Certificate Authentication for Client API Connections

The API connection certificate authentication feature allows clients to connect to a Connect:Direct server by using only an SSL certificate and an unreal user ID. You configure this feature in the functional authorities of a Connect:Direct node. Because the user ID is unreal, API certificate authentication requires no user password.

This feature improves password management in large deployments of Connect:Direct®, as it removes the extra administrative steps that result from password usage.
Note: This feature applies only to API connections, and those connections must be AIJ-based. When you use the authentication feature, ensure that the AIJ version is at least 1.1.00 Fix 000025; this version of the AIJ contains the updates that allow blank passwords to be used. The same AIJ version requirement applies if you use the authentication feature in IBM® Control Center. API connection certificate authentication is not supported for the Direct.exe CLI, IBM Connect:Direct Requester, or the Connect:Direct native C/C++/C# (non-Java) APIs.

Configuring API certificate authentication

Client authentication must be enabled on the Connect:Direct Secure Plus .Client record; it is not enabled by default in Connect:Direct Secure Plus. During an API connection, a peer certificate is required from IBM Control Center or the AIJ client, and the common name (CN) field of that SSL certificate must match a functional authorities user record in the Connect:Direct node. The client must also supply a blank password; a blank password is what triggers the API certificate authentication process in IBM Connect:Direct.

A new functional authorities configuration parameter has been added to Connect:Direct for Microsoft Windows. The parameter specifies whether a specific user is permitted to log in as a client via API certificate authentication; set it to Yes for each user that you configure for API certificate authentication.
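The two sections above describe a chain of conditions that must all hold before a certificate-only login succeeds: client authentication enabled on the .Client record, a peer certificate presented, a blank password, a CN that matches a functional authorities user record, and that record's API certificate authentication parameter set to Yes. The following Python model, added here as an illustration and not Connect:Direct code, walks through that chain and reports which condition stops the login. The record layout, the `api_cert_auth` field name, the subject DNs and the user IDs are all constructed for the example; how the product stores these settings internally is not described on this page.

```python
"""Illustrative model of the API certificate authentication decision.

This is an added example, not Connect:Direct code. The user record
layout, field names, DN strings and user IDs below are constructed for
the demonstration; they show which configuration condition blocks a
certificate-only login, which is useful when troubleshooting a refused
connection.
"""

import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class UserRecord:
    """Constructed stand-in for a functional authorities user record."""

    user_id: str
    api_cert_auth: bool  # models the Yes/No parameter described in the text


# Constructed sample records: one user permitted to use certificate
# authentication, one that exists but has the parameter left at No.
SAMPLE_USER_RECORDS: Dict[str, UserRecord] = {
    "apiuser1": UserRecord("apiuser1", api_cert_auth=True),
    "ops_reader": UserRecord("ops_reader", api_cert_auth=False),
}


def parse_dn(dn: str) -> Dict[str, str]:
    """Split an RFC 4514 style subject DN into attribute type -> value.

    Commas inside a value may be escaped as '\\,', so the split happens
    only on commas that are not preceded by a backslash. Attribute types
    are case-insensitive and are normalised to upper case.
    """
    attrs: Dict[str, str] = {}
    for part in re.split(r"(?<!\\),", dn):
        key, _, value = part.strip().partition("=")
        attrs[key.strip().upper()] = value.strip().replace("\\,", ",")
    return attrs


def api_certificate_auth_decision(
    client_auth_enabled: bool,
    peer_subject_dn: Optional[str],
    password: str,
    user_records: Dict[str, UserRecord],
) -> Tuple[bool, str]:
    """Return (granted, reason) for a certificate-only API login attempt.

    A False result means certificate authentication did not grant access;
    the reason string names the first condition from the text that failed.
    """
    # Secure Plus must demand a client certificate on the .Client record.
    if not client_auth_enabled:
        return False, "client authentication is not enabled on the .Client record"
    # Only a blank password triggers the certificate authentication path;
    # a non-blank password means ordinary password authentication applies.
    if password != "":
        return False, "non-blank password supplied: certificate authentication not triggered"
    # Client authentication means a peer certificate must have been presented.
    if peer_subject_dn is None:
        return False, "no peer certificate was presented"
    cn = parse_dn(peer_subject_dn).get("CN")
    if not cn:
        return False, "peer certificate subject has no CN field"
    # The CN must match a functional authorities user record on the node.
    record = user_records.get(cn)
    if record is None:
        return False, f"no functional authorities user record matches CN {cn!r}"
    # That record must explicitly permit API certificate authentication.
    if not record.api_cert_auth:
        return False, f"user {cn!r} is not permitted to log in via API certificate authentication"
    return True, f"authenticated as {cn!r} by certificate"


if __name__ == "__main__":
    # Constructed attempts, one per condition in the text.
    attempts = [
        (True, "CN=apiuser1,OU=File Transfer,O=Example Corp", ""),
        (False, "CN=apiuser1,OU=File Transfer,O=Example Corp", ""),
        (True, "CN=apiuser1,OU=File Transfer,O=Example Corp", "secret"),
        (True, None, ""),
        (True, "CN=nobody,OU=File Transfer,O=Example Corp", ""),
        (True, "CN=ops_reader,OU=File Transfer,O=Example Corp", ""),
    ]
    for enabled, dn, pw in attempts:
        granted, reason = api_certificate_auth_decision(enabled, dn, pw, SAMPLE_USER_RECORDS)
        print(f"{'GRANT' if granted else 'DENY ':5} {reason}")
```

The model treats a non-blank password as "certificate authentication not triggered" rather than as an outright failure, matching the text: the blank password is the signal that selects the certificate path, and a supplied password falls back to normal password handling, which this example does not model.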