Authorization by using SSL Client Certificates
Client authentication data for SSL X509 certificates can be propagated into the local environment and used for authorization.
- The IdentitySourceType is set to the user name.
- The IdentitySourceToken is set to the subject name of the client certificate.
- The IdentitySourceIssuedBy is set to the issuer name of the client certificate.
When you use the SOAPInput, HTTPInput, SCAInput, or TCPIPServerInput nodes, properties tree fields contain the information from the client certificate. Propagation is not automatically enabled but when it is enabled, a certificate is processed throughout the message flow and propagated for output or request nodes. By populating the local environment, the certificate data becomes available to the rest of the message flow.
A higher level of authentication (such as Basic-Auth or WS-Security)
can overwrite the properties tree. Because of missing properties tree
data, you are unable to authorize the client at the input node. However,
you can use a SecurityPEP node
to locate authentication (or other certificate) fields in the local
environment to do the authorization. You can locate client certificates
by using the local variable
where input_node_name is one of
- Use a SecurityPEP node
for authorization of the subject field in a client
certificate that is received by a SOAPInput node. Specify the
following XPath in the identity token location property
on a SecurityPEP node:
For more information about the SecurityPEP node, see SecurityPEP node.
- Use a JavaCompute node
to retrieve the issuer field in a client certificate
that is received by an HTTPInput node.
For more information about the JavaCompute node, see JavaCompute node.
String clientCertSubject = localEnv.getFirstElementByPath("HTTP/Input/TransportSecurity/ClientAuth/Certificate/Issuer").getValueAsString();
- Use a Compute node
to set the subject field of a certificate that
is received by a TCPIPServerInput node.
For more information about the Compute node, see Compute node.
SET LocalEnvironment.TCPIP.Input.TransportSecurity.ClientAuth.Certificate.Subject = 'BROKERUSER';