Creating and using certificates for automation authentication
About this task
In addition to Session Tokens and Personal Access Tokens, the IBM Copy Services Manager server supports the creation of client certificates for authenticating to the server.
Client certificates provide mutual TLS level authentication that uses X.509 certificates. These certificates provide a higher level of protection when communicating with the server. Client certificates can be created through the IBM Copy Services Manager GUI and given a longer expiration so that automation can use them without requiring a user ID and password.
After you create the Client Certificate, you can use it in any REST call to the server that uses the "X-Client-Certificate" header until it expires or is revoked.
Procedure
- Log in to the IBM Copy Services Manager GUI as the user that automation uses to issue calls to the server. All calls to the server that use the created certificate have the authority of the user who created the certificate.
- In the upper-right corner, hover over the username of the currently logged-in user and, in the pull-down menu that opens, click Manage Authentication.
- Under the Certificate Authentication Management section, click the Manage Certificates button.
- In the Certificate Authentication popup, click the Create Client Certificate button.
- Optionally enter a name for the certificate.
- Enter or select the number of days before the certificate automatically expires. The server administrator configures the maximum number of allowed days, which is displayed below the expiration days pull-down.
- Click the Create Certificate button.
- Click the Download a Certificate button to download the .pem file, which can then be used when you make REST calls to the server. Unlike Personal Access Tokens, the user can redownload the certificate at any time.
- Store the certificate safely. To use it in a REST call to the server, enter the contents of the .pem file in the "X-Client-Certificate" header.
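The following Python sketch is an added example, not IBM code. It shows how automation might enforce the last two steps: it refuses a .pem file that other users can read, refuses any non-HTTPS URL, and places the file contents in the "X-Client-Certificate" header. The URL is a placeholder, the function names are hypothetical, and removing the line breaks from the .pem contents is an assumption, because this page does not state how the server expects them to be represented.

```python
import os
import stat
import tempfile
import urllib.request

HEADER = "X-Client-Certificate"  # header name given on this page


def load_client_cert(pem_path):
    """Read the downloaded .pem, refusing files that other users can access."""
    mode = stat.S_IMODE(os.stat(pem_path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{pem_path} has mode {mode:o}; restrict it to 600")
    with open(pem_path, encoding="ascii") as fh:
        pem = fh.read().strip()
    if not (pem.startswith("-----BEGIN ") and pem.endswith("-----")):
        raise ValueError(f"{pem_path} does not look like a PEM file")
    return pem


def build_request(url, pem_path, method="GET"):
    """Build a REST request that authenticates with the client certificate."""
    # The certificate carries the creating user's authority until it expires
    # or is revoked, so it must never travel over an unencrypted connection.
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to send the certificate over a non-HTTPS URL")
    pem = load_client_cert(pem_path)
    # Assumption: HTTP header values cannot contain line breaks, so they are
    # removed here. Confirm the expected format for your server version.
    value = "".join(pem.splitlines())
    return urllib.request.Request(url, method=method, headers={HEADER: value})


if __name__ == "__main__":
    # Constructed sample, not a real certificate. mkstemp creates the file 0600.
    fd, path = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nQUJD\nREVG\n-----END CERTIFICATE-----\n")
    # Placeholder URL: substitute the REST endpoint of your own server.
    req = build_request("https://csm.example.invalid/placeholder", path)
    print(req.get_method(), req.full_url, sorted(k for k, _ in req.header_items()))
    os.remove(path)
```

Pass the returned request to `urllib.request.urlopen` with an SSL context that trusts the server's certificate; do not disable server certificate verification to make the call succeed.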