Configuring application authentication for an API

Application authentication settings allow you to protect your API with a certificate, for example, by using TLS mutual authentication. You can select whether a client certificate is sent as a TLS client certificate or in an HTTP header.

About this task

Note: This task relates to configuring an OpenAPI 3.0 API definition. For details on how to configure an OpenAPI 2.0 API definition, see Editing an OpenAPI 2.0 API definition.

You can complete this task either by using the API Designer UI application, or by using the browser-based API Manager UI.

At any time, you can switch directly to the underlying OpenAPI YAML source by clicking the Source icon OpenAPI Source icon. To return to the design form, click the Form icon Form icon.

Procedure

  1. Open the API for editing, as described in Editing an OpenAPI 3.0 API definition.
  2. Enable application authentication, as follows:
    Note: To identify the application, you must enable a security requirement of type clientID.
    1. Select the Gateway tab, expand Gateway and portal settings, then click Application Authentication.
    2. Select Certificate.
  3. Specify how the client certificate is sent to the gateway, as follows:
    1. In the navigation pane, click Application Authentication Source.
      Any existing application authentication source definitions are listed.
    2. Alongside Application Authentication Source, click Add.
    3. Select the required option, header or tls-cert.
      You can separately add one or both of the options.

      When the API is called, an X509 client certificate must be supplied, either in the specified HTTP header, or as a TLS client certificate from TLS mutual authentication. For any Developer Portal application that calls the API, the certificate must be entered in the Developer Portal user interface; for details, see Registering an application.

      The Gateway service to which the API is published can be configured to use TLS mutual authentication to secure API calls made to that Gateway service; for details, see Configuring the initial Gateway service. If you select this option, continue to sub-step d.

      If you are using a load balancer, you must configure the load balancer to use the specified HTTP header to relay the appropriate client certificate to the Gateway service after the load balancer terminates the TLS communication.

    4. If you select the tls-cert option, enable mTLS at the Gateway level.

      Enable mTLS by setting "Mutual authentication: Required" (or "Requested" if not all APIs use mTLS) in the TLS Server Profile that is specified for the API invocation endpoint in your gateway service configuration. The gateway service is configured in the Cloud Manager UI (requires cloud administrator permissions). For more information, see Registering a gateway service and TLS profiles overview.

      You can create a truststore (with the root or intermediate CA certificate) for use with the TLS Server Profile.

      The following example cURL command uses a client-cert during SSL:

      **curl -X GET 'https://GW-Server:9443/test/sandbox/mtls-testing/callmtls-call' -H 'X-IBM-Client-Id: 1872xxxxxxxxxxxxx' --cert my-leaf-cert.pem --key my-leaf-cert.key -k -v**
      Note: This feature is intended for the scenario where different applications are registered with different end certificates in the Developer Portal, which have the same intermediate or root CA issuer. The certificate passes Gateway-level mTLS if it matches the issuer available in the truststore, but allows access only to the API that matches the correct end certificate.
  4. Click Create.
  5. Click Save to save your changes.