Configuring application authentication for an API

Using this topic, you can configure application authentication for an API.

About this task

Remember: Sending the client certificate in an HTTP header does not enable cryptographic verification that the caller possesses corresponding to the private key. The only validation performed is a string comparison of the base64-encoded PEM file with the public certificate that you can configure following the steps below.
Note: This task relates to configuring an OpenAPI 2.0 API definition. For details on how to configure an OpenAPI 3.0 API definition, see Editing an OpenAPI 3.0 API definition.

You can complete this task either by using the API Designer UI application, or by using the browser-based API Manager UI.

At any time, you can switch directly to the underlying OpenAPI YAML source by clicking the Source icon OpenAPI Source icon. To return to the design form, click the Form icon Form icon.

Procedure

  1. Open the API for editing, as described in Editing an OpenAPI 2.0 API definition.
  2. Enable application authentication, as follows:
    Note: To identify the application, you must enable a security requirement of type clientID.
    1. On the API Design page, select the Gateway tab and expand Gateway and portal settings.
    2. In the navigation pane, click Application Authentication.
  3. You can select whether a client certificate is sent as a TLS client certificate or in an HTTP header. Specify how the client certificate is sent to the gateway, as follows:

    You can choose to send the client certificate as a TLS client certificate, or to include it in the API's HTTP header.

    1. In the navigation pane, click Application Authentication.
      Any existing application authentication source definitions are listed.
    2. On the Application Authentication page, select Certificate.
    3. In the Application pane, click Application authentication source.
    4. On the Application authentication source page, click Add.
    5. In the Add shema dialog box, select .
      • tls-cert - When the API is called, the TLS client certificate is sent to the Gateway service and is used to verify that the API caller holds the corresponding private key.
      • header - When the API is called, an X509 client certificate must be supplied in the specified HTTP header. For any Developer Portal application that calls the API, the certificate must be entered in the Developer Portal user interface; for details, see Registering an application. If you are using a load balancer, you must configure the load balancer to use the specified HTTP header to relay the appropriate client certificate to the Gateway service after the load balancer terminates the TLS communication.
      Attention: Sending the client certificate in an HTTP header does not allow for cryptographic verification that the caller holds the corresponding private key. The only validation performed is a string comparison of the base64-encoded PEM file against the client certificate.
  4. Click Add.
  5. Click Save to save your changes.