Hi,
In my project we have the requirement to perform client-certificate-based authentication instead of user/password-based authentication (our current default).
Therefore we have created an additional port in IS which is set to “Request Client Certificates” and the listener credentials point to the specific certificate of the partner. Additionally we have mapped this certificate to the appropriate interface user and have assigned the service via the ACL to the port as this port should only serve this particular service despite some defaults from the “Deny+” set.
In 9.5 this was working fine, but now we are migrating to 9.12 and are currently testing the first involvement which we have only developed for 9.12. Now the partner is no longer able to invoke this WebService on 9.12.
In the server log we are seeing "No Permission for User “local/Default)”" as the error message.
The custom name part of the certificate consists of our alias name for this instance (both IS are running on the same physical box, but are listening on different alias names and different ports.)
The ACL is working, as another partner, which invokes the same WS via user/password on a different port, is able to connect successfully.
I have cross-checked the configuration related to this interface between both instances several times, but could not find any differences.
9.5 instance is listening on abn-is.domain.com:20974
9.12 instance is listening on abn-is912.domain.com:10974
Certificate was issued for abn-is.domain.com, but IS configured in both instances to be presented to partner upon connect.
When we connect to the partner system, this is working as we are using the same source IP in this case (due to being the same box).
Any ideas what is going wrong or where I missed a setting?
Regards,
Holger