Configuring Certificate-based Authentication
About this task
The following sections list tasks that you need to perform by interface, to enable certificate-based authentication in your Connect:Direct deployment.
Procedure
- Configuring the REST client for certificate-based authentication
  - Import the Connect:Direct Web Service's self-signed or CA certificate into the REST client's Truststore.
  - Create or import the REST client's identity certificate (that is, a self-signed or CA-signed certificate) into the client's Keystore.
  - Add the following header parameter when you form a Web Service JSON request with the REST client:
    CertificateAuthentication=true
- Configuring Connect:Direct Web Services for certificate-based authentication
  - Import the REST client's self-signed or CA certificate into the Connect:Direct Web Service's Truststore.
  - Add the REST client certificate fingerprint to the application.properties file in the following format. If the Common Name is myvalidcertificate.com and the Fingerprint is 7F:87:9C:53:4A:EA:89:D6:3F:0D:31:15:12:F4:89:ED:0A:1A:A6:F6:8B:85:3B:72:FF:2F:44:70:00:59:57:7B, then the certificate.finger.print value should be:
    certificate.finger.print=myvalidcertificate.com; 7F:87:9C:53:4A:EA:89:D6:3F:0D:31:15:12:F4:89:ED:0A:1A:A6:F6:8B:85:3B:72:FF:2F:44:70:00:59:57:7B
    Note: To obtain the fingerprint value, issue one of the commands below. Only SHA-256 is supported.
    Using OpenSSL:
    openssl x509 -noout -fingerprint -sha256 -inform pem -in cert.pem
    Using the iKeyMan CLI interface:
    keytool -list -keystore <CDWS_Keystore> -storepass <password> -alias <Certificate_alias_name> -v
    Label: myvalidcertificate
    Key Size: 2048
    Version: X509 V3
    Serial Number: 5D 36 B8 9D
    Issued by: CN=myvalidcertificate.com, O=Orgname, L=locationName, ST=StateName, C=CountryName
    Subject: CN=myvalidcertificate.com, O=Orgname, L=locationName, ST=StateName, C=CountryName
    Valid: From: Tuesday, July 23, 2019 1:04:53 PM IST To: Thursday, July 22, 2021 1:04:53 PM IST
    Fingerprint:
      SHA1: AC:59:F7:0F:AC:EB:B0:1F:43:08:BF:D6:57:1E:4A:7B:60:2C:78:58
      SHA256: D5:6B:45:97:F9:E1:84:5E:B9:D4:2B:99:32:4A:69:8E:12:C1:53:82:BD:7B:F0:E7:ED:F6:8B:5A:29:9C:E2:B6
      HPKP: mzJLrZbXK0B9dZ+BmX+vwCVvl2YTPOnei144ubbAZCQ=
    Use the SHA256 value from this output; the SHA1 value is not accepted.
  - Add or import the Connect:Direct Server's self-signed or CA-signed certificate into the Connect:Direct Web Service's Truststore. With v6.1, IBM® Connect:Direct® Web Service extends its web console capabilities to support importing and exporting certificates into an existing Truststore. To use this feature, log in as an Admin user and click Certificates > Trust Certificate > Import.
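As an added example (not IBM's code and not part of this page), the following Python script reproduces what the openssl and keytool commands above print: it strips the PEM armour, hashes the DER bytes with SHA-256, and formats the digest as a colon-separated fingerprint. It then builds the certificate.finger.print entry in the "<CN>; <fingerprint>" form shown above, parses such an entry back, and checks a presented client certificate against it, accepting only a SHA-256 value (a SHA-1 fingerprint, such as the one keytool also prints, is rejected). Function names are hypothetical, and the certificate bytes used as input are constructed, not a real X.509 certificate; because the fingerprint is simply SHA-256 over the DER encoding, any byte string exercises the same path.

```python
"""Fingerprint helper for the certificate.finger.print allowlist (added example, not IBM code).

Assumptions (not from the page): helper names below are hypothetical; input bytes in
the usage section are constructed and are not a real certificate.
"""
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
SHA256_FP_RE = re.compile(r"(?:[0-9A-F]{2}:){31}[0-9A-F]{2}")  # 32 bytes -> 95 characters


def pem_to_der(pem_text):
    """Strip the PEM armour and base64-decode the first CERTIFICATE block found."""
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block in PEM input")
    return base64.b64decode("".join(match.group(1).split()))


def der_to_pem(der):
    """Wrap DER bytes in PEM armour (the reverse of pem_to_der; handy for building fixtures)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def sha256_fingerprint(der):
    """Upper-case, colon-separated hex, as 'openssl x509 -fingerprint -sha256' prints it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def is_sha256_fingerprint(value):
    """True only for a full SHA-256 fingerprint; SHA-1 (20 bytes) and other lengths fail."""
    return SHA256_FP_RE.fullmatch(value.strip().upper()) is not None


def properties_entry(common_name, fingerprint):
    """Build the application.properties line in the page's '<CN>; <fingerprint>' format."""
    if not is_sha256_fingerprint(fingerprint):
        raise ValueError("only SHA-256 fingerprints are supported")
    return "certificate.finger.print=" + common_name + "; " + fingerprint.strip().upper()


def parse_properties_entry(line):
    """Split 'certificate.finger.print=<CN>; <fingerprint>' into (CN, fingerprint)."""
    key, _, value = line.partition("=")
    if key.strip() != "certificate.finger.print":
        raise ValueError("unexpected property key: " + key.strip())
    cn, _, fp = value.partition(";")
    fp = fp.strip().upper()
    if not is_sha256_fingerprint(fp):
        raise ValueError("fingerprint is not a colon-separated SHA-256 value")
    return cn.strip(), fp


def client_is_allowed(presented_cn, presented_der, entry):
    """Accept the client only when both the CN and the SHA-256 fingerprint match the entry."""
    cn, fp = parse_properties_entry(entry)
    return presented_cn == cn and sha256_fingerprint(presented_der) == fp


if __name__ == "__main__":
    # Constructed input: not a real certificate, just bytes to hash.
    der = b"constructed bytes standing in for a DER-encoded certificate"
    fp = sha256_fingerprint(pem_to_der(der_to_pem(der)))
    entry = properties_entry("client.example.test", fp)
    print(entry)
    print("allowed:", client_is_allowed("client.example.test", der, entry))
```

Run it against a real certificate by replacing the constructed bytes with `pem_to_der(open("cert.pem").read())`; the printed fingerprint should match the openssl output above byte for byte, and the entry can be pasted into application.properties as-is.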
- Configure Connect:Direct Server to enable certificate-based authentication. For more information, see Configure Certificate Authentication for Client API Connections.
Note: Restart Connect:Direct Web Services for changes to take effect.
Example cURL command format
Invoke cURL commands in the following format, when using the certificate-based authentication method, to sign in to Connect:Direct Server:
Example 1 (client identity as separate PEM certificate and key files):
curl -s -i -H 'CertificateAuthentication:true' -H 'X-XSRF-TOKEN:Y2hlY2tpdA==' -H "Content-Type: application/json" -X POST -d '{"ipAddress":"'<CD_Node_IP>'", "protocol":"<TLS1.2|TLS1.1|TLS1.0|SSL>","port":'<Port>'}' --cacert /home/user/cdws_cert/ibmcdws.pem --cert ./cert.pem --key key.pem https://<CDWS_HOSTNAME>:<CDWS_Port>/cdwebconsole/svc/signon
Example 2 (client identity as a PKCS#12 file):
curl -s -i -H 'CertificateAuthentication:true' -H 'X-XSRF-TOKEN:Y2hlY2tpdA==' -H "Content-Type: application/json" -X POST -d '{"ipAddress":"'<CD_Node_IP>'", "protocol":"<TLS1.2|TLS1.1|TLS1.0|SSL>","port":'<Port>'}' --cacert /home/user/cdws_cert/ibmcdws.pem --cert ./ssl-client.p12 https://<CDWS_HOSTNAME>:<CDWS_Port>/cdwebconsole/svc/signon
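The same sign-on exchange as the cURL commands above, written as a standard-library Python client (an added example, not IBM's code and not part of this page). It builds the JSON body with the ipAddress/protocol/port fields and the three headers the cURL command sends, validates the protocol against the values listed in the placeholder, and opens a mutual-TLS connection that trusts only the CDWS CA (the --cacert file) and presents the client certificate and key (the --cert/--key files). Function names, the TLS 1.2 minimum on the CDWS connection, and the sample host, IP and port values are assumptions, not taken from the page.

```python
"""Certificate-based sign-on client for /cdwebconsole/svc/signon (added example, not IBM code).

Assumptions (not from the page): helper names are hypothetical; the TLS 1.2 floor is a
hardening choice; sample addresses and ports in the usage section are constructed.
"""
import http.client
import json
import ssl

ALLOWED_PROTOCOLS = ("TLS1.2", "TLS1.1", "TLS1.0", "SSL")  # values listed in the page's placeholder
XSRF_TOKEN = "Y2hlY2tpdA=="  # token value used in the page's cURL examples
SIGNON_PATH = "/cdwebconsole/svc/signon"


def signon_headers():
    """Headers the page's cURL command sends: certificate-auth switch, XSRF token, JSON content type."""
    return {
        "CertificateAuthentication": "true",
        "X-XSRF-TOKEN": XSRF_TOKEN,
        "Content-Type": "application/json",
    }


def validate_signon_input(protocol, port):
    """True when protocol is one of the listed values and port is a usable TCP port."""
    try:
        port = int(port)
    except (TypeError, ValueError):
        return False
    return protocol in ALLOWED_PROTOCOLS and 0 < port < 65536


def signon_body(node_ip, protocol, port):
    """JSON body with the same three fields as the cURL -d argument; port is sent as a number."""
    if not validate_signon_input(protocol, port):
        raise ValueError("protocol must be one of %s and port must be 1-65535" % (ALLOWED_PROTOCOLS,))
    return json.dumps({"ipAddress": node_ip, "protocol": protocol, "port": int(port)})


def client_tls_context(cafile, certfile, keyfile=None):
    """Mutual-TLS context: verify CDWS against cafile only, and present the client identity."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumption: refuse older protocol versions to CDWS
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)  # keyfile=None when certfile holds both
    return ctx


def signon(cdws_host, cdws_port, node_ip, protocol, port, ctx):
    """POST the sign-on request; returns (HTTP status, response body as text)."""
    conn = http.client.HTTPSConnection(cdws_host, cdws_port, context=ctx)
    try:
        conn.request("POST", SIGNON_PATH,
                     body=signon_body(node_ip, protocol, port),
                     headers=signon_headers())
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed sample values; replace with your CDWS host, CA file and client identity.
    ctx = client_tls_context("/home/user/cdws_cert/ibmcdws.pem", "./cert.pem", "key.pem")
    status, text = signon("cdws.example.test", 9443, "10.0.0.5", "TLS1.2", 1363, ctx)
    print(status)
    print(text)
```

The body builder refuses values outside the documented protocol list and port range before anything is sent, so a typo in a script fails locally with a clear error rather than as an opaque sign-on rejection.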