Mutual SSL between CA API Developer Portal and CA API Gateway

Document ID : KB000093486
Last Modified Date : 03/05/2018
Issue:
I am trying to set up mutual SSL communication between the Portal and the Gateway. I have done all the necessary things that are suggested in the documentation. However, I couldn't achieve what I want. For some reason, Portal service calls from the API Portal to the Gateway are going with Basic auth rather than certificate-based.

The ssg log shows:

  • 2018-04-25T06:20:08.398+0100 INFO 838 com.l7tech.server.policy.assertion.ServerSslAssertion: 4113: No Client Certificate was present in the request

However, what we expect is:

  • 2018-04-30T10:49:33.749+0100 INFO 3346 com.l7tech.server.policy.assertion.ServerSslAssertion: 4114: Found client certificate for CN=xxxx-yyyy.domain.com(portal_hostname)

Also, in the audits you will see Auth Method: HTTP Basic in comparison to HTTPS Client Cert.

Environment:
Portal 3.5
Gateway 9.2
Cause:
For SSL authentication to function properly between the Portal and the Gateway, the protocols TLS 1.1 and TLS 1.2 cannot be enabled on the Gateway for the port being used.

We recommend that you create another 'Listen Port' purely for the Portal to use, one which does not have TLS 1.1 or TLS 1.2 enabled and which requires client authentication.
Resolution:
Log in to the Policy Manager using a port other than the one being changed. To log in, use <hostname>:<port>

1. Edit the port which is used for Portal-to-Gateway communication to disable TLS 1.1 and TLS 1.2
or
2. Create another port for the Portal to use which does not have TLS 1.1 and TLS 1.2 enabled.
For that:

a) Clone the port which you were using before (example 8443). This can be done from Tasks --> Manage Listen Ports --> 8443 --> Clone
b) Select the new port's properties.
c) Disable TLS 1.1/1.2 under SSL/TLS Settings.
d) Set Client Authentication to Required.
e) Save

SSH to the Portal server:

a) Open lrsgateway-conf.xml at
/opt/Deployments/lrs/server/webapps/ROOT/plugins

b) Change the GATEWAY_HOST property to point at the new port:

<Property name="GATEWAY_HOST">https://<gateway_host>:<to new port></Property>

c) Restart the Portal service: service apiportal restart
https://docops.ca.com/ca-api-developer-portal/3-5/en/set-up-the-api-portal/apiportal-service

Log in to the Policy Manager and check the portalman service in the ssg logs or the audit events.
The logs should show:
4114: Found client certificate for CN=<portal_hostname>
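The two checks above (the GATEWAY_HOST port in lrsgateway-conf.xml, and the 4113/4114 ServerSslAssertion lines in the ssg log) can be scripted so they are repeatable after each change. The following is an added example, not part of the KB article or of CA's product code. It assumes a POSIX shell with sed and grep; the conf file and log lines it reads are constructed samples written to a temporary directory, and the ssg log path /opt/SecureSpan/Gateway/node/default/var/logs/ssg_0_0.log mentioned in the comments is an assumption about a default install.

```shell
#!/bin/sh
# Added example (not from the CA KB article): offline checks for the two
# things the resolution above asks you to verify by hand.
#
#   gateway_host_port FILE  -> prints the port number from the GATEWAY_HOST
#                              property in lrsgateway-conf.xml, so you can confirm
#                              the Portal points at the client-auth listen port
#                              before running "service apiportal restart".
#   classify_ssl_log FILE   -> prints "no-client-cert=N found-client-cert=M",
#                              counting ServerSslAssertion codes 4113 and 4114.
#
# On a real Gateway the log is assumed to live at
# /opt/SecureSpan/Gateway/node/default/var/logs/ssg_0_0.log (assumption).

gateway_host_port() {
    # Match https://<host>:<port> inside the GATEWAY_HOST property and print <port>.
    sed -n 's|.*<Property name="GATEWAY_HOST">https://[^:<]*:\([0-9]*\)</Property>.*|\1|p' "$1"
}

classify_ssl_log() {
    # grep -c exits 1 when the count is 0, so guard it for use under "set -e".
    none=$(grep -c 'ServerSslAssertion: 4113:' "$1" || :)
    found=$(grep -c 'ServerSslAssertion: 4114:' "$1" || :)
    printf 'no-client-cert=%s found-client-cert=%s\n' "$none" "$found"
}

# --- Constructed sample inputs (not real Portal/Gateway files) ---------------
demo_dir=$(mktemp -d)

cat > "$demo_dir/lrsgateway-conf.xml" <<'EOF'
<Properties>
  <Property name="GATEWAY_HOST">https://gateway.example.com:9443</Property>
</Properties>
EOF

cat > "$demo_dir/ssg_0_0.log" <<'EOF'
2018-04-25T06:20:08.398+0100 INFO 838 com.l7tech.server.policy.assertion.ServerSslAssertion: 4113: No Client Certificate was present in the request
2018-04-30T10:49:33.749+0100 INFO 3346 com.l7tech.server.policy.assertion.ServerSslAssertion: 4114: Found client certificate for CN=portal.example.com
2018-04-30T10:49:35.012+0100 INFO 3346 com.l7tech.server.policy.assertion.ServerSslAssertion: 4114: Found client certificate for CN=portal.example.com
EOF

# Run both checks against the samples. A healthy setup after the change should
# show GATEWAY_HOST on the new client-auth port and only 4114 lines for portalman.
printf 'GATEWAY_HOST port: %s\n' "$(gateway_host_port "$demo_dir/lrsgateway-conf.xml")"
classify_ssl_log "$demo_dir/ssg_0_0.log"
```

Point gateway_host_port at the real lrsgateway-conf.xml before restarting apiportal, and run classify_ssl_log against the Gateway's ssg log after the Portal has made a few calls; any remaining 4113 count means some Portal traffic is still reaching a port that is not the new client-authentication listen port.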

Log in to http://<portal_hostname>/admin?action=PLUGIN-lrsgateway and run:
Sync API Plans
Sync Account Plans