Configuring Certificate based Authentication

About this task

The following sections list, by interface, the tasks that you need to perform to enable certificate-based authentication in your Connect:Direct deployment.

Procedure

  1. Configuring REST Client for certificate-based authentication
    1. Import the Connect:Direct Web Service's self-signed or CA certificate into the REST client's truststore.
    2. Create or import the REST client's identity certificate (self-signed or CA-signed) into the client's keystore.
    3. Add the following header parameter when you form a Web Service JSON request with the REST client:
      CertificateAuthentication=true
  2. Configuring Connect:Direct Web Services for certificate-based authentication
    1. Import the REST client's self-signed or CA certificate into the Connect:Direct Web Service's truststore.
    2. Add the REST client certificate fingerprint to the application.properties file in the following format.

      If the Common Name=myvalidcertificate.com and

      Fingerprint=7F:87:9C:53:4A:EA:89:D6:3F:0D:31:15:12:F4:89:ED:0A:1A:A6:F6:8B:85:3B:72:FF:2F:44:70:00:59:57:7B

      Then the certificate.finger.print value should be:

      certificate.finger.print=myvalidcertificate.com; 7F:87:9C:53:4A:EA:89:D6:3F:0D:31:15:12:F4:89:ED:0A:1A:A6:F6:8B:85:3B:72:FF:2F:44:70:00:59:57:7B
      Note: To obtain the fingerprint value, issue one of the commands below:
      Using OpenSSL
      openssl x509 -noout -fingerprint -sha256 -inform pem -in cert.pem
      (Only SHA-256 is supported)
      Using iKeyMan CLI interface
      keytool -list -keystore <CDWS_Keystore> -storepass <password> -alias <Certificate_alias_name> -v
      Label: myvalidcertificate
      Key Size: 2048
      Version: X509 V3
      Serial Number: 5D 36 B8 9D
      Issued by: CN=myvalidcertificate.com, O=Orgname, L=locationName, ST=StateName, C=CountryName
      Subject: CN=myvalidcertificate.com, O=Orgname, L=locationName, ST=StateName, C=CountryName
      Valid: From: Tuesday, July 23, 2019 1:04:53 PM IST To: Thursday, July 22, 2021 1:04:53 PM IST
      Fingerprint:
          SHA1: AC:59:F7:0F:AC:EB:B0:1F:43:08:BF:D6:57:1E:4A:7B:60:2C:78:58
          SHA256: D5:6B:45:97:F9:E1:84:5E:B9:D4:2B:99:32:4A:69:8E:12:C1:53:82:BD:7B:F0:E7:ED:F6:8B:5A:29:9C:E2:B6
          HPKP: mzJLrZbXK0B9dZ+BmX+vwCVvl2YTPOnei144ubbAZCQ=
    3. Add or import the Connect:Direct Server's self-signed or CA-signed certificate into the Connect:Direct Web Service's truststore. With v6.1, IBM® Connect:Direct® Web Service extends its web console capabilities to support importing and exporting certificates into an existing truststore. To use this feature, log in as an Admin user and click Certificates > Trust Certificate > Import.
  3. Configure the Connect:Direct Server to enable certificate-based authentication. For more information, see Configure Certificate Authentication for Client API Connections.
    Note: Restart Connect:Direct Web Services for changes to take effect.
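The certificate.finger.print format from step 2 above, as an added Python example (not IBM's code): it computes the SHA-256 fingerprint of a PEM certificate the same way openssl does (over the DER bytes), emits the application.properties line, and shows a fingerprint check of the kind the server relies on. The matching rule (presented certificate's SHA-256 fingerprint must equal the configured one, whitespace and case ignored) is an assumption, and the sample PEM is constructed bytes, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

# A PEM certificate is the DER bytes, base64-encoded between these markers.
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def sha256_fingerprint(pem):
    """SHA-256 over the DER encoding, as colon-separated upper-case hex pairs: the form
    `openssl x509 -noout -fingerprint -sha256` prints (only SHA-256 is accepted by CDWS)."""
    m = _PEM_RE.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block found in PEM input")
    der = base64.b64decode("".join(m.group(1).split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))


def property_line(common_name, pem):
    """Render the application.properties entry in the documented '<CN>; <fingerprint>' format."""
    return "certificate.finger.print=" + common_name + "; " + sha256_fingerprint(pem)


def parse_property(value):
    """Split a '<CN>; <fingerprint>' value. Whitespace is dropped from the fingerprint so a
    value that was wrapped across lines in the file still compares equal."""
    cn, _, fp = value.partition(";")
    return cn.strip(), re.sub(r"\s+", "", fp).upper()


def client_cert_allowed(property_value, presented_pem):
    """Assumed matching rule: the presented client certificate's SHA-256 fingerprint must
    equal the configured one; the CN is only a label. Uses a constant-time comparison."""
    _, expected = parse_property(property_value)
    return hmac.compare_digest(expected, sha256_fingerprint(presented_pem))


def _fake_pem(payload):
    # Constructed stand-in: arbitrary bytes in PEM markers, not a real X.509 structure.
    # openssl and sha256_fingerprint() both hash the DER bytes, so the arithmetic is the same.
    body = base64.b64encode(payload).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


SAMPLE_CLIENT_PEM = _fake_pem(bytes(range(64)))      # constructed sample client cert
OTHER_CLIENT_PEM = _fake_pem(bytes(range(1, 65)))    # a different constructed cert

if __name__ == "__main__":
    line = property_line("myvalidcertificate.com", SAMPLE_CLIENT_PEM)
    print(line)
    print(client_cert_allowed(line.split("=", 1)[1], SAMPLE_CLIENT_PEM))
```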

    Example cURL command format

    When using the certificate-based authentication method, invoke cURL in the following format to sign on to the Connect:Direct Server:

    Example 1
    curl -s -i -H 'CertificateAuthentication:true' -H 'X-XSRF-TOKEN:Y2hlY2tpdA==' \
      -H "Content-Type: application/json" -X POST \
      -d '{"ipAddress":"'<CD_Node_IP>'","protocol":"<TLS1.2|TLS1.1|TLS1.0|SSL>","port":'<Port>'}' \
      --cacert /home/user/cdws_cert/ibmcdws.pem --cert ./cert.pem --key key.pem \
      https://<CDWS_HOSTNAME>:<CDWS_Port>/cdwebconsole/svc/signon
    Example 2
    curl -s -i -H 'CertificateAuthentication:true' -H 'X-XSRF-TOKEN:Y2hlY2tpdA==' \
      -H "Content-Type: application/json" -X POST \
      -d '{"ipAddress":"'<CD_Node_IP>'","protocol":"<TLS1.2|TLS1.1|TLS1.0|SSL>","port":'<Port>'}' \
      --cacert /home/user/cdws_cert/ibmcdws.pem \
      --cert ./ssl-client.p12 https://<CDWS_HOSTNAME>:<CDWS_Port>/cdwebconsole/svc/signon