Adding client certificates

IBM® webMethods Integration lets you store client certificates and associate each certificate with a user account. You can add client certificates for users on the Client Certificate page. When a user runs a Flow service through the HTTP interface, a REST API, or a SOAP API, the user is authenticated with the certificate.

A tenant certificate is an organization-level certificate that you configure so that incoming traffic for execution can be authenticated against it. If a tenant certificate is configured along with a user certificate, the user certificate validation takes precedence. Only administrators can generate tenant-level certificates. With the tenant certificate, you can run integrations for all users in that tenant.

Note: An administrator can generate or replace certificates for all users. Normal users can generate only their own certificates.

  1. From the IBM webMethods Integration navigation bar, click the profile icon in the top-right corner of the IBM webMethods Integration home screen and select Settings > Client Certificate > User Certificate.

  2. In the Select User field, select a user. Only active users are listed in the Select User field.

  3. In the Select Certificate field, to upload a new certificate, select Upload New Certificate and click Browse File to upload a new client certificate signed by a trusted certificate authority (CA). If a valid certificate is already configured for a user, the Certificate Details panel displays it. You can click Download to download the user certificate or click Delete to delete it. The downloaded file is named username.crt.

    In the Select Certificate field, you can also select Generate Private Key and Certificate and click Generate if you want IBM webMethods Integration to generate a private key and a new client certificate signed by IBM webMethods Integration. IBM webMethods Integration validates it against the issuer of the certificate. The generated file is named username.fileformat, where the file format is the certificate format (.txt, .jks, .pkcs12, or .pfx) selected while generating the certificate. The file contains both the private key and the client certificate.

Note:
  • The default password for the generated certificate is changeit. Changing the password is recommended.

  • Using the generated client certificate for any purpose other than the intended one is not recommended.
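
One way to act on the password note above, as an added example that is not IBM code: it checks whether a generated .pkcs12 or .pfx file still opens with changeit and re-encrypts it under a new password. It assumes the openssl command-line tool is installed; the function names, the P12_NEW_PASS variable and the file names are hypothetical.

```bash
# Added example, not IBM code. Paths and P12_NEW_PASS are assumptions.
DEFAULT_PASS="changeit"   # default password stated on this page

# Return 0 if the PKCS#12 file still opens with the default password.
has_default_password() {
    openssl pkcs12 -in "$1" -passin "pass:$DEFAULT_PASS" -noout >/dev/null 2>&1
}

# rotate_p12_password IN OUT
# Re-encrypts IN under $P12_NEW_PASS and writes OUT. The new password is taken
# from the environment so it never appears on a command line.
rotate_p12_password() (
    in="$1"; out="$2"
    [ -n "${P12_NEW_PASS:-}" ] || { echo "set P12_NEW_PASS first" >&2; exit 2; }
    [ "$P12_NEW_PASS" != "$DEFAULT_PASS" ] || { echo "new password is the default" >&2; exit 2; }
    has_default_password "$in" || { echo "$in does not open with the default" >&2; exit 3; }
    export P12_NEW_PASS
    umask 077                      # temp files and OUT readable by owner only
    tmp=$(mktemp -d) || exit 1
    # Step 1 unpacks to PEM with the key encrypted under the new password;
    # step 2 repacks that PEM as PKCS#12 under the new password.
    if openssl pkcs12 -in "$in" -passin "pass:$DEFAULT_PASS" \
            -passout env:P12_NEW_PASS -out "$tmp/bundle.pem" 2>/dev/null &&
       openssl pkcs12 -export -in "$tmp/bundle.pem" -passin env:P12_NEW_PASS \
            -passout env:P12_NEW_PASS -out "$out" 2>/dev/null
    then rc=0; else rc=4; fi
    rm -rf "$tmp"
    [ "$rc" -eq 0 ] || { rm -f "$out"; exit "$rc"; }
    # Verify: OUT must open with the new password and not with the default.
    openssl pkcs12 -in "$out" -passin env:P12_NEW_PASS -noout >/dev/null 2>&1 || exit 5
    ! has_default_password "$out"
)

# Usage (hypothetical file names following the username.fileformat pattern):
#   read -r -s P12_NEW_PASS && rotate_p12_password alice.pkcs12 alice-rotated.pkcs12
```

For a .jks file, the JDK's keytool (-storepasswd and -keypasswd) is the equivalent tool; the .txt format is not handled here.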