Overview

Secure Sockets Layer (SSL) is a means of securing communications over a network so that only the sender and receiver have access to the sensitive data.

One-way SSL Connection

In a one-way SSL connection, an anonymous client authenticates the credentials of a server in preparation for setting up a secure transaction, that is, the client only verifies the certificate of the server. In most cases, the server knows nothing about the client's identity because verification of its credentials is not required. When desired, the client can be authenticated using basic authentication by providing a username and password. This type of authentication typifies connections where a browser establishes a connection to a server to perform a secure transaction, for example, viewing a savings account or buying items with a credit card. The client must authenticate the server's credentials before initiating the transaction, but it is not necessary for the server to authenticate and keep a record of every possible client (browser). This type of connection is typically one where a partner application or resource needs to verify the authenticity of the server without itself needing to be authenticated.

Two-Way SSL Connection

Two-Way SSL authentication, or client authentication, refers to two parties authenticating each other by verifying the digital certificate each provides, so that both parties are assured of the other's identity. It refers to a client (web browser or client application) authenticating itself to a server and the server also authenticating itself to the client, each by verifying the public key certificate or digital certificate issued by Certificate Authorities (CAs).

IBM® webMethods Integration supports Two-Way SSL for inbound connections. The request for an SSL connection originates from a client. During the SSL handshake process, the entity acting as the SSL server responds to the request for a connection by presenting its SSL credentials (an X.509 certificate) to the requesting client. If those credentials are authenticated by the client, then either:

  • An SSL connection is established and information is exchanged between the client and the server.

    or

  • The next phase of the authentication process occurs, and the server requests the SSL credentials of the client. If the server verifies those credentials, that is, the client's identity, an SSL connection is established and information exchange takes place.

Note: When a client or partner application submits a request to IBM webMethods Integration using HTTPS on port 8443, and a Two-Way SSL connection is established, the client acts as the SSL client and IBM webMethods Integration acts as the SSL server.

High-level tasks for configuring SSL

The following table provides the high-level tasks for configuring SSL.

Task: Create keys and certificates.
  Activities:
    • Generate a public key/private key pair.
    • Generate a certificate signing request (CSR) and send it to the certificate authority (CA) for signing.
    • Receive the CA-signed client certificate from the CA.
  Notes: A Two-Way SSL connection requires a valid client certificate.

Task: Upload a client certificate or generate a certificate.
  Activities: Upload the CA-signed client certificate for the user in IBM webMethods Integration (Profile icon > Settings > Client Certificate > User Certificate page), or generate a private key and a new IBM webMethods Integration signed client certificate.
  Notes: Required for Two-Way SSL connections.

Task: Connect to IBM webMethods Integration using the client certificate.
  Activities: Configure the REST client with the private key and certificate. Optionally, you can also pass the basic authentication credentials.
  Notes: IBM webMethods Integration supports Two-Way SSL on port 8443.
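The three tasks above, carried out from the client side with openssl and curl, as an added example that is not part of the IBM documentation. The hostname, endpoint, subject fields and environment variable names are placeholders; the CA signing step itself happens at the CA and is only referenced.

```bash
#!/bin/sh
# Added example, not IBM's own tooling: key pair + CSR, a key/cert consistency
# check, and a Two-Way SSL call to port 8443 with optional basic auth.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/client.key"
CSR="$WORKDIR/client.csr"
CERT="$WORKDIR/client.crt"   # the CA-signed certificate returned for the CSR

# Task 1: generate the private key and the CSR that is sent to the CA.
# Subject values are constructed samples.
gen_key_and_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out "$KEY" 2>/dev/null
  chmod 600 "$KEY"             # the private key never leaves this host
  openssl req -new -key "$KEY" -out "$CSR" \
    -subj "/CN=integration-client.example.com/O=Example Org" 2>/dev/null
}

# Check before sending: the CSR's self-signature verifies with its own key.
csr_is_valid() {
  openssl req -in "$CSR" -noout -verify >/dev/null 2>&1
}

# Returns 0 only if the certificate (CA-signed, or a stand-in) carries the
# public key belonging to our private key; catches uploading the wrong file.
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$KEY" -pubout)" ]
}

# Task 3: call IBM webMethods Integration on port 8443 presenting the client
# certificate and key; WMI_USER/WMI_PASS (placeholders) add basic auth.
connect_two_way_ssl() {
  host="$1"; endpoint="$2"
  curl --fail --silent --show-error \
    --cert "$CERT" --key "$KEY" \
    ${WMI_USER:+-u "$WMI_USER:${WMI_PASS:-}"} \
    "https://$host:8443/$endpoint"
}

gen_key_and_csr
csr_is_valid && echo "CSR ready to send to the CA: $CSR"
# Task 2 is done out of band: upload the returned $CERT on the User Certificate page.
if [ -n "${WMI_HOST:-}" ]; then
  connect_two_way_ssl "$WMI_HOST" "${WMI_ENDPOINT:-}"
fi
```

Set WMI_HOST (and optionally WMI_USER/WMI_PASS) to exercise the connection step; without it the script only produces the key and CSR.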

Two-Way SSL Security modes

IBM webMethods Integration allows you to set the following Two-Way SSL security modes while configuring an SSL connection:

Default

Allow one-way and Two-Way SSL API execution calls. Use either credentials or certificate. In the default mode, API execution with or without Two-Way SSL is allowed. With Two-Way SSL, if you provide both credentials and certificate, the credentials are validated against the user, and the certificate is verified but not validated against the user or tenant certificate. If you provide only the certificate, the certificate is verified and validated against the user certificate.

Force

Allow one-way and Two-Way SSL API execution calls. Certificate is mandatory. In the force mode, API execution with or without Two-Way SSL is allowed. With Two-Way SSL, if you provide both credentials and certificate, the credentials are validated against the user, and the certificate is also verified against the user or tenant certificate. If you provide only the certificate, the certificate is verified and validated against the user certificate.

Exclusive

Allow only Two-Way SSL API execution calls. Certificate is mandatory. In the exclusive mode, API execution with only Two-Way SSL is allowed. With Two-Way SSL, if you provide both credentials and certificate, the credentials are validated against the user and the certificate is also verified against the user or tenant certificate. If you provide only the certificate, the certificate is verified and validated against the user certificate.