- I am trying to set up mutual SSL communication between the Portal and the Gateway. I have done all the necessary things that are suggested in the documentation. However, I couldn't achieve what I want. For some reason, the Portal service calls from the API Portal to the Gateway are going with Basic authentication rather than certificate-based authentication.
- The SSG log shows the following: 2018-04-25T06:20:08.398+0100 INFO 838 com.l7tech.server.policy.assertion.ServerSslAssertion: 4113: No Client Certificate was present in the request
- However, what we expect is the following: 2018-04-30T10:49:33.749+0100 INFO 3346 com.l7tech.server.policy.assertion.ServerSslAssertion: 4114: Found client certificate for CN=xxxx-yyyy.domain.com(portal_hostname)
- Additionally, in the audits I see it using "HTTP Basic" authentication rather than "HTTPS Client Certificate".
- For certificate-based (mutual SSL) authentication between the Portal and the Gateway to work, TLS 1.1 and TLS 1.2 must not be enabled on the Gateway listen port that the Portal connects to. If they are enabled, the Portal's connection is not authenticated with its client certificate and the Gateway falls back to HTTP Basic, which is what the 4113 log line and the "HTTP Basic" audit entry above show.
- We recommend that you leave the existing port alone and instead create a second Listen Port purely for the Portal to use, with TLS 1.1 and TLS 1.2 disabled and client authentication required. Because that port then only offers TLS 1.0, keep it dedicated to the Portal and do not point any other clients at it.
- Log in to Policy Manager through a port other than the one you are about to change (otherwise you would be editing the port your own session is using). To do this, enter <hostname>:<port> in the Policy Manager Connection window.
- Either edit the port used for Portal-to-Gateway communication to disable TLS 1.1 and TLS 1.2, or (recommended) create another port for the Portal with TLS 1.1 and TLS 1.2 disabled:
- Clone the listen port the Portal was using before (for example 8443): Tasks --> Manage Listen Ports --> 8443 --> Clone.
- Open the properties of the new port and give it an unused port number.
- On the SSL/TLS Settings tab, disable TLS 1.1 and TLS 1.2.
- Set client authentication to Required.
- SSH to the Portal server.
- Edit lrsgateway-conf.xml in /opt/Deployments/lrs/server/webapps/ROOT/plugins.
- Change <Property name="GATEWAY_HOST">https://<gateway_host>:<port></Property> so that <port> is the number of the new listen port.
- Run the following command: service apiportal restart
- Log in to Policy Manager and check the portalman service in the SSG logs or the audit events.
- The logs should now show the following: 4114: Found client certificate for CN=<portal_hostname>. If you still see 4113 (no client certificate), re-check that the Portal is pointing at the new port and that the port has TLS 1.1/1.2 disabled and client authentication set to Required.
- Log in to http://<portal_hostname>/admin?action=PLUGIN-lrsgateway and click the following buttons:
- Sync API Plans
- Sync Account Plans
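The Portal-side steps above (rewrite GATEWAY_HOST, restart, then confirm the Gateway port really asks for a client certificate), as an added shell example that is not part of this article or of the API Portal product. It assumes the configuration path and the GATEWAY_HOST property layout quoted above; the host gateway.example.com and the port 9443 are placeholders chosen here. The handshake check drives openssl s_client with -tls1 and -state and looks for the server's certificate request in the state trace, which only works with an OpenSSL build that still permits a TLS 1.0 handshake; if your openssl refuses -tls1 outright, that is itself a reminder of why the port must stay dedicated to the Portal.

```shell
#!/bin/sh
# Added example, not from the KB article: rewrite the GATEWAY_HOST port in
# lrsgateway-conf.xml and probe the new Gateway listen port before restarting.
# Assumed: config path and property layout quoted in the article; the host and
# port values used below are placeholders.
set -u

CONF=/opt/Deployments/lrs/server/webapps/ROOT/plugins/lrsgateway-conf.xml

# get_gateway_host FILE -> prints the current GATEWAY_HOST URL
get_gateway_host() {
  sed -n -E 's#.*<Property name="GATEWAY_HOST">(https://[^<]+)</Property>.*#\1#p' "$1"
}

# set_gateway_port FILE PORT -> rewrites only the port number in GATEWAY_HOST,
# keeps a timestamped backup, and writes back through the existing inode so the
# file keeps the owner and mode the Portal's Tomcat process expects.
set_gateway_port() {
  file=$1 port=$2
  case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1;; esac
  cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1
  tmp=$(mktemp) || return 1
  sed -E "s#(<Property name=\"GATEWAY_HOST\">https://[^:<]+:)[0-9]+(</Property>)#\1${port}\2#" "$file" > "$tmp" \
    && cat "$tmp" > "$file"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# check_listen_port HOST PORT -> 0 if a TLS 1.0 handshake reaches the port and
# the Gateway sends a CertificateRequest, i.e. what "Client authentication
# required" with TLS 1.1/1.2 disabled should produce. Requires an OpenSSL build
# that still allows -tls1.
check_listen_port() {
  host=$1 port=$2
  out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" -tls1 -state 2>&1) || true
  if printf '%s\n' "$out" | grep -qi 'read server certificate request'; then
    echo "ok: $host:$port requested a client certificate over TLS 1.0"
    return 0
  fi
  echo "fail: $host:$port did not request a client certificate (check enabled protocols and client authentication)" >&2
  return 1
}

# Constructed sample (not a real Portal config) so the rewrite can be exercised
# offline without touching $CONF.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
<Plugin>
  <Property name="GATEWAY_HOST">https://gateway.example.com:8443</Property>
  <Property name="OTHER">unchanged</Property>
</Plugin>
EOF
set_gateway_port "$SAMPLE" 9443
echo "sample now points at: $(get_gateway_host "$SAMPLE")"
rm -f "$SAMPLE" "$SAMPLE".bak.*

# Live run only when a gateway host and the new port are passed as arguments:
# update the real file, verify the port, then restart the Portal as the article does.
if [ $# -eq 2 ]; then
  set_gateway_port "$CONF" "$2" && check_listen_port "$1" "$2" && service apiportal restart
fi
```

Run it with no arguments to see the rewrite on the constructed sample; run it as `sh update-gateway-port.sh <gateway_host> <new_port>` on the Portal server to apply the change, and it will refuse to restart the Portal if the handshake check does not see the Gateway ask for a certificate.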