Evaluate WSS X.509 Certificate
If you have a native API that requires clients to authenticate to Integration Server using WS-Security authentication, you can use the Evaluate WSS X.509 Certificate action to extract the client identity certificate from the WS-Security SOAP message header and verify the client's identity.
This action extracts the certificate supplied in the header of an incoming SOAP request and locates the client defined by the information in that certificate. For example, when you have configured this action for an API, the PEP extracts the certificate from the SOAP header at run time and searches its list of consumers for the client that is defined by the certificate.
To use this action, the following prerequisites must be met:
* In Integration Server, create a keystore and truststore, as described in the webMethods Integration Server Administrator’s Guide.
* In Integration Server, create an HTTPS port, as described in the webMethods Integration Server Administrator’s Guide.
* Configure Mediator by setting the HTTPS Ports Configuration parameter, as described in Administering webMethods Mediator.
Mediator rejects requests that do not include the X.509 token of an Integration Server user.
In the case where a client sends a request with transport credentials (HTTP Basic Authentication) and message credentials (WSS Username Token or WSS X.509 Certificate), the message credentials take precedence over the transport credentials when Integration Server determines which credentials it should use for the session. For more information, see Evaluate WSS Username Token and Evaluate HTTP Basic Authentication.
If Mediator cannot identify the client, Mediator fails the request and generates a Policy Violation event.
Input Parameters
Identify Consumer
String. The list of consumers against which the X.509 certificate should be validated for identifying requests from a particular client.
| Value | Description |
| --- | --- |
| Registered Consumers | Mediator will try to verify the client's X.509 certificate against the list of consumer applications that are registered as consumers for the specified API. |
| Global Consumers | Default. Mediator will try to verify the client's X.509 certificate against a list of all global consumers available in Mediator. |
| Do Not Identify | Mediator forwards the request to the native API without attempting to verify the client's certificate in the incoming request. |
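The extraction and consumer lookup described above, as an added Python sketch that is not CentraSite or Mediator code. It assumes SOAP 1.1, the standard WS-Security `BinarySecurityToken` element, and consumer lists keyed by certificate SHA-256 fingerprint; `PolicyViolation`, `extract_cert` and `identify_consumer` are hypothetical names.

```python
import base64, hashlib
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 assumed
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"

class PolicyViolation(Exception):
    """Stands in for the Policy Violation event (hypothetical name)."""

def extract_cert(soap_xml):
    """Return the bytes of the X.509 BinarySecurityToken in the header, or None."""
    try:
        root = ET.fromstring(soap_xml)
    except ET.ParseError:
        return None
    tok = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}BinarySecurityToken")
    if tok is None or tok.get("ValueType") != X509V3:
        return None
    try:
        # Tokens are often line-wrapped, so drop whitespace before strict decoding.
        return base64.b64decode("".join((tok.text or "").split()), validate=True) or None
    except ValueError:
        return None

def identify_consumer(soap_xml, mode, registered, global_consumers):
    """Map the presented certificate to a consumer name.
    Assumption: consumers are keyed by the SHA-256 fingerprint of the certificate.
    Identification only: no signature or certificate-chain validation is done here.
    """
    if mode == "Do Not Identify":
        return None  # request is forwarded without checking the certificate
    der = extract_cert(soap_xml)
    if der is None:
        raise PolicyViolation("no X.509 token in the WS-Security header")
    consumers = registered if mode == "Registered Consumers" else global_consumers
    name = consumers.get(hashlib.sha256(der).hexdigest())
    if name is None:
        raise PolicyViolation("certificate does not match any consumer")
    return name

# Constructed sample input: placeholder bytes stand in for a DER certificate.
SAMPLE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_REQUEST = (
    f'<s:Envelope xmlns:s="{SOAP}" xmlns:w="{WSSE}"><s:Header><w:Security>'
    f'<w:BinarySecurityToken ValueType="{X509V3}">{base64.b64encode(SAMPLE_DER).decode()}'
    '</w:BinarySecurityToken></w:Security></s:Header><s:Body/></s:Envelope>'
)
GLOBAL_CONSUMERS = {hashlib.sha256(SAMPLE_DER).hexdigest(): "orders-client"}
```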
Copyright © 2005-2015 Software AG, Darmstadt, Germany.
