DataPower
  • 1.  Error message when not presenting client certificate for mTLS

    Posted Fri April 23, 2021 03:52 PM
    Hi,
    We have a service that uses mTLS and requires client authentication.
    It seems to me that when the client doesn't present a client certificate you don't get any HTTP code in return.

    We have this customer that needs to get a 403 (Missing client certificate) in return.
    Is that possible?


    Thanks in advance
    Jocke D

    ------------------------------
    Joacim Dahlblom
    ------------------------------


  • 2.  RE: Error message when not presenting client certificate for mTLS

    Posted Mon April 26, 2021 07:17 AM
    Hi,

    you can try the following:

    In TLS Server Profile set "Request client authentication" = "on", "Require client authentication" = "off" and "Validate client certificate" = "off".
    Then drag an AAA action into the processing policy flow and set authentication to "Validate TLS certificate from connection peer" and select the correct validation credential config from the drop-down menu. Now you should be able to catch the certificate errors using an error rule and create a custom error response back to the consumers.

    ------------------------------
    Hermanni Pernaa
    ------------------------------



  • 3.  RE: Error message when not presenting client certificate for mTLS

    Posted Mon April 26, 2021 10:22 AM
    What Hermanni recommended above is the way to go if you want to return an error at the application layer. The TLS handshake happens at a lower layer of the OSI model, which is why you don't see any HTTP error code when you just do it using the FSH/TLS objects configuration.

    ------------------------------
    Bruno Rodrigues Neves
    Integration Specialist
    IBM
    ------------------------------
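As an added illustration (not code from the thread or from DataPower), the Go program below models the two-layer setup Hermanni describes and Bruno explains: the TLS listener only requests a client certificate (Go's `tls.RequestClientCert`, the counterpart of Request on / Require off / Validate off), and an application-layer handler standing in for the AAA action answers 403 "Missing client certificate" when none was presented. `StatusFor` starts such a server and returns the HTTP status a client sees with and without a certificate; the handler, the function names and the self-signed client certificate are all constructed for this demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// demoClientCert builds a throwaway self-signed client cert (constructed for this demo).
func demoClientCert() tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo-client"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
}

// handler plays the AAA action's role: the TLS layer only requested a certificate, so a
// missing one reaches application code and gets an HTTP 403 instead of a failed handshake.
func handler(w http.ResponseWriter, r *http.Request) {
	if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
		http.Error(w, "Missing client certificate", http.StatusForbidden)
		return
	}
}

func StatusFor(withClientCert bool) (int, error) {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(handler))
	srv.TLS = &tls.Config{ClientAuth: tls.RequestClientCert} // request on, require/validate off
	srv.StartTLS()
	defer srv.Close()
	client := srv.Client() // already trusts the test server's certificate
	if withClientCert {
		cfg := client.Transport.(*http.Transport).TLSClientConfig
		cfg.Certificates = []tls.Certificate{demoClientCert()}
	}
	resp, err := client.Get(srv.URL)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}
```

With "Require client authentication" on instead (`tls.RequireAnyClientCert` in Go), the same missing certificate aborts the handshake and `client.Get` returns a transport error rather than any HTTP status, which is the behaviour the original question describes.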



  • 4.  RE: Error message when not presenting client certificate for mTLS

    Posted Tue April 27, 2021 12:46 AM

    Thanks Hermanni!

    That will solve my problem.

    /Jocke D



    ------------------------------
    Joacim Dahlblom
    ------------------------------