This topic describes how to configure application authentication for an API.
About this task
Remember: Sending the client certificate in an HTTP header does not provide cryptographic verification that the caller possesses the corresponding private key. The only validation performed is a string comparison of the base64-encoded PEM file against the public certificate that is registered for the calling application (see the header option in the steps below).
You can complete this task either by using the API Designer UI application, or by using the browser-based API Manager UI.
At any time, you can switch directly to the underlying OpenAPI YAML source by clicking the Source icon. To return to the design form, click the Form icon.
Procedure
- Open the API for editing, as described in Editing an OpenAPI 2.0 API definition.
- Enable application authentication, as follows:
  Note: To identify the application, you must enable a security requirement of type clientID.
  - On the API Design page, select the Gateway tab and expand Gateway and portal settings.
  - In the navigation pane, click Application Authentication.
  - On the Application Authentication page, select Certificate.
- Specify how the client certificate is sent to the gateway, as follows. You can choose to send the client certificate as a TLS client certificate, or to include it in an HTTP header of the API request.
  - In the Application pane, click Application authentication source. Any existing application authentication source definitions are listed.
  - On the Application authentication source page, click Add.
  - In the Add schema dialog box, select one of the following:
    - tls-cert - When the API is called, the TLS client certificate is sent to the Gateway service and is used to verify that the API caller holds the corresponding private key.
    - header - When the API is called, an X.509 client certificate must be supplied in the specified HTTP header. For any Developer Portal application that calls the API, the certificate must be entered in the Developer Portal user interface; for details, see Registering an application. If you are using a load balancer that terminates the TLS connection, you must configure the load balancer to relay the client certificate to the Gateway service in the specified HTTP header.
      Attention: Sending the client certificate in an HTTP header does not allow cryptographic verification that the caller holds the corresponding private key. The only validation performed is a string comparison of the base64-encoded PEM file against the client certificate registered for the application. Because the gateway cannot distinguish a certificate relayed by the load balancer from a copy of the same public certificate supplied by any other caller, make sure that API clients cannot bypass the load balancer and present the header to the gateway directly.
  - Click Add.
- Click Save to save your changes.
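The following Python is an added illustration for this page; it is not API Connect code and is not part of the product documentation. It models the string comparison that the header source performs, shows why a copy of the public certificate is enough to pass it, and shows the normalization a TLS-terminating load balancer needs before relaying the certificate. The certificate bytes, the registered application record, the exact base64(PEM) encoding the gateway compares against, and the use of nginx's $ssl_client_escaped_cert as the relayed form are all assumptions made for the demonstration.

```python
"""Model of the two application-authentication sources described above.

Added example for this page; it is not API Connect code. The certificate
bytes, the application record and the load-balancer header forms are
constructed here for the demonstration.
"""
import base64
import hmac
import re
from urllib.parse import quote, unquote

# Constructed stand-in for the DER bytes of a client certificate (not a real X.509 certificate).
FAKE_DER = bytes(range(96))


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in canonical PEM armour (64-column base64, LF line endings)."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# What the application developer pastes into the Developer Portal ...
REGISTERED_PEM = to_pem(FAKE_DER)
# ... and the base64-encoded PEM that the gateway's string comparison is assumed to hold.
REGISTERED_B64 = base64.b64encode(REGISTERED_PEM.encode("ascii")).decode("ascii")


def header_mode_check(header_value: str) -> bool:
    """'header' source: the gateway compares strings only. No private key is ever involved,
    so the check passes for anyone who holds a copy of the (public) certificate."""
    return hmac.compare_digest(header_value.encode("utf-8"), REGISTERED_B64.encode("ascii"))


# A caller that has only the public certificate (no key) produces exactly the registered value.
ATTACKER_HEADER = base64.b64encode(REGISTERED_PEM.encode("ascii")).decode("ascii")

# Two forms a TLS-terminating load balancer might relay instead of base64(PEM):
# the same PEM with CRLF line endings, base64-encoded ...
CRLF_HEADER = base64.b64encode(REGISTERED_PEM.replace("\n", "\r\n").encode("ascii")).decode("ascii")
# ... and a URL-encoded PEM, the form of nginx's $ssl_client_escaped_cert variable (assumed here).
NGINX_ESCAPED_HEADER = quote(REGISTERED_PEM, safe="")

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Extract and decode the base64 body of a PEM certificate, tolerating any line endings."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("not a PEM-encoded certificate")
    return base64.b64decode(re.sub(r"\s+", "", match.group(1)), validate=True)


def normalize_for_gateway(raw_header: str) -> str:
    """Convert what a load balancer emits (URL-encoded PEM, raw PEM with LF or CRLF,
    or base64(PEM)) into the exact base64(PEM) string the gateway compares against.
    Without this step the string comparison fails on a byte-for-byte mismatch."""
    candidate = unquote(raw_header)
    if not candidate.lstrip().startswith("-----BEGIN"):
        candidate = base64.b64decode(raw_header, validate=True).decode("ascii")
    return base64.b64encode(to_pem(pem_to_der(candidate)).encode("ascii")).decode("ascii")
```

Two things follow from running this. First, `header_mode_check(ATTACKER_HEADER)` is true even though nothing here ever touched a private key, which is the point of the Attention note above: in header mode the only thing protecting the API is that callers cannot reach the gateway except through the load balancer that actually performed the TLS handshake. Second, `header_mode_check(CRLF_HEADER)` is false, so the load balancer must relay the certificate in exactly the registered form, or normalize it as `normalize_for_gateway` does.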