Configure Certificate Authentication for Client API Connections

The API connection certificate authentication feature allows clients to connect to a Connect:Direct server by using only an SSL Certificate with the Common Name (CN) specified as a user name.

If the intended client usage does not include submitting processes, then the user name does not have to be a real UNIX system user name and only needs to be defined in the Connect:Direct UNIX user authorization file. If process submission is intended, then the user specified in the CN must be a real UNIX system user. You can configure this feature in the user authorization information file of a Connect:Direct node. The API certificate authentication requires no user password to be presented.

This feature improves password management in large deployments of Connect:Direct®, as it removes the extra administrative steps that result from password usage.

This feature is specific to AIJ-based API connections. When you use the authentication feature, ensure that the version of the AIJ is at least 1.1.00 Fix 000025. API connection certificate authentication is not supported by Windows SDK clients, including the Direct.exe CLI and Connect:Direct Requester.

Configuring API certificate authentication

Client Authentication must be enabled on the Connect:Direct Secure Plus .Client record. Client authentication is not enabled by default in Connect:Direct Secure Plus. During an API connection, a peer certificate is required from Control Center or the AIJ client. The Common Name (CN) field of that certificate must match a Connect:Direct local user record on the Connect:Direct node. You also must use a blank password in order for Connect:Direct to trigger the API certificate authentication process.

Note: Although it is possible for a Connect:Direct Administrator to create a user name for an API program that does not submit processes, identity management is simplified by using a standard identity supported by an internal Certificate Authority. For example, if the API program runs on UNIX and the internal CA issues certificates for UNIX system users, the user name (and certificate Common Name) could be the UNIX system user name under which the API program runs. Or, if the internal CA issues certificates for systems, the user name (and certificate Common Name) could be the DNS name of the API program's host system.

A new functional authorities configuration parameter known as client.cert_auth is added to Connect:Direct for UNIX. The parameter specifies whether a specific user can log in as a client via API certificate authentication, and it must be set to Yes when you configure API certificate authentication.
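The following is an added illustration, not code from Connect:Direct or IBM, of the checks described on this page: a blank password plus a certificate CN that matches a local user record with client.cert_auth=y, and an audit that flags cert-auth users who are allowed to submit processes but are not real UNIX accounts. The colon-delimited user-file layout, the parameter name cmd.submit for process-submission authority, and the sample records and UNIX account list are assumptions constructed for this example.

```python
import re

# Constructed sample records in the colon-delimited style assumed for
# the user authorization file (not copied from the product documentation).
SAMPLE_USERFILE = """\
apiuser:\\
  :client.cert_auth=y:\\
  :cmd.submit=n:
batchuser:\\
  :client.cert_auth=y:\\
  :cmd.submit=y:
svcacct:\\
  :client.cert_auth=y:\\
  :cmd.submit=y:
legacyuser:\\
  :cmd.submit=y:
"""

# Constructed stand-in for the node's real UNIX accounts (e.g. from pwd.getpwall()).
UNIX_USERS = {"batchuser", "legacyuser"}

def parse_userfile(text):
    """Return {user: {param: value}} from 'name:' headers and ':k=v:' lines."""
    users, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().rstrip("\\").strip()   # drop line-continuation backslash
        if not line:
            continue
        if not line.startswith(":"):
            current = line.rstrip(":")            # record header, e.g. "apiuser:"
            users[current] = {}
        else:
            for item in line.strip(":").split(":"):
                if "=" in item and current is not None:
                    k, v = item.split("=", 1)
                    users[current][k.strip()] = v.strip().lower()
    return users

def cn_from_subject(subject):
    """Extract CN from a subject like 'CN=apiuser,OU=api,O=x' or '/O=x/CN=apiuser'."""
    m = re.search(r"(?:^|[,/])\s*CN=([^,/]+)", subject)
    return m.group(1).strip() if m else None

def cert_auth_allowed(subject, password, users):
    """Cert auth is triggered only by a blank password; CN must map to a
    local user record whose client.cert_auth parameter is set to y."""
    cn = cn_from_subject(subject)
    return password == "" and cn is not None and users.get(cn, {}).get("client.cert_auth") == "y"

def audit_userfile(users, unix_users, submit_param="cmd.submit"):
    """Flag cert-auth users who may submit processes but are not real UNIX users
    (submit_param is the assumed name of the process-submission authority)."""
    return sorted(u for u, rec in users.items()
                  if rec.get("client.cert_auth") == "y"
                  and rec.get(submit_param) == "y" and u not in unix_users)
```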