No client certificate presented to the Gateway when using TLS 1.1 or 1.2

Document ID : KB000042881
Last Modified Date : 13/05/2019
Show Technical Document Details
Issue:
  • A request that fails may have some of the following audit or log messages:
com.l7tech.server.MessageProcessor: 3017: Policy evaluation for service myService [dbb2df894b5dbe4313bd5c107abf8e83] resulted in status 401 (Authentication Required)
com.l7tech.server.policy.assertion.credential.http.ServerHttpClientCert: 4100: Authentication required
com.l7tech.server.policy.assertion.credential.http.ServerHttpClientCert: 4113: No Client Certificate was present in the request.
com.l7tech.server.message: Message was not processed: Authentication Required (401)
  • The presentation of these error messages can induce some confusion as the client application may gather a client certificate from the application operator but won't present them to the server application as expected. If a client application operator is certain that credentials are being set but the Gateway is returning the error or audit above then this article should be reviewed and executed as appropriate.
  • Be sure to explore the Additional Information section for more context on this behaviour.

 

Resolution:
  • The primary resolution for this issue will be to add the certificate authority responsible for issuing a particular client certificate to the Gateway's certificate trust store.
  1. Log in to the Policy Manager as an administrative user.
  2. Select Manage Certificates from the Tasks menu.
  3. Select the desired CA certificate.
  4. Click the Properties button.
  5. Navigate to the Options tab.
User-added image
  1. Check the box for Signing Client Certificates
  2. Click the Save box to store the new options

User-added image

  • The Gateway will now include this certificate in the list of acceptable CA certificates when a client application attempts to connect to the Gateway over an SSL/TLS-enabled port using TLSv1.1 or TLSv1.2
Additional Information:
  • The Gateway has supported versions 1.1 and 1.2 of the Transport Layer Security specification for some time. Those specifications require that a server application presents a list of acceptable client certificate authorities that the server application considers acceptable issuers. A client application may opt not to transmit a client certificate in some circumstances. This typically happens with contemporary Internet browsers. Such behaviors can cause a problem with a service policy that requires client certificate authentication. A client application that does not transmit client certificates to the Gateway will be unable to authenticate against a service policy that requires said certificate.
  • The Gateway compiles a list of acceptable client certificate authorities using the Manage Certificates trust store. Certificates in this trust store will be added to the acceptable client certificate authority list when they have the Sign Client Certificates option enabled. This article will prescribe the steps for adding an entity to the acceptable certificate authority list.