Authorization by using SSL Client Certificates

Client authentication data for SSL X509 certificates can be propagated into the local environment and used for authorization.

When you implement a message flow to use SSL authentication, you can check authenticated client certificates for authorization. When a security profile is configured for authorization and set on the input node, the data is passed to a security manager. An integration node security manager receives relevant parts of the certificate for authorization and sends it to the properties parser. During authentication, data from the identity or security token that is provided replaces the values in the properties tree identity fields. This data can be from a Basic-Auth transport header or a WS-Security token, for example. Parameter data in the certificate replaces fields in the properties tree. The following fields are reset with new data:
  • The IdentitySourceType is set to the user name.
  • The IdentitySourceToken is set to the subject name of the client certificate.
  • The IdentitySourceIssuedBy is set to the issuer name of the client certificate.

When you use the SOAPInput, HTTPInput, SCAInput, or TCPIPServerInput nodes, properties tree fields contain the information from the client certificate. Propagation is not automatically enabled but when it is enabled, a certificate is processed throughout the message flow and propagated for output or request nodes. By populating the local environment, the certificate data becomes available to the rest of the message flow.

A higher level of authentication (such as Basic-Auth or WS-Security) can overwrite the properties tree. Because of missing properties tree data, you are unable to authorize the client at the input node. However, you can use a SecurityPEP node to locate authentication (or other certificate) fields in the local environment to do the authorization. You can locate client certificates by using the local variable LocalEnvironment.input_node_name.Input.TransportSecurity.ClientAuth.Certificate, where input_node_name is one of SOAP, HTTP, SCA, or TCPIP.

Different nodes access the client certificate in different ways:
  • Use a SecurityPEP node for authorization of the subject field in a client certificate that is received by a SOAPInput node. Specify the following XPath in the identity token location property on a SecurityPEP node:
    $LocalEnvironment/SOAP/Input/TransportSecurity/ClientAuth/Certificate/Subject 
    For more information about the SecurityPEP node, see SecurityPEP node.
  • Use a JavaCompute node to retrieve the issuer field in a client certificate that is received by an HTTPInput node.
    String clientCertSubject = localEnv.getFirstElementByPath("HTTP/Input/TransportSecurity/ClientAuth/Certificate/Issuer").getValueAsString(); 
    For more information about the JavaCompute node, see JavaCompute node.
  • Use a Compute node to set the subject field of a certificate that is received by a TCPIPServerInput node.
    SET LocalEnvironment.TCPIP.Input.TransportSecurity.ClientAuth.Certificate.Subject = 'BROKERUSER'; 
    For more information about the Compute node, see Compute node.