DataPower

  • 1.  Error message when not presenting client certificate for mTLS

    Posted Fri April 23, 2021 03:52 PM
    Hi,
    We have a service that uses mTLS and requires client authentication.
    It seems to me that when a client doesn't present a client certificate, you don't get any HTTP code in return.

    We have this customer that needs to get a 403 (Missing client certificate) in return.
    Is that possible?


    Thanks in advance
    Jocke D

    ------------------------------
    Joacim Dahlblom
    ------------------------------


  • 2.  RE: Error message when not presenting client certificate for mTLS

    Posted Mon April 26, 2021 07:17 AM
    Hi,

    you can try the following:

    In the TLS Server Profile, set "Request client authentication" = "on", "Require client authentication" = "off" and "Validate client certificate" = "off".
    Then drag an AAA action to the processing policy flow and set authentication to "Validate TLS certificate from connection peer" and select the correct validation credential config from the drop-down menu. Now you should be able to catch the certificate errors using an error rule and create a custom error response back to the consumers.

    ------------------------------
    Hermanni Pernaa
    ------------------------------



  • 3.  RE: Error message when not presenting client certificate for mTLS

    Posted Mon April 26, 2021 10:22 AM
    What Hermanni recommended above is the way to go if you want to return an error at the application layer. The TLS handshake happens at a lower layer of the OSI model, which is why you don't see any HTTP error code when you just do it using FSH/TLS objects configuration.

    ------------------------------
    Bruno Rodrigues Neves
    Integration Specialist
    IBM
    ------------------------------
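
The same pattern outside DataPower, as an added example that is not part of the original posts and is not DataPower configuration: a Python standard-library HTTPS server that requests but does not require a client certificate, then returns the 403 from the application layer when none was presented. The function names, port and file paths are assumptions; unlike the DataPower settings above, Python's `CERT_OPTIONAL` still validates a presented certificate during the handshake, so only the missing-certificate case reaches the handler.

```python
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer


def make_server_context(certfile=None, keyfile=None, client_ca=None):
    """TLS context that requests a client certificate without requiring one."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_OPTIONAL  # handshake succeeds with no client cert
    if client_ca:
        ctx.load_verify_locations(cafile=client_ca)  # CA that issued client certs
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)  # the server's own identity
    return ctx


def decide(peer_cert):
    """Map SSLSocket.getpeercert() output to an HTTP status and body."""
    if not peer_cert:  # None when the client sent no certificate
        return 403, "Missing client certificate"
    subject = dict(rdn[0] for rdn in peer_cert.get("subject", ()))
    return 200, "Hello " + subject.get("commonName", "unknown client")


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        # self.connection is the TLS-wrapped socket for this request
        status, body = decide(self.connection.getpeercert())
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def serve(certfile, keyfile, client_ca, port=8443):
    """Run the server; paths and port are placeholders supplied by the caller."""
    httpd = HTTPServer(("127.0.0.1", port), Handler)
    ctx = make_server_context(certfile, keyfile, client_ca)
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()
```
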



  • 4.  RE: Error message when not presenting client certificate for mTLS

    Posted Tue April 27, 2021 12:46 AM

    Thanks Hermanni!

    That will solve my problem.

    /Jocke D



    ------------------------------
    Joacim Dahlblom
    ------------------------------