The gateway supports client cert authentication and doesn't need anything else, but we need to set up a few things:
1. The client should have a private key for client cert authentication; otherwise we can create a new private key on Policy Manager and send it to the client.
2. The paired certificate needs to be imported into the gateway under Manage Certificates and associated with a user (assuming the user is in the Internal Identity Provider):
- on Manage Certificates, import the certificate
- create an internal user with a username the same as the CN of the certificate
- open the properties screen of the user and import the certificate
3. Configure the listen port for "Optional" or "Required" client authentication:
Task -> Manage Listen Ports -> double-click the port for the HTTPS connection, click the "SSL/TLS Settings" tab -> ensure "Client Authentication" is "Optional" or "Required"
(By default port 9443 is set to "None" for client authentication, so it cannot be used for client authentication.)
4. The API policy should contain the following assertions for client certificate authentication:
1) Require SSL or TLS Transport with Client Certificate Authentication
2) Request: Authenticate User: <internal user name> from [Internal Identity Provider]
There should be another way using a Federated Identity Provider: we don't need to create a user, but import the cert into the FIP and authenticate against the FIP. But I haven't had a chance to test/implement this solution yet.
Regards,
Mark
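As an added illustration (not part of Mark's reply and not the gateway's own code), the Go program below uses the standard crypto/tls package to stand in for the listen port: the imported client certificate is the only trust anchor, and the CN of the presented certificate is what step 2 maps to the internal user name. tls.NoClientCert, tls.VerifyClientCertIfGiven and tls.RequireAndVerifyClientCert correspond to "None", "Optional" and "Required"; the certificates, the names gateway/api-client and the functions selfSigned/AuthenticatedCN are constructed for this example only.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"io"
	"math/big"
	"net"
	"time"
)

// selfSigned builds an in-memory self-signed cert for cn plus a pool trusting only it (constructed test data).
func selfSigned(cn string) (tls.Certificate, *x509.CertPool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, pool
}

// AuthenticatedCN runs one handshake over an in-memory pipe and returns the client-cert CN the
// gateway side would look up as the internal user; imported=false simulates a never-imported cert.
func AuthenticatedCN(mode tls.ClientAuthType, imported bool) (string, error) {
	serverCert, serverPool := selfSigned("gateway")
	clientCert, clientPool := selfSigned("api-client")
	if !imported { // the trust store (Manage Certificates) only holds some other client's cert
		_, clientPool = selfSigned("other-client")
	}
	srvConn, cliConn := net.Pipe()
	defer srvConn.Close() // also unblocks the client goroutine
	srv := tls.Server(srvConn, &tls.Config{Certificates: []tls.Certificate{serverCert},
		ClientAuth: mode, ClientCAs: clientPool, SessionTicketsDisabled: true})
	cli := tls.Client(cliConn, &tls.Config{Certificates: []tls.Certificate{clientCert},
		RootCAs: serverPool, ServerName: "gateway"})
	go func() { cli.Handshake(); io.Copy(io.Discard, cli) }() // drive and drain the client side
	if err := srv.Handshake(); err != nil {
		return "", err // e.g. "Required" while the client's certificate was never imported
	}
	if peers := srv.ConnectionState().PeerCertificates; len(peers) > 0 {
		return peers[0].Subject.CommonName, nil
	}
	return "", errors.New("no client certificate presented") // what "None" (the 9443 default) yields
}
```

Calling AuthenticatedCN(tls.NoClientCert, true) returns an error rather than a user, which is the behaviour behind the note about port 9443; with "Optional" or "Required" and the imported certificate it returns "api-client".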
Original Message:
Sent: 12-04-2020 08:57 AM
From: Sanjeev Yadav
Subject: How to implement mutual authentication between Client application & CA Gateway instead of OAuth
How to implement mutual authentication between Client application & CA Gateway instead of OAuth?
Please provide in detail: 1) what I have to implement on the CA API Gateway side, 2) from the client application, what details are required.
Kindly give me the details.
Regards,
Sanjeev