I try to call the internal restman service of the Gateway without a client certificate, but with SSL and basic authentication.
This does not work since the client actually has a certificate available and sends it. Therefore the restman policy seems to ignore the basic authentication and, as a consequence, fails on the step "Authenticate request against internal identity provider".
When I just change the order of the SSL options (see Screenshot with diff view) in the restman policy, it works because the basic authentication is taken into account and the authentication is successful. But now, perhaps the certificate way no longer works (haven't tried it).
Is there another way to make this work without modifying the restman policy? Can I force the client to not send the client certificate?
How are you accessing the Restman service? i.e: browser, SOAPUI, etc. The server will request a client cert and typically provide you the option of selecting one.
It seems like your user-agent may be remembering a previous choice to use the certificate. I tested in Firefox and the initial request is prompted to select my client cert; if I cancel this, it will then move to the next branch and prompt for basic auth.
However, if I selected to use a certificate, some browsers default to remembering this selection and will use it in subsequent requests, which results in the failure authenticating against the IIP. You can try clearing the cache and/or using private browsing.
Thanks for your answer. And yeah, you're right. When I call the original restman policy with Chrome, I get the certificate choice, I can then cancel and then I get the basic auth window. When I enter the credentials it works.
However, my client is not a browser but actually a Layer7 gateway. I am calling the restman service of a gateway from another gateway (HTTP Routing Assertion).
The gateway that acts as client sends the certificate with the request (just because it is able to do so) and therefore the basic auth is ignored. Therefore I asked if it is possible to force the client to not send a certificate (HTTP header or something similar).
To ensure that a client certificate is not transmitted, right-click on the HTTP Routing assertion, click on Select Private Key and change the radio button to Use no private key, or connect to a port on the gateway not set to optional or required for Client Authentication (Example 9443).
Director, CA Support
Grrrrrrrrrrrrrrrrreat, thank you very much!!! Works perfect.
I absolutely never, ever noticed that setting in its own dialog.
Glad that it worked for you. Have a great evening.