Evaluate WSS X.509 Certificate
If you have a native API that requires to authenticate a client to the Integration Server using the WS-Security authentication, you can use the Evaluate WSS X.509 Certificate action to extract the client identity certificate from the WS-Security SOAP message header, and verify the client's identity.
This action extracts the certificate supplied in the header of an incoming SOAP request and locates the client defined by the information in that certificate. For example, when you have configured this action for an API, the PEP extracts the certificate from the SOAP header at run time and searches its list of consumers for the client that is defined by the certificate.
To use this action, the following prerequisites must be met:
In
Integration Server, create a keystore and truststore, as described in the
webMethods Integration Server Administrator’s Guide.
In
Integration Server, create an HTTPS port, as described in the
webMethods Integration Server Administrator’s Guide.
Configure
Mediator by setting the HTTPS Ports Configuration parameter, as described in
Administering webMethods Mediator.
Mediator rejects requests that do not include the X.509 token of an Integration Server user.
In the case where a client sends a request with transport credentials (HTTP Basic Authentication) and message credentials (WSS Username Token or WSS X.509 Certificate), the message credentials take precedence over the transport credentials when Integration Server determines which credentials it should use for the session.
If Mediator cannot identify the client, Mediator fails the request and generates a Policy Violation event.
Input Parameters
Identify Consumer | (String). The list of consumers against which the X.509 certificate should be validated for identifying requests from a particular client. |
Value | Description |
Registered Consumers | Mediator tries to verify the client's X.509 certificate against the list of consumer applications who are registered as consumers for the specified API. |
Global Consumers | (Default). Mediator tries to verify the client's X.509 certificate against a list of all global consumers available in the Mediator. |
Do Not Identify | Mediator forwards the request to the native API, without attempting to verify client's certificate in incoming request. |