MTLS with reverse proxy server in front of API Gateway

Article ID: 235369

Products

CA API Gateway

Issue/Introduction

There is a requirement to implement MTLS. However, in this system, an Apache server is in front of API Gateway. How can the API Gateway be configured to receive a client (API consumer) certificate from the Apache reverse proxy server so it (API Gateway) can do client certificate authentication?

Environment

API Gateway 10.0

Resolution

After a successful TLS handshake, the Gateway captures the client certificate from the HTTP request and makes it available via the built-in variable request.ssl.clientcertificate.

There is no way to configure the Gateway to retrieve the client certificate by any other means. The practical approach is to configure Apache to attach the base64-encoded client certificate to the forwarded request in a header, and then use the existing Gateway assertions to extract that header value and validate the certificate. The header injection must be configured on Apache itself; Broadcom Support does not provide instructions for performing these steps on a third-party product.
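The following Go program is an added illustration of the two halves of that arrangement; it is not Gateway code, not a Broadcom-supplied assertion, and not Apache configuration. The proxy half is simulated by a request carrying the certificate as base64 DER in a header named `X-Client-Cert` (an assumed name; pick whatever your Apache `RequestHeader set` line uses). The gateway half does what the extract-and-validate assertions must do: accept the header only when the request actually came from the proxy's address (otherwise any caller that can reach the Gateway directly could assert an identity by typing in a header), decode it, and verify the chain against the trusted client CAs for client authentication. The decoder also tolerates PEM armour with flattened newlines, since Apache's `%{SSL_CLIENT_CERT}s` variable (exposed with `SSLOptions +ExportCertData`) is PEM rather than bare base64. The CA, client and look-alike certificates are generated in memory and are constructed for this example only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"net/http"
	"strings"
	"time"
)

const HeaderName = "X-Client-Cert" // header the proxy is assumed to set; name chosen for this example
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// issueCert mints a throwaway cert: a self-signed CA when parent is nil, else a leaf signed by parent.
func issueCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed root
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// decodeHeaderCert recovers DER from the header value, tolerating PEM armour and whitespace.
func decodeHeaderCert(value string) ([]byte, error) {
	v := strings.NewReplacer("-----BEGIN CERTIFICATE-----", "", "-----END CERTIFICATE-----", "").Replace(value)
	if v = strings.Join(strings.Fields(v), ""); v == "" {
		return nil, fmt.Errorf("empty value")
	}
	return base64.StdEncoding.DecodeString(v)
}

// ExtractClientCert is the gateway-side logic: trust the header only from the proxy, decode it, then verify chain, validity period and client-auth EKU.
func ExtractClientCert(r *http.Request, roots *x509.CertPool, proxyIP string) (*x509.Certificate, error) {
	if !strings.HasPrefix(r.RemoteAddr, proxyIP+":") {
		return nil, fmt.Errorf("%s is only trusted from proxy %s, request came from %q", HeaderName, proxyIP, r.RemoteAddr)
	}
	der, err := decodeHeaderCert(r.Header.Get(HeaderName))
	if err != nil {
		return nil, fmt.Errorf("bad %s header: %w", HeaderName, err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, fmt.Errorf("%s is not an X.509 certificate: %w", HeaderName, err)
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return nil, fmt.Errorf("client certificate rejected: %w", err)
	}
	return cert, nil
}

// DemoPKI builds a trusted CA, a client cert it issued, and a look-alike from an unrelated CA (all constructed).
func DemoPKI() (roots *x509.CertPool, client, rogue *x509.Certificate) {
	ca, caKey := issueCert("Example Client CA", nil, nil)
	client, _ = issueCert("api-consumer-01", ca, caKey)
	rogueCA, rogueKey := issueCert("Untrusted CA", nil, nil)
	rogue, _ = issueCert("api-consumer-01", rogueCA, rogueKey)
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	return roots, client, rogue
}

// ProxiedRequest fakes what the gateway sees: the peer address plus the header the proxy attached.
func ProxiedRequest(remoteAddr string, cert *x509.Certificate) *http.Request {
	r := must(http.NewRequest("GET", "https://gateway.example.invalid/api", nil))
	r.RemoteAddr = remoteAddr
	r.Header.Set(HeaderName, base64.StdEncoding.EncodeToString(cert.Raw))
	return r
}

func main() {
	roots, client, rogue := DemoPKI()
	for _, r := range []*http.Request{
		ProxiedRequest("10.0.0.5:40001", client),   // valid cert forwarded by the proxy
		ProxiedRequest("10.0.0.5:40002", rogue),    // cert from an untrusted CA
		ProxiedRequest("203.0.113.9:5555", client), // header forged by a caller that bypassed the proxy
	} {
		cert, err := ExtractClientCert(r, roots, "10.0.0.5")
		fmt.Printf("from %-18s accepted=%t err=%v\n", r.RemoteAddr, cert != nil, err)
	}
}
```

Running it accepts only the first request; the look-alike certificate fails chain validation and the forged header is refused before it is even decoded. On the Apache side the usual pairing is `SSLVerifyClient require`, `SSLOptions +ExportCertData` and `RequestHeader set` (not `add`) of the header, so that any copy of the header a client sent is overwritten rather than appended to; on the Gateway side, binding the header check to the proxy's address (or to a dedicated listen port that only the proxy can reach) is what turns a forwarded header into something the assertions may treat as an authenticated identity.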