Layer7 API Management

  • 1.  How to validate client certificate delivered in HTTP custom header?

    Posted Feb 08, 2019 05:07 AM

    Scenario: I need to use client-certificate authentication to access an API gateway which is placed behind a load balancer. Currently the load balancer is configured to save the received client certificate in a custom header and forwards the client request to the API gateway with the certificate in its header. On the API gateway I can extract the client certificate from the header and save it as a string context variable named clientCertificate. I have tried to use the assertion Validate Certificate but I always received the error "No certificate found for variable : clientCertificate".

    For testing with POSTMAN I created a self-signed certificate with openssl and saved it in Trusted Certificates on the API gateway and marked it as "Certificate is a Trust Anchor". I also created in the Internal Identity Provider a user with the same name as the CN in the client certificate and added the client certificate. The client certificate was inserted into the header by the load balancer without problems, and I have tried to decode the extracted certificate from the header in an online certificate decoder and decoding showed no error. Any idea how I can validate a client certificate delivered to the API gateway in a request custom header?



  • 2.  Re: How to validate client certificate delivered in HTTP custom header?

    Broadcom Employee
    Posted Feb 08, 2019 08:52 PM

    Good evening,


    Please review the following post as I believe this is what you are looking for: Instantiating a certificate object (without having cert from authN; without having cert in trust store) 


    Sincerely,


    Stephen Hughes

    Broadcom Support



  • 3.  Re: How to validate client certificate delivered in HTTP custom header?

    Posted Feb 11, 2019 07:01 AM

    Thanks Stephen, your solution really helped. Anyway, I have one more question. I would like to use Basic Authentication and also the client certificate. So first I would like to check if the credentials in basic authentication are OK and then if the client certificate matches the one in the internal identity provider. When I tried it, it seems that once the basic authentication credentials are valid, the client certificate is not verified (also in the opposite order). I swapped the certificate for another certificate for my client account and it showed no error.


    I assume that after the basic authentication credentials are verified, the request should somehow be "unauthorized", probably by setting some context variable to NULL or in a similar way. Then I would use your solution to verify, for the user in the CN, whether the certificate also matches the one in the identity store. It may seem a bit like a doubled check (credentials + client certificate), but our requirement was exactly like that. Thank you.



  • 4.  Re: How to validate client certificate delivered in HTTP custom header?

    Broadcom Employee
    Posted Feb 11, 2019 02:47 PM

    Good afternoon,


    I'm glad the solution helped. As for the other question, the gateway by default will collect and validate the first set of credentials against the identity provider. You need to add an additional identity provider assertion and turn on identity tagging. Identity Tags - CA API Gateway - 9.3 - CA Technologies Documentation


    Sincerely,


    Stephen Hughes

    Broadcom Support

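The two independent checks the thread arrives at (basic-auth credentials and the header-delivered certificate each verified on their own, with the certificate compared against the one on file for that user), as an added Go example that is not part of this thread and not Layer7 product code. It assumes the load balancer delivers the DER certificate as one line of base64 in the header and uses a constructed self-signed certificate in place of the openssl one; `makeSelfSigned`, `certFromHeader`, `authorize` and the `registered` fingerprint map are hypothetical names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"math/big"
	"time"
)

// Constructed self-signed cert standing in for the openssl test cert; leaf and trust anchor.
func makeSelfSigned(cn string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
// Rebuild a certificate object from the header (assumed format: DER as one line of base64).
func certFromHeader(v string) (*x509.Certificate, error) {
	der, err := base64.StdEncoding.DecodeString(v)
	if err != nil {
		return nil, errors.New("no certificate found in header")
	}
	return x509.ParseCertificate(der)
}
// authorize checks the certificate on its own, so valid basic-auth credentials never
// short-circuit it: trusted chain, CN == authenticated user, fingerprint == the one on file.
func authorize(hdr, user string, roots *x509.CertPool, registered map[string][32]byte) error {
	cert, err := certFromHeader(hdr)
	if err != nil {
		return err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return errors.New("certificate does not chain to a trust anchor")
	}
	if cert.Subject.CommonName != user {
		return errors.New("certificate CN does not match the authenticated user")
	}
	if sha256.Sum256(cert.Raw) != registered[user] {
		return errors.New("certificate is not the one registered for this user")
	}
	return nil
}
```

The fingerprint comparison is what catches the swapped-certificate case from the thread: a second trusted certificate with the same CN is rejected even though the password check and the trust-anchor check both pass.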


  • 5.  Re: How to validate client certificate delivered in HTTP custom header?

    Posted Feb 12, 2019 05:11 AM

    Thank you for your hint, I only added those identity tags and it seems to be working independently.


    Sincerely,


    Robert Lipa



  • 6.  Re: How to validate client certificate delivered in HTTP custom header?

    Posted Apr 29, 2019 03:40 AM

    Hi R.Lipa,


    We have a use case in which we have to forward the client certificate to the Gateway.

    I found this post interesting. Could you please say which load balancer you are using (e.g. we have AWS ELB) and how you configured it to extract the request's client certificate and forward it to the Gateway in a custom header?


    Thanks in advance.


    Regards,

    Shobhit Saxena



  • 7.  Re: How to validate client certificate delivered in HTTP custom header?

    Posted Apr 29, 2019 03:53 AM

    Hello Saxena,


    Setting up the load balancer was done by our LB team, so I don't know the details. As far as I know we are using a BIG-IP F5 load balancer and it uses some script which inserts the client certificate into a custom HTTP header. I am not sure if this info helps.


    Regards,


    Lipa Robert



  • 8.  Re: How to validate client certificate delivered in HTTP custom header?

    Posted Apr 29, 2019 04:44 AM

    Thanks for the quick response.

    We can look for some similar solution in our ELB.


    Regards,

    Shobhit Saxena