Thanks to all for your answers!!
We can consider the calls trusted between mobile client --> api gw --> end point web application (which in this scenario will validate the certificate)
@Chris, yes, right flow. Now I implemented a REST API /ctpush that, after some client checks, catches the header and base-encodes its value.
I have inserted a simple string inside the header with the SoapUI client (the request) and it works, responding with the encoded string as shown in the image.
Response
The SoapUI client "wears the clothes" of the mobile client in the flow.
The web application endpoint API is still missing, but I would try to test whether the certificate is correctly sent back.
Now I'm trying to add a header in SoapUI with a certificate file (instead of a string), but it seems it is not possible.
I'm searching for how to pass an X509Certificate object in a valid header... I don't know how, and I hope this makes sense.
@Philippe Brand: I really appreciate your help.
@Zhijun He: It seems that the web application backend would validate the certificate coming from mobile clients.
Fabio
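As an added example (not from the thread or from the CA API Gateway product), this shows one way to carry an X509Certificate in a header and validate it at the web application: the certificate's DER bytes are base64-encoded into a single-line header value, and the backend decodes, parses and chains it against a pool of trusted certificates. It assumes base64 is the encoding used at /ctpush, and the certificates are constructed self-signed test certificates, so the pool also illustrates Zhijun's point that each mobile client cert you forward has to be in the backend's trust store.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// DecodeAndVerify is the web-application side: base64-decode the header value,
// parse the DER and check the certificate chains to a trusted root. Returns the CN.
func DecodeAndVerify(headerValue string, roots *x509.CertPool) (string, error) {
	der, err := base64.StdEncoding.DecodeString(headerValue)
	if err != nil {
		return "", fmt.Errorf("header is not base64: %w", err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", fmt.Errorf("header is not a DER certificate: %w", err)
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	return cert.Subject.CommonName, nil
}

// NewSelfSigned builds a constructed, short-lived self-signed client certificate for the demo.
func NewSelfSigned(cn string) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	trusted, roots := NewSelfSigned("mobile-client-1"), x509.NewCertPool()
	roots.AddCert(trusted) // the backend must hold every mobile client cert it accepts
	// The X509Certificate travels as its DER bytes, base64-encoded on one line.
	hdr := base64.StdEncoding.EncodeToString(trusted.Raw)
	fmt.Println(DecodeAndVerify(hdr, roots))
}
```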
Original Message:
Sent: 07-23-2019 07:25 PM
From: Zhijun He
Subject: Client Certificate To Backend Web App Validation
The reason to use the client cert from the gateway is that the backend web application only needs to trust one client cert. If you forward the client cert of the mobile client, the web application needs to trust each one of them, which is not really practical unless you only allow a limited number of mobile clients.
Original Message:
Sent: 07-23-2019 07:20 PM
From: Zhijun He
Subject: Client Certificate To Backend Web App Validation
If the backend web application doesn't care about the mobile client, you don't have to forward the client cert; just let the web application trust the client cert of the gateway default private key. (By default, the Route via HTTP(S) assertion uses the gateway default private key to send the client cert.)
Original Message:
Sent: 07-23-2019 03:58 AM
From: Fabio Dania
Subject: Client Certificate To Backend Web App Validation
Hi All
We have a CA API Gateway 9.2 between the mobile client and the Web Application endpoint.
Is it possible to create, with Policy Manager, an assertion that only forwards the client certificate (which identifies the mobile client) to the Web Application endpoint for its validation?
Mutual authentication between the mobile device and the API gateway is not necessary.
Thanks in advance
Fabio