeah, you're right. When I call the original restman policy with Chrome, I get the certificate choice, I can then cancel and then I get the basic auth window. When I enter the credentials it works. 

     

    However, my client is not a browser but actually a Layer7 gateway. I am calling the restman service of a gateway from another gateway (HTTP Routing Assertion).

     

    The gateway that acts as client sends the certificate with the request (just because it is able to do so) and therefore the basic auth is ignored. Therefore I asked if it is possible to force the client to not send a certificate (HTTP header or something similar). 

     

    Regards

    Stephan



  • 4.  Re: Call restman service without client certificate
    Best Answer

    Broadcom Employee
    Posted 11-15-2016 11:01 AM

    Stephan,

     

    To ensure that a client certificate is not transmitted, Right click on the HTTP Routing assertion and click on Select Private Key and change the radio button to Use no private key or connect to a port on the gateway not set to optional or required for Client Authentication (Example 9443).

     

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support



  • 5.  Re: Call restman service without client certificate

    Posted 11-15-2016 11:09 AM

    Hi Stephen

     

    Grrrrrrrrrrrrrrrrreat, thank you very much!!! Works perfect.

     

    I absolutely never, ever noticed that setting in its own dialog. 

     

    Regards

    Stephan



  • 6.  Re: Call restman service without client certificate

    Broadcom Employee
    Posted 11-15-2016 12:05 PM

    Stephan,

     

    Glad that it worked for you. Have a great evening.

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support