How to Secure REST APIs with Client Certificates on IBM Cloud

1 min read

In four easy steps, I'll show you how to secure REST APIs hosted on IBM API Connect with Client Certificates.

IBM API Connect supports several options to protect REST APIs and those options are well documented in the IBM Knowledge Center. However, some users prefer to see a simple example, especially when they are looking for a way to protect their REST APIs with Client Certificates. This post will outline how to secure your REST APIs hosted on IBM API Connect with Client Certificates.

Step 1: Configure on API Manager

First, open your API Manager user interface from your IBM Cloud console and then navigate to Draft > APIs.

First, open your API Manager user interface from your IBM Cloud console and then navigate to Draft > APIs.

Open the API you would like to configure, then enable the Authenticate application setting in the Lifecycle section. Please make sure you publish the product after saving. 

Open the API you would like to configure, then enable the Authenticate application setting in the Lifecycle section. Please make sure you publish the product after saving. 

Step 2: Create Client Certificates

Next, create your own Client Certificates to use.

For example:

$ openssl genrsa -out client.key 1024
$ openssl req -new -key client.key -out client.csr
$ openssl x509 -in client.csr -out client.crt -req -signkey client.key -days 365

Step 3: Configure on Developer Portal 

Visit your Developer Portal, then create a new App and paste the contents of the client certificates you created in the Step 2. Please note you need to include -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----

Visit your Developer Portal, then create a new App and paste the contents of the client certificates you created in the Step 2. Please note you need to include -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. 

Step 4: Test it! 

You can now call the API by specifying the client certificate as X-Client-Certificate header.

Here is a curl example:

$ curl --request GET \
--url ';https://api.au-syd.apiconnect.appdomain.cloud/kohsawa-dev/sb/current?zipcode=REPLACE_THIS_VALUE'; \
--header ';accept: application/json'; \
--header ';x-ibm-client-id: YOUR_CLIENT_ID'; \
--header ';x-ibm-client-secret: YOUR_CLIENT_SECRET'; \
--header ';X-Client-Certificate: YOUR_CLIENT_CERTIFICATE';

Please note you need to eliminate CRLF from the client certificate. The client certificate must be the same one you put into the App on Developer Portal.

Summary

There are some other options to secure your APIs, such as OAuth or Mutual TLS, and the option you choose depends on your requirements. I hope you find this post useful for when you use Client Certificates with IBM API Connect.

Be the first to hear about news, product updates, and innovation from IBM Cloud