webMethods.io API - Identify & Authorize Application using SSL Certificate

Dear All,

We have a requirement to identify the client Application using an SSL certificate.

The REST API is created, “Identify & Authorize Application” is configured as follows:

• Condition: OR

• Allow anonymous: false

• Identification Type: API Key
• Application Lookup Condition: Registered applications

• Identification Type: SSL Certificate
• Application Lookup Condition: Registered applications

The REST API is consumed using an Application, and below are the Application properties:
• Identifiers: Client certificates (attached the client certificate (.cer format))
• API access key

I generated a keypair using the Java keytool, exported the public certificate and used that certificate to test this feature.

{"Exception":"API Gateway encountered an error. Error Message: Unauthorized application request. Request Details: Service - CruiseOperations, Operation - /<operation_name>, User - Default and Application:sys:defaultApplication"}

Here the exception is indicating that application identification is not happening properly.

I see a similar post, but it talks about 2-way SSL, whereas in my use case I just want to identify the application using the X.509 certificate passed as part of the request.

I am using Postman to hit the HTTPS endpoint, and below are the logs from Postman:

GET https://ctscloud.gateway.webmethodscloud.com/gateway/CruiseOperations/1.0/cruises

Client Certificate
cert: {…}
src: "C:\Users\Documents\temp\auth-service-pub-cert.crt"
id: "68ca3bdd-6987-4eef-bd09-829b65ffa52c"
key: {…}
src: ""
matches: [1]
0: {…}
pattern: "https://ctscloud.gateway.webmethodscloud.com/*"
passphrase: ""
pfx: {…}
src: ""
Network
addresses: {…}
tls: {…}
Request Headers
x-app-name: CruiseOperation
User-Agent: PostmanRuntime/7.26.1
Accept: */*
Cache-Control: no-cache
Postman-Token: 725cfaea-9b8b-4648-a0d9-b63bd1707b16
Host: ctscloud.gateway.webmethodscloud.com
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Response Headers
Server: APICLOUD
Date: Wed, 24 Jun 2020 06:41:04 GMT
Content-Type: application/json
Content-Length: 230
Connection: keep-alive
WWW-Authenticate: APIKey Realm = 'APIGateway',Transport mode='tls-client-certificate'
Content-Encoding: gzip
Response Body
{"Exception":"API Gateway encountered an error. Error Message: Unauthorized application request. Request Details: Service - CruiseOperations, Operation - /cruises, Invocation Time:6:41:04 AM, Date:Jun 24, 2020, Client IP - , User - Default and Application:sys:defaultApplication"}
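The response header above (Transport mode='tls-client-certificate') shows the gateway looking for the application's certificate at the TLS layer, and in the Postman log the key and pfx entries are empty. A certificate is only presented to a server during the TLS handshake when the client also holds the matching private key, so a public certificate on its own is never sent and the gateway falls back to sys:defaultApplication. The script below is an added example, not part of the post or of webMethods.io API; it assumes the openssl command line, uses a self-signed pair as a stand-in for the keytool-generated one, and the file and subject names are invented. It produces the SHA-256 fingerprint of the certificate to compare with the one registered under Identifiers -> Client certificates, and classifies a client configuration as usable, certificate-only, or mismatched key and certificate.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a client-certificate
# configuration contains a usable key pair and print the fingerprint the
# gateway Application must have registered. Requires the openssl CLI.
set -eu

WORK="${TMPDIR:-/tmp}/appcert-demo.$$"   # constructed scratch directory

# make_keypair DIR: private key plus self-signed certificate, standing in for
# the keytool-generated pair in the post (names are assumptions).
make_keypair() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=auth-service-demo" \
    -keyout "$1/auth-service.key" -out "$1/auth-service-pub-cert.crt" \
    >/dev/null 2>&1
}

# cert_fingerprint CERT: SHA-256 fingerprint (colon-separated hex), the value
# to compare with the certificate uploaded to the Application.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# key_matches_cert KEY CERT: succeeds only when the private key belongs to the
# certificate, by comparing digests of the DER-encoded public keys.
key_matches_cert() {
  [ -s "$1" ] || return 1   # an empty "key src" cannot complete a TLS handshake
  k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | sed 's/^.*= //')
  c=$(openssl x509 -in "$2" -pubkey -noout \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256 | sed 's/^.*= //')
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# check_client_config KEY CERT: prints "ok" when the pair can be presented as a
# TLS client certificate, "missing-key" when only a public certificate is
# configured (the situation in the Postman log), "mismatch" when the key does
# not belong to the certificate.
check_client_config() {
  if [ ! -s "$1" ]; then echo "missing-key"; return 0; fi
  if key_matches_cert "$1" "$2"; then echo "ok"; else echo "mismatch"; fi
}

# Demo run on constructed files, removed afterwards.
make_keypair "$WORK"
echo "fingerprint to register: $(cert_fingerprint "$WORK/auth-service-pub-cert.crt")"
echo "key + cert : $(check_client_config "$WORK/auth-service.key" "$WORK/auth-service-pub-cert.crt")"
: > "$WORK/no-key"
echo "cert only  : $(check_client_config "$WORK/no-key" "$WORK/auth-service-pub-cert.crt")"
rm -rf "$WORK"
```

Point Postman at the key file as well as the certificate (or at a PFX containing both) and the gateway will see the certificate in the handshake; the fingerprint printed here must equal the one of the certificate attached to the Application, otherwise the lookup against registered applications still fails.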

Would you mind confirming that the outbound routing (under Policies) is set to the authorized user in the back-end?