IS client certificate based authentication differing between 9.5 and 9.12?

Hi,

In my project we have the requirement to perform client certificate based authentication instead of user/password based (our current default).

Therefore we have created an additional port in IS which is set to “Request Client Certificates” and the listener credentials point to the specific certificate of the partner. Additionally we have mapped this certificate to the appropriate interface user and have assigned the service via the ACL to the port as this port should only serve this particular service despite some defaults from the “Deny+” set.

In 9.5 this was working fine, but now we are migrating to 9.12 and are currently testing the first involvement, which we have only developed for 9.12. Now the partner is no longer able to invoke this WebService on 9.12.
In the server log we are seeing a “No Permission for User local/Default” error message.
The common name part of the certificate consists of our alias name for this instance (both IS are running on the same physical box, but are listening on different alias names and different ports).
The ACL is working, as another partner, which invokes the same WS via user/password on a different port, is able to connect successfully.

I have cross-checked the configuration related to this interface between both instances several times, but could not find any differences.

The 9.5 instance is listening on abn-is.domain.com:20974
The 9.12 instance is listening on abn-is912.domain.com:10974
The certificate was issued for abn-is.domain.com, but is configured in both instances to be presented to the partner upon connect.

When we connect to the partner system, this is working, as we are using the same source IP in this case (due to being the same box).

Any ideas what is going wrong or where I have missed a setting?

Regards,
Holger

Hi Holger,

Can you try enabling the SSL logging level (ISAdmin > Settings > Logging) of the affected 9.12 instance and share the logs while the partner hits the new https port?
The CN names of the cert for 9.5 and 9.12 are different, so that can be another aspect to check. Also, since the SSL mode is ‘Request Client Certificate’, this flow can work with one-way SSL and client cert validation is optional at IS. To enforce client certificate validation as a mandatory step, try enabling ‘Require Client Certificate’. I believe you have already mapped the client cert in ISAdmin, so that is sorted.

-MayankTripathi
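An added check for the ‘Request’ versus ‘Require’ point above, not code from the thread: probe the 9.12 port from the partner side with `openssl s_client` and read back whether the port actually sends a TLS CertificateRequest, which CAs it will accept, and whether the server certificate's CN matches the alias the partner connects to. The host and port come from the thread; the key/cert file names, the `diagnose` helper and the sample output are assumptions constructed for the example.

```python
import re

# Added example (not from the thread): read an `openssl s_client` probe of the
# IS HTTPS port. Host/port are from the thread; partner.pem/partner.key are assumed.
PROBE_CMD = ("openssl s_client -connect abn-is912.domain.com:10974 -servername "
             "abn-is912.domain.com -cert partner.pem -key partner.key </dev/null 2>&1")

def parse_s_client(output):
    facts = {"server_subject": None, "client_cert_requested": False, "acceptable_cas": []}
    m = re.search(r"^subject=(.*)$", output, re.M)
    if m:
        facts["server_subject"] = m.group(1).strip()
    lines = output.splitlines()
    # openssl prints this header only when the server asked for a client cert; a
    # port doing plain one-way TLS prints "No client certificate CA names sent".
    if "Acceptable client certificate CA names" in lines:
        facts["client_cert_requested"] = True
        for line in lines[lines.index("Acceptable client certificate CA names") + 1:]:
            if not line.strip() or line.startswith(("Client Certificate Types", "Requested", "---")):
                break
            facts["acceptable_cas"].append(line.strip())
    return facts

def subject_cn(subject):
    m = re.search(r"CN\s*=\s*([^,/]+)", subject or "")
    return m.group(1).strip() if m else None

def diagnose(output, expected_host, partner_issuer):
    facts = parse_s_client(output)
    findings = []  # empty list means nothing obviously wrong on the TLS side
    if not facts["client_cert_requested"]:
        findings.append("port did not request a client certificate (one-way TLS only)")
    elif partner_issuer not in facts["acceptable_cas"]:
        findings.append("partner's issuing CA is not in the server's acceptable CA list")
    cn = subject_cn(facts["server_subject"])
    if cn and cn.lower() != expected_host.lower():  # CN only; SANs need x509 -text
        findings.append(f"server cert CN {cn!r} does not match {expected_host!r}")
    return findings

# Constructed sample of a probe against the 9.12 port (PEM body omitted).
SAMPLE_OUTPUT = """---
subject=CN = abn-is.domain.com, O = Example
---
Acceptable client certificate CA names
CN = Partner CA, O = Partner
CN = Example Root CA
Client Certificate Types: RSA sign, ECDSA sign
---
"""
```

Run `PROBE_CMD` against the real port and feed its output to `diagnose()`; the sample above reproduces the CN mismatch between the 9.5 certificate and the 9.12 alias described in the question.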

Hi,

Just a small update:
We worked around this issue by additionally mapping the client certificates in MWS as well, as the user is stored in the internal MWS user repository and is visible to IS via Central User Management.

We are still investigating why IS is not able to detect the local IS configuration for the client certificates, falling back to the MWS based config.

Additionally, we have another instance where this is working, but in this case the certificate was issued by another (external) CA. Also, this partner is not hitting our IS directly but through External Gateway, and “Request Client Certificate” is only configured for the ports involved in this External Gateway config.

Regards,
Holger

Hi Holger,

Good to know that you have a workaround, so no hard blockers.
I would suggest applying the latest core fix for 9.12 and retesting. If that also doesn't work, then perhaps an incident with SAG can be opened.

-M