Mutual SSL Authentication
When the client sends a request using HTTPS transport, TIBCO API Exchange Gateway supports authenticating the client based on digital certificates. This is known as two-way (mutual) SSL authentication.
Mutual SSL authentication is also referred to as client authentication, because the client presents its certificate to the server after the server authenticates itself to the client.
TIBCO API Exchange Gateway uses X.509 digital certificates for mutual SSL authentication and to authorize client requests. In this case, authorization of the request is based on the trusted identity in the gateway processing pipeline. The trusted identity is represented by the digital certificate's X.509 subject distinguished name or the certificate's serial number.
TIBCO API Exchange Gateway uses the Apache HTTP server to terminate the incoming HTTP and HTTPS transports. The actual mutual SSL authentication is handled in the Apache module of the TIBCO API Exchange Gateway. The Apache module authenticates each client request and extracts credentials from the X.509 certificate. The facade layer of the gateway uses those credentials to authorize the request before forwarding it to the Core Engine.
Perform the following high-level steps for mutual SSL authentication.
- Generate Keys and Certificates
- Configure SSL on Apache HTTP Server
  You must configure SSL on Apache HTTP server for secure communications.
- Configure Client Authentication with Digital Certificates on Apache HTTP Server
  You must configure client authentication on Apache HTTP server for mutual SSL communications.
- Configure Client Certificate Identification Details On Apache HTTP Server
  After setting up the client authentication configuration on the Apache HTTP server, configure the identity details of the authenticated client on the Apache HTTP server.
- Register Partners on Config UI
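As an added illustration (generic OpenSSL commands, not TIBCO's documented procedure or tooling), the script below builds a throwaway CA and partner certificate, then extracts the two values described above as the trusted identity, the subject distinguished name and the serial number, only after the certificate verifies against the CA. The function names, subjects, file names and the serial 0x1001 are all constructed for the demo.

```sh
#!/bin/sh
# Added example: constructed throwaway PKI; every name and the serial are demo values.
set -eu

# Create a demo CA and a partner certificate signed by it in directory $1.
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=Example Gateway/CN=Demo Client CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/O=Example Partner/CN=partner-a" \
    -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
  # Fixed serial so the extracted identity is predictable in this demo.
  openssl x509 -req -in "$1/client.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -set_serial 0x1001 -days 1 -out "$1/client.crt" 2>/dev/null
}

# Print "subjectDN|serial" for certificate $2, but only if it chains to CA bundle $1.
client_identity() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  subject=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  serial=$(openssl x509 -in "$2" -noout -serial | sed 's/^serial=//')
  printf '%s|%s\n' "$subject" "$serial"
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_demo_pki "$demo_dir"
client_identity "$demo_dir/ca.crt" "$demo_dir/client.crt"
```

A self-signed certificate carrying the same subject fails the `openssl verify` step, so `client_identity` returns non-zero and reports no identity for it.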