Executing Services using Two-way SSL

Summary

Two-way SSL authentication, also referred to as client authentication, mutual authentication, or certificate-based authentication, is a process in which two parties authenticate each other by verifying the digital certificate that each one provides, so that both parties are assured of the other's identity.

Two-way SSL authentication involves the following steps:

  1. Client (Postman, SoapUI) requests access to protected resources of server (IBM® webMethods Cloud Container).

  2. Server presents its certificate to the client.

  3. Client validates the server's certificate.

  4. Client sends its certificate to the server.

  5. Server verifies the client's certificate.

  6. If successful, the server grants access to the protected resources requested by the client.

In this tutorial, we create a solution in IBM webMethods Cloud Container, expose its services over HTTP so that they can be executed from an outside environment, and then execute the services with two-way SSL authentication from a REST client (Postman). You can use the same technique for SOAP APIs, REST APIs, or any other exposed APIs.

Actors

  • Integration developers who develop and expose the integrations over HTTPS in webMethods Cloud Container.
  • Integration executors who run integrations.

Before You Begin

  • You must have the permissions to create solutions and execute services in IBM webMethods Cloud Container under Settings > Access Profiles > Administrative Permissions > Functional Controls > Solutions.

  • Ensure that you deploy services from on premises using Designer.

Basic Flow

  1. Log in to IBM webMethods Cloud Container.

  2. Create a Solution.

  3. Click Settings > Client Certificate > Manage Certificate.

  4. Select the User. You can either upload a CA-signed certificate for the user, if one is available, or generate and assign a certificate to the user. Click Browse to upload the user's own certificate, or click Generate Private Key and Certificate to generate and download the private key and certificate for the user. For Tenant level, basic authentication is mandatory for two-way SSL API execution calls.

    After downloading the file, copy the private key to a file named {privateKeyFileName}.key and the certificate to a file named {publicKeyFileName}.crt.

  5. Open a REST client, click Settings > Certificates, and then click Add Certificate.

  6. The Add Certificate page appears. Configure the certificate and private key.

  7. Specify the host name, and set the port number to 8443. Specify the location of the key files, that is, the CRT file (certificate) and the KEY file (private key). Click Add to save the two-way SSL configuration.

  8. Open a new tab and add the request details you have obtained from webMethods Cloud Container.

  9. To run the services, configure a POST request, change the port in your service URL to 8443, and click Send. The URL has the form https://mydomain.container.webmethodscloud.com:8443/<Your service URL>.
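The same flow can be run from a script instead of Postman. The following is an added example, not part of the original tutorial or of any IBM tooling: it separates the downloaded material into the .key and .crt files from step 4 and then sends the POST request on port 8443 with the client certificate. It assumes the downloaded file contains PEM blocks and a JSON payload; the function names and sample data are hypothetical.

```python
import http.client
import os
import re
import ssl

# Constructed stand-in for the downloaded file; the base64 bodies are placeholders.
SAMPLE = ("-----BEGIN PRIVATE KEY-----\nQUJD\n-----END PRIVATE KEY-----\n"
          "-----BEGIN CERTIFICATE-----\nREVG\n-----END CERTIFICATE-----\n")
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?\r?\n-----END \1-----", re.S)


def split_bundle(text):
    """Return (private_key_pem, certificates_pem) found in the downloaded text."""
    keys, certs = [], []
    for match in PEM_BLOCK.finditer(text):
        label, block = match.group(1), match.group(0) + "\n"
        if label == "CERTIFICATE":
            certs.append(block)
        elif label.endswith("PRIVATE KEY"):
            keys.append(block)
    if len(keys) != 1 or not certs:
        raise ValueError("need exactly one private key and at least one certificate")
    return keys[0], "".join(certs)


def write_files(text, key_path, crt_path):
    """Write the .key file (owner-only, mode 0600) and the .crt file from step 4."""
    key, certs = split_bundle(text)
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(key)
    with open(crt_path, "w") as handle:
        handle.write(certs)


def post_with_client_cert(host, path, body, key_path, crt_path, basic_auth=None):
    """POST to port 8443 while presenting the client certificate (steps 5 to 9)."""
    ctx = ssl.create_default_context()  # keeps server certificate validation on
    # load_cert_chain raises ssl.SSLError when the key does not match the certificate.
    ctx.load_cert_chain(certfile=crt_path, keyfile=key_path)
    headers = {"Content-Type": "application/json"}  # assumed payload type
    if basic_auth:  # base64 of "user:password", for tenant-level certificates
        headers["Authorization"] = "Basic " + basic_auth
    conn = http.client.HTTPSConnection(host, 8443, context=ctx, timeout=30)
    try:
        conn.request("POST", path, body=body, headers=headers)
        response = conn.getresponse()
        return response.status, response.read()
    finally:
        conn.close()
```

Because `load_cert_chain` fails before any request is sent when the key and certificate do not belong together, a mismatched pair on the client side is caught locally rather than surfacing as a failed request.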

Exceptions

The following errors may occur in the REST client when the certificate specified in IBM webMethods Cloud Container does not match the certificate sent from the REST client.

  • The server could not send a response.
  • Self-signed SSL certificates are blocked.