Client certificate authentication for FTM
Authentication for the Operations and Administration Console (OAC) and for the RESTful APIs and SOAP Web Services uses a user registry that is configured in WebSphere® Liberty. When it is enabled and configured, client certificate authentication is supported for four Liberty components:
- Operations and Administration Console (OAC)
- Business Rules web services
- Gateway web services
- Common Services web services
For more information about Operations and Administration Console (OAC), see Operations and Administration Console (OAC).
For more information about RESTful APIs and SOAP Web Services, see RESTful APIs and SOAP Web Services.
By default, client certificate authentication uses the basic realm to authenticate users. The default certificate mapping mode is PRINCIPAL_CN, which uses the Common Name (CN) of the certificate principal as the username.
To enable client certificate authentication:
- Import the extra client certificates into the Liberty truststore. For more information about adding trusted certificates in Liberty, see User-supplied certificates for external applications.
- Enable client certificate authentication by creating the web-app-auth-method.xml file with the following XML stanza.

<server>
  <variable name="WEB_APP_AUTH_METHOD" defaultValue="CLIENT_CERT"/>
</server>

- Copy the file to the Liberty configuration dropins folder.
Client certificate authentication is supported with the basic and LDAP user registries. The following sections describe additional configuration that might be needed.
Client certificate authentication with basic user registry
Client certificate authentication defaults to using the basic realm to authenticate users. The basic registry XML file is where the fxhadmin user is defined. However, when a custom configuration such as the client certificate authentication Liberty dropin is detected, the basic-registry.xml file is not added to Liberty. You need to explicitly define the basic registry whenever you customize the server.xml file.
<server>
  <basicRegistry id="basic" realm="BasicRealm">
    <user name="fxhadmin" password="${FXH_PASSWORD}"/>
  </basicRegistry>
  <administrator-role>
    <user>fxhadmin</user>
  </administrator-role>
</server>

Client certificate authentication with LDAP user registry
If you want to use a custom LDAP user registry, you need to define a certificate filter. A certificate filter identifies which elements from the certificate are used to find the user in the LDAP registry. For more information, see LDAP certificate map mode and Configuring LDAP user registries in Liberty in the IBM® WebSphere Liberty documentation.
When a custom configuration such as the client certificate authentication Liberty dropin is detected, the basic-registry.xml file is not added to Liberty. You need to explicitly define the LDAP user registry whenever you customize the server.xml file.
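As an added example that is not part of the IBM documentation, the following Liberty dropin defines an LDAP user registry together with a certificate filter that looks up the directory entry whose uid attribute equals the CN of the presented client certificate. The host, base DN, bind DN, realm, administrator user and filter are placeholder assumptions to be replaced with the values for your directory.

```xml
<server>
  <!-- Added example, not FTM-supplied configuration. All host and DN values are placeholders. -->
  <ldapRegistry id="ldap" realm="LdapRealm"
                ldapType="IBM Tivoli Directory Server"
                host="ldap.example.com" port="636"
                sslEnabled="true" sslRef="defaultSSLConfig"
                baseDN="ou=users,dc=example,dc=com"
                bindDN="cn=ftm-bind,ou=service,dc=example,dc=com"
                bindPassword="${LDAP_BIND_PASSWORD}"
                certificateMapMode="CERTIFICATE_FILTER"
                certificateFilter="uid=${SubjectCN}"/>
  <!-- The administrator must exist in the LDAP registry; fxhadmin is assumed here. -->
  <administrator-role>
    <user>fxhadmin</user>
  </administrator-role>
</server>
```

The certificate filter must resolve to exactly one LDAP entry; a certificate whose CN matches no entry, or more than one, is rejected rather than mapped.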