"No Client Certificate was present" Error When Using Mutual SSL between CA API Developer Portal and CA API Gateway

Document ID : KB000093486
Last Modified Date : 01/06/2018
Issue:
  • I am trying to set up Mutual SSL communication between the Portal and the Gateway. I have done all the necessary things that are suggested in the documentation. However, I couldn't achieve what I want. For some reason, the Portal service calls from the API Portal to the Gateway are going with Basic authentication rather than certificate-based authentication.
  • The SSG log shows the following: 2018-04-25T06:20:08.398+0100 INFO 838 com.l7tech.server.policy.assertion.ServerSslAssertion: 4113: No Client Certificate was present in the request
  • However, what we expect is the following: 2018-04-30T10:49:33.749+0100 INFO 3346 com.l7tech.server.policy.assertion.ServerSslAssertion: 4114: Found client certificate for CN=xxxx-yyyy.domain.com(portal_hostname)
  • Additionally, in the audits I see it using "HTTP Basic" authentication rather than "HTTPS Client Certificate"
Environment:
  • Portal 3.5 & Gateway 9.x
Cause:
  • For SSL client-certificate authentication to function between the Portal and the Gateway, TLS 1.1 and TLS 1.2 cannot be enabled on the Gateway listen port being used. With them enabled, the Portal's connection never presents its certificate, the SSL assertion logs 4113, and the policy falls back to HTTP Basic.
Resolution:
  • We recommend that you create another 'Listen Port' purely for the Portal to use, which does not have TLS 1.1 or 1.2 enabled and requires client authentication. Because that port will only negotiate older protocol versions, keep it dedicated to Portal-to-Gateway traffic and leave the existing port, with TLS 1.1/1.2 enabled, for all other clients.
  1. Log in to Policy Manager on a port other than the one being changed. To do so, enter <hostname>:<port> in the Policy Manager Connection window.
  2. Either edit the port used for Portal-to-Gateway communication to disable TLS 1.1 and TLS 1.2, or...
  3. Create another port for the Portal to use that does not have TLS 1.1 or 1.2 enabled:
    1. Clone the port you were using before (for example 8443). This can be done from Tasks --> Manage Listen Ports --> 8443 --> Clone.
    2. Open the properties of the new port.
    3. Disable TLS 1.1 and TLS 1.2 under SSL/TLS Settings.
    4. Set Client Authentication to Required.
    5. Save.
  4. SSH to the Portal server:
    1. Edit lrsgateway-conf.xml at /opt/Deployments/lrs/server/webapps/ROOT/plugins
    2. Change <Property name="GATEWAY_HOST">https://<gateway_host>:<port></Property> so that it carries the new port number.
    3. Run the following command: service apiportal restart
  5. Log in to Policy Manager and check the portalman service in the SSG logs or Audit events.
  6. The logs should show the following: 4114: Found client certificate for CN=<portal_hostname>
  7. Log in to http://<portal_hostname>/admin?action=PLUGIN-lrsgateway and click the following buttons:
    1. Sync API Plans
    2. Sync Account Plans
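The following POSIX shell helpers are an added example, not part of this KB article or of the CA product code. They cover the two hands-on parts of the procedure above: rewriting the port inside the GATEWAY_HOST property of lrsgateway-conf.xml (assuming the exact element format quoted in step 4) and scanning SSG log lines for the 4113 / 4114 ServerSslAssertion codes quoted in the Issue section. The config file and log lines embedded below are constructed sample data with placeholder host names; the optional openssl check at the end needs network access and is not run by default.

```shell
#!/bin/sh
# Added example (not from the KB article). Helpers for the Portal/Gateway
# mutual-SSL fix: update GATEWAY_HOST in a copy of lrsgateway-conf.xml and
# classify SSG log lines by ServerSslAssertion code
# (4113 = no client certificate, 4114 = client certificate found).
# All sample files below are constructed; host names are placeholders.

# Rewrite the port in GATEWAY_HOST. $1 = config file, $2 = new port number.
# Writes a temp file then moves it so it works with any POSIX sed (no -i).
set_gateway_port() {
    conf=$1; port=$2
    sed "s#\(<Property name=\"GATEWAY_HOST\">https://[^:<]*:\)[0-9]*\(</Property>\)#\1${port}\2#" \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Print the current GATEWAY_HOST value from the config file.
get_gateway_host() {
    sed -n 's#.*<Property name="GATEWAY_HOST">\([^<]*\)</Property>.*#\1#p' "$1"
}

# Classify one SSG log line: prints cert, nocert or other.
classify_ssl_log_line() {
    case "$1" in
        *"ServerSslAssertion: 4114: Found client certificate"*)          echo cert ;;
        *"ServerSslAssertion: 4113: No Client Certificate was present"*) echo nocert ;;
        *)                                                               echo other ;;
    esac
}

# Count 4113 and 4114 events in a log file; prints "nocert=N cert=M".
# Any 4113 logged after the restart means the Portal is still using the old
# port or is not presenting its certificate.
summarize_ssl_log() {
    nocert=0; cert=0
    while IFS= read -r line; do
        case "$(classify_ssl_log_line "$line")" in
            cert)   cert=$((cert + 1)) ;;
            nocert) nocert=$((nocert + 1)) ;;
        esac
    done < "$1"
    echo "nocert=$nocert cert=$cert"
}

# Optional live check (needs network; not run here). After the change, the
# Portal-only port should refuse a TLS 1.2 handshake. $1 = host:port.
check_tls12_refused() {
    if openssl s_client -connect "$1" -tls1_2 </dev/null 2>/dev/null \
        | grep -q 'Protocol *: TLSv1.2'; then
        echo "TLS 1.2 still accepted on $1"; return 1
    fi
    echo "TLS 1.2 refused on $1"
}

# --- constructed sample data for the demo ---
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/lrsgateway-conf.xml" <<'EOF'
<Properties>
  <Property name="GATEWAY_HOST">https://gateway.example.com:8443</Property>
</Properties>
EOF
cat > "$SAMPLE_DIR/ssg.log" <<'EOF'
2018-04-25T06:20:08.398+0100 INFO 838 com.l7tech.server.policy.assertion.ServerSslAssertion: 4113: No Client Certificate was present in the request
2018-04-25T06:20:09.001+0100 INFO 838 com.l7tech.server.policy.assertion.ServerHttpRoutingAssertion: Routing to portal (constructed filler line)
2018-04-30T10:49:33.749+0100 INFO 3346 com.l7tech.server.policy.assertion.ServerSslAssertion: 4114: Found client certificate for CN=portal.example.com
2018-04-30T10:49:34.112+0100 INFO 3346 com.l7tech.server.policy.assertion.ServerSslAssertion: 4114: Found client certificate for CN=portal.example.com
EOF

# Demo: point the sample config at a new Portal-only port 9443, then scan the log.
set_gateway_port "$SAMPLE_DIR/lrsgateway-conf.xml" 9443
echo "GATEWAY_HOST now: $(get_gateway_host "$SAMPLE_DIR/lrsgateway-conf.xml")"
echo "SSG log summary:  $(summarize_ssl_log "$SAMPLE_DIR/ssg.log")"
```

On a real Portal host, run set_gateway_port against /opt/Deployments/lrs/server/webapps/ROOT/plugins/lrsgateway-conf.xml before the service apiportal restart in step 4, and run summarize_ssl_log against the SSG log after the restart; a result of nocert=0 with cert greater than 0 for the portalman traffic is the outcome step 6 describes.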
Additional Information: