Requiring or Requesting Client Certificates
Integration Server provides the option of configuring the gRPC server to request or require client certificates. It might be useful to not require client certificates in a development environment. The value of the watt.server.grpc.clientCertRequired server configuration parameter determines whether client certificates are required or merely requested.
Note:
It is more secure to require client certificates. Set watt.server.grpc.clientCertRequired to true to require certificates from gRPC clients.
How the gRPC server authenticates a client is determined by the watt.server.grpc.clientCertRequired value and the information provided by the client.
If watt.server.grpc.clientCertRequired is set to true, the gRPC server in Integration Server is configured to require certificates, and the client request must include a certificate. The gRPC server checks whether the certificate exactly matches a client certificate on file and is signed by a trusted authority.
If the gRPC server determines the certificate is valid and signed by a trusted authority, then Integration Server attempts to match the certificate to one mapped to an existing Integration Server user. If a match is found, the client is logged in as the user to which the certificate is mapped. Integration Server invokes the gRPC method flow service that corresponds to the requested gRPC method with the user credentials associated with the mapped certificate.
If the client provides a valid certificate but there is no user mapped to the certificate and central user management is configured, Integration Server checks whether the certificate is mapped to a user in the central user database. If a match is found in the central user database, Integration Server logs the client on as that user.
If there is no user mapped to the certificate on Integration Server or in the central user database, the client request fails.
If the gRPC server determines the certificate is invalid, the client request is denied.
If watt.server.grpc.clientCertRequired is set to false, the gRPC server is configured to request certificates. If the client provides a certificate, authentication proceeds as described for when certificates are required. If the client does not provide a certificate, Integration Server checks the metadata in the request message for the custom headers AuthUser and AuthPass. A gRPC client can add these custom metadata headers to provide the username and password, respectively, for an Integration Server user.
If AuthUser and AuthPass are provided, Integration Server authenticates the user as it normally would. Then, if access is granted, Integration Server invokes the gRPC method flow service that corresponds to the gRPC method called by the client.
If the gRPC client does not supply AuthUser and AuthPass, Integration Server logs the client in as the default user, which grants the client access to anonymous services only.
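The decision order described above, modelled as an added Python example that is not Integration Server code: the certificate path is evaluated first in both modes, and only the requested-only mode (clientCertRequired=false) falls through to the AuthUser/AuthPass metadata and then to the default user. The password check, the name "Default" for the default user, and denial on a failed password check are assumptions, not taken from this page.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

@dataclass
class Request:
    cert: Optional[str] = None            # identifier of the presented client certificate, or None
    cert_valid: bool = False              # outcome of the gRPC server's trust/signature check
    metadata: Dict[str, str] = field(default_factory=dict)  # gRPC request metadata

@dataclass
class ServerConfig:
    client_cert_required: bool            # watt.server.grpc.clientCertRequired
    cert_to_user: Dict[str, str]          # certificates mapped to Integration Server users
    central_user_management: bool
    central_cert_to_user: Dict[str, str]  # mappings held in the central user database
    password_check: Callable[[str, str], bool]  # hypothetical stand-in for normal IS authentication

def authenticate(cfg: ServerConfig, req: Request) -> Tuple[str, str]:
    """Return ("ok", user) or ("denied", reason) following the documented decision order."""
    if req.cert is not None:
        # A presented certificate is evaluated the same way in both modes.
        if not req.cert_valid:
            return ("denied", "certificate invalid or not signed by a trusted authority")
        user = cfg.cert_to_user.get(req.cert)
        if user is None and cfg.central_user_management:
            user = cfg.central_cert_to_user.get(req.cert)
        if user is None:
            return ("denied", "no user mapped to certificate")
        return ("ok", user)
    if cfg.client_cert_required:
        return ("denied", "client certificate required")
    # Requested-only mode with no certificate: fall back to AuthUser/AuthPass metadata.
    user, pw = req.metadata.get("AuthUser"), req.metadata.get("AuthPass")
    if user is not None and pw is not None:
        if cfg.password_check(user, pw):  # assumption: a failed check denies the request
            return ("ok", user)
        return ("denied", "bad credentials")
    return ("ok", "Default")  # assumed name of the default user; anonymous services only

def demo_config(client_cert_required: bool) -> ServerConfig:
    """Constructed sample configuration: one local mapping, one central mapping, one password."""
    return ServerConfig(
        client_cert_required=client_cert_required,
        cert_to_user={"cert-alice": "alice"},
        central_user_management=True,
        central_cert_to_user={"cert-bob": "bob"},
        password_check=lambda u, p: (u, p) == ("carol", "s3cret"),
    )
```

Running the same no-certificate request against both settings of the parameter shows the practical difference: with true it is denied outright, with false it is served as the default user.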