Evaluate Client Certificate for SSL Connectivity
If you have a native API that requires to authenticate a client to the Integration Server using the Secure Sockets Layer (SSL) client authentication, you can use the Evaluate Client Certificate action to extract the client's identity certificate, and verify the client's identity (certificate-based authentication).
This form of authentication does not occur at the message layer using a user ID and password or tokens. This authentication occurs during the connection handshake using SSL certificates.
This action extracts the client identity certificate supplied by the client to the Mediator during the SSL handshake over the Transport layer. For example, when you have configured this action for a proxy API, the PEP extracts the certificate from the Transport layer. In order to identify clients by transport-level certificates, the run-time communication between the client and the Mediator must be over HTTPS and the client must pass a valid certificate.
To use this action, the following prerequisites must be met:
In
Integration Server, create a keystore and truststore, as described in
webMethods Integration Server Administrator’s Guide.
In
Integration Server, create an HTTPS port as described in the
webMethods Integration Server Administrator’s Guide.
Configure
Mediator by setting the HTTPS Ports Configuration parameter, as described in
Administering webMethods Mediator.
Mediator rejects requests that do not include a client certificate during the SSL handshake over the Transport layer.
If Mediator cannot identify the client, Mediator fails the request and generates a Policy Violation event.
Input Parameters
Identify Consumer | (String). The list of consumers against which the client certificate should be validated for identifying requests from a particular client. |
Value | Description |
Registered Consumers | Mediator tries to verify the client identify certificate against the list of consumer applications who are registered as consumers for the specified API. |
Global Consumers | (Default). Mediator tries to verify the client identify certificate against a list of all global consumers available in the Mediator. |