I've been trying to hit IBM DataPower (Multi-Protocol Gateway) via ALB/NLB (nothing has been working).
The app (IBM DP MPG) verifies that all connections are TLS and expects requests to contain certs from specific root CAs.
I've been able to hit the instance via curl using --cert and --key and I get a 200 OK, whereas when I use an NLB or ALB (HTTPS), I see "TLS peer did not send a certificate during handshake".
Access logs of the ALB only show GET <url>:port/path as the call being made, which makes me wonder if the ALB even forwards the certificate to the instance.
The NLB doesn't even have access logs, but the app logs show the same thing: "TLS peer did not send a certificate during handshake".
The ELB should have been forwarding the complete packet to the instance.
The thing serving the SSL certificate (the thing making the handshake with the client that is sending the client certificate) is the only thing that ever has access to the client certificate. The client certificate is never "passed down" to anything else.
An ALB will never send a client cert down to the target server. An NLB configured to serve an SSL certificate will not pass down a client cert to the target server. Only an NLB configured in TCP passthrough mode will send the client certificate down, because an NLB in TCP passthrough mode is not serving up an SSL certificate; it is just handing off the raw TCP connection to the server, and the server is doing the actual TLS handshake.
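To see the answer's point in code, here is an added example (it is not from the question or the answer, and it is not AWS code). A Go program stands up a backend that demands a client cert, like the DataPower MPG, and puts two proxies in front of it: a raw TCP relay standing in for an NLB TCP listener, and a TLS-terminating proxy standing in for an ALB or an NLB TLS listener. The same client, presenting the same cert (the curl --cert/--key call), connects through each, and the backend reports which client cert it actually saw. The self-signed Ed25519 certs, the CNs "server"/"client", the loopback addresses and the message strings are all constructed for the demo, and the terminating proxy is a model of what any terminating load balancer does, not a reimplementation of the AWS ones.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// selfSigned mints a throwaway self-signed cert (constructed test data) plus a pool that trusts it.
func selfSigned(cn string) (tls.Certificate, *x509.CertPool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // fails only if the RNG does
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}} // no EKU set: Go then accepts any usage
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	ca := x509.NewCertPool()
	ca.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, ca
}

// serve handles every connection accepted on ln in its own goroutine and returns the address to dial.
func serve(ln net.Listener, handle func(net.Conn)) string {
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) { defer c.Close(); handle(c) }(c)
		}
	}()
	return ln.Addr().String()
}

// mtlsServe is a TLS endpoint that requires a client cert chaining to clientCA (both the backend and the terminating LB use it).
func mtlsServe(cert tls.Certificate, clientCA *x509.CertPool, handle func(*tls.Conn)) string {
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientCA}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		panic(err)
	}
	return serve(ln, func(c net.Conn) {
		if tc := c.(*tls.Conn); tc.Handshake() == nil { // a peer without an acceptable cert is simply dropped
			handle(tc)
		}
	})
}

// tcpPassthrough models an NLB TCP listener: it relays bytes and never speaks TLS itself.
func tcpPassthrough(backendAddr string) string {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	return serve(ln, func(c net.Conn) {
		if b, err := net.Dial("tcp", backendAddr); err == nil {
			defer b.Close()
			go io.Copy(b, c) // ClientHello, client cert, everything: untouched, straight to the backend
			io.Copy(c, b)
		}
	})
}

// tlsTerminating models an ALB or NLB TLS listener: it completes (and here even verifies) the client's handshake itself.
func tlsTerminating(backendAddr string, lbCert tls.Certificate, clientCA, backendCA *x509.CertPool) string {
	return mtlsServe(lbCert, clientCA, func(tc *tls.Conn) {
		// The LB holds the client's verified cert but not its key: its own connection to the backend carries no client cert.
		b, err := tls.Dial("tcp", backendAddr, &tls.Config{RootCAs: backendCA})
		if err == nil {
			defer b.Close()
			_, err = io.Copy(tc, b) // relay whatever the backend answers
		}
		if err != nil {
			fmt.Fprintln(tc, "lb->backend failed:", err)
		}
	})
}

// connectAsClient is the curl --cert/--key call: present clientCert to addr and return the reply.
func connectAsClient(addr string, clientCert tls.Certificate, serverCA *x509.CertPool) string {
	conn, err := tls.Dial("tcp", addr, &tls.Config{Certificates: []tls.Certificate{clientCert}, RootCAs: serverCA})
	if err != nil {
		return "client handshake failed: " + err.Error()
	}
	defer conn.Close()
	out, _ := io.ReadAll(conn)
	return string(out)
}

// runDemo stands up one backend and both load-balancer flavours in front of it, returning what the client sees through each.
func runDemo() (viaPassthrough, viaTerminating string) {
	serverCert, serverCA := selfSigned("server")
	clientCert, clientCA := selfSigned("client")
	be := mtlsServe(serverCert, clientCA, func(tc *tls.Conn) { // the DataPower MPG: report the client cert it saw
		peer := tc.ConnectionState().PeerCertificates[0]
		fmt.Fprintf(tc, "backend saw client cert CN=%s\n", peer.Subject.CommonName)
	})
	viaPassthrough = connectAsClient(tcpPassthrough(be), clientCert, serverCA)
	viaTerminating = connectAsClient(tlsTerminating(be, serverCert, clientCA, serverCA), clientCert, serverCA)
	fmt.Print("NLB TCP passthrough    -> ", viaPassthrough, "ALB / NLB TLS listener -> ", viaTerminating)
	return
}

func main() { runDemo() }
```

Through the TCP relay the backend answers with the client's CN, because the handshake it completed was with the client. Through the terminating proxy the client's handshake succeeds (the proxy even checked the cert), yet the backend rejects the proxy's own connection for lack of a client certificate, which is exactly the DataPower message in the question. The exact error text the proxy relays depends on the TLS version negotiated and on whether the backend's alert arrives before the connection is torn down, so the check below only asserts on what matters: whether a client cert reached the backend.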