February 6, 2020 By Kohji Ohsawa 2 min read

In four easy steps, I’ll show you how to secure REST APIs hosted on IBM API Connect with Client Certificates.

IBM API Connect supports several options to protect REST APIs and those options are well documented in the IBM Knowledge Center. However, some users prefer to see a simple example, especially when they are looking for a way to protect their REST APIs with Client Certificates. This post will outline how to secure your REST APIs hosted on IBM API Connect with Client Certificates.

Step 1: Configure on API Manager

First, open your API Manager user interface from your IBM Cloud console and then navigate to Draft > APIs.

Open the API you would like to configure, then enable the Authenticate application setting in the Lifecycle section. Please make sure you publish the product after saving. 

Step 2: Create Client Certificates

Next, create your own Client Certificates to use.

For example:

$ openssl genrsa -out client.key 1024
$ openssl req -new -key client.key -out client.csr
$ openssl x509 -in client.csr -out client.crt -req -signkey client.key -days 365

Step 3: Configure on Developer Portal 

Visit your Developer Portal, then create a new App and paste the contents of the client certificates you created in the Step 2. Please note you need to include -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----

Step 4: Test it! 

You can now call the API by specifying the client certificate as X-Client-Certificate header.

Here is a curl example:

$ curl --request GET \
--url ';https://api.au-syd.apiconnect.appdomain.cloud/kohsawa-dev/sb/current?zipcode=REPLACE_THIS_VALUE'; \
--header ';accept: application/json'; \
--header ';x-ibm-client-id: YOUR_CLIENT_ID'; \
--header ';x-ibm-client-secret: YOUR_CLIENT_SECRET'; \
--header ';X-Client-Certificate: YOUR_CLIENT_CERTIFICATE';

Please note you need to eliminate CRLF from the client certificate. The client certificate must be the same one you put into the App on Developer Portal.


There are some other options to secure your APIs, such as OAuth or Mutual TLS, and the option you choose depends on your requirements. I hope you find this post useful for when you use Client Certificates with IBM API Connect.

Was this article helpful?

More from Cloud

Seven top central processing unit (CPU) use cases

7 min read - The central processing unit (CPU) is the computer’s brain, assigning and processing tasks and managing essential operational functions. Computers have been so seamlessly integrated with modern life that sometimes we’re not even aware of how many CPUs are in use around the world. It’s a staggering amount—so many CPUs that a conclusive figure can only be approximated. How many CPUs are now in use? It’s been estimated that there may be as many as 200 billion CPU cores (or more)…

Prioritizing operational resiliency to reduce downtime in payments

2 min read - The average lost business cost following a data breach was USD 1.3 million in 2023, according to IBM’s Cost of a Data Breach report. With the rapid emergence of real-time payments, any downtime in payments connectivity can be a significant threat. This downtime can harm a business’s reputation, as well as the global financial ecosystem. For this reason, it’s paramount that financial enterprises support their resiliency needs by adopting a robust infrastructure that is integrated across multiple environments, including the…

Agility, flexibility and security: The value of cloud in HPC

3 min read - In today’s competitive business environment, firms are confronted with complex, computational issues that demand swift resolution. Such problems might be too intricate for a single system to handle or might require an extended time to resolve. For companies that need quick answers, every minute counts. Allowing problems to linger for weeks or months is not feasible for businesses determined to stay ahead of the competition. To address these challenges, enterprises across various industries, such as those in the semiconductor, life…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters