Well known endpoint Android certificate

Article ID: 186139

Products

CA API Gateway, API SECURITY, CA API Gateway Precision API Monitoring Module for API Gateway (Layer 7), CA API Gateway Enterprise Service Manager (Layer 7), STARTER PACK-7, CA Microgateway

Issue/Introduction

When users call the well-known endpoint from an Android phone, a system popup appears asking for a client certificate. The endpoint executes correctly whether we accept or reject adding the certificate. These endpoints have mutual TLS disabled in the first place, so it is strange that we are seeing this popup.
The problem only appears on Android. It works correctly on iOS and PC platforms.

Environment

Release : 9.2

Component : API GTW ENTERPRISE MANAGER

Resolution

This issue is not related to the Mobile SDK at all; it has to be attributed to the TLS settings on the Gateway or the Load Balancer.
It seems that apis.xx.co.uk is the hostname of the Load Balancer, which listens on port 443 and forwards to the internal Gateway (or this may be an actual Gateway node listening on port 443).

The behavior you see is caused when Client Authentication is set to Optional for a port, which makes the server challenge the client to present a client certificate during the TLS handshake. Since it is optional, the request still goes ahead if the client declines.
In the latest Chrome browser on Android 10, it seems that if client TLS authentication is optional, it goes ahead without showing the popup (this is what we observed on our Pixel device). I tried accessing the same endpoint on a Mi phone with Android 9, and the popup reappears.

So the gist is that you need to disable client authentication for the port on the Gateway or on the Load Balancer.

The problem comes from the configuration of the listen ports in the API Gateway, which was requesting a client certificate even though the API did not have any policies applied that require one.
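The challenge described above is the TLS CertificateRequest handshake message: a port with client authentication set to Optional sends it, and whether the client answers it or not decides only what the client shows the user, not whether the request succeeds. The script below is an added example, not code from this article or from the Gateway product. It parses a TLS 1.2 server first flight (ServerHello through ServerHelloDone, as captured from a packet trace of the port in clear) and reports whether a CertificateRequest is present, which is the check a practitioner can run before and after disabling client authentication on the port. The sample byte strings are constructed inline for the demo and contain placeholder certificate data; they are not captured from any real Gateway or Load Balancer.

```python
import struct

# TLS record and handshake type constants from RFC 5246
RECORD_HANDSHAKE = 22          # record content type: handshake
HS_SERVER_HELLO = 2
HS_CERTIFICATE = 11
HS_CERTIFICATE_REQUEST = 13    # the message that triggers the client-certificate prompt
HS_SERVER_HELLO_DONE = 14


def iter_records(data):
    """Yield (content_type, version, payload) for each TLS record in data."""
    off = 0
    while off + 5 <= len(data):
        ctype, ver, length = struct.unpack("!BHH", data[off:off + 5])
        payload = data[off + 5:off + 5 + length]
        if len(payload) < length:
            raise ValueError("truncated TLS record")
        yield ctype, ver, payload
        off += 5 + length


def iter_handshakes(records):
    """Reassemble handshake bytes across records; yield (msg_type, body)."""
    buf = b"".join(p for t, _, p in records if t == RECORD_HANDSHAKE)
    off = 0
    while off + 4 <= len(buf):
        mtype = buf[off]
        length = int.from_bytes(buf[off + 1:off + 4], "big")
        body = buf[off + 4:off + 4 + length]
        if len(body) < length:
            raise ValueError("truncated handshake message")
        yield mtype, body
        off += 4 + length


def parse_certificate_request(body):
    """Decode a TLS 1.2 CertificateRequest body: cert types and CA names (RFC 5246 7.4.4)."""
    off = 0
    n_types = body[off]; off += 1
    cert_types = list(body[off:off + n_types]); off += n_types
    sig_len = int.from_bytes(body[off:off + 2], "big"); off += 2 + sig_len  # skip signature algorithms
    ca_len = int.from_bytes(body[off:off + 2], "big"); off += 2
    end = off + ca_len
    ca_names = []
    while off < end:
        name_len = int.from_bytes(body[off:off + 2], "big"); off += 2
        ca_names.append(body[off:off + name_len]); off += name_len  # DER-encoded DistinguishedName
    return cert_types, ca_names


def analyze_server_flight(data):
    """Report whether the server's first flight challenges the client for a certificate."""
    result = {"certificate_request": False, "cert_types": [], "ca_names": [], "messages": []}
    for mtype, body in iter_handshakes(iter_records(data)):
        result["messages"].append(mtype)
        if mtype == HS_CERTIFICATE_REQUEST:
            result["certificate_request"] = True
            result["cert_types"], result["ca_names"] = parse_certificate_request(body)
    return result


def _hs(mtype, body):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body


def _record(payload):
    return struct.pack("!BHH", RECORD_HANDSHAKE, 0x0303, len(payload)) + payload


def build_server_flight(request_client_cert):
    """Constructed sample: a minimal TLS 1.2 server first flight with placeholder contents."""
    server_hello = b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00"
    msgs = [_hs(HS_SERVER_HELLO, server_hello), _hs(HS_CERTIFICATE, b"\x00\x00\x00")]
    if request_client_cert:
        cert_req = (b"\x02\x01\x40"                # cert types: rsa_sign, ecdsa_sign
                    + b"\x00\x04\x04\x01\x04\x03"  # sig algs: rsa/sha256, ecdsa/sha256
                    + b"\x00\x04\x00\x02\x30\x00")  # one CA name (empty DER Name placeholder)
        msgs.append(_hs(HS_CERTIFICATE_REQUEST, cert_req))
    msgs.append(_hs(HS_SERVER_HELLO_DONE, b""))
    # first message in its own record, the rest coalesced, to exercise cross-record reassembly
    return _record(msgs[0]) + _record(b"".join(msgs[1:]))


OPTIONAL_PORT = build_server_flight(True)    # port with client authentication Optional
FIXED_PORT = build_server_flight(False)      # same port after client authentication is disabled

if __name__ == "__main__":
    for label, flight in (("client auth Optional", OPTIONAL_PORT), ("client auth disabled", FIXED_PORT)):
        r = analyze_server_flight(flight)
        print(f"{label}: CertificateRequest sent = {r['certificate_request']}, "
              f"cert_types = {r['cert_types']}, CA names = {len(r['ca_names'])}")
```

Two caveats apply to the check. From the server's flight alone, Optional and Required look identical; the difference shows only in whether the server aborts the handshake when the client answers with an empty Certificate, which is exactly why the endpoint kept working on Android after the prompt was dismissed. And in TLS 1.3 the CertificateRequest is sent encrypted after ServerHello, so a plain capture of a 1.3 port will not show it; for a live check after the port change, `openssl s_client -connect host:443 -msg` prints each handshake message by name, and a CertificateRequest line means the challenge is still enabled.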
