Partner Identification

TIBCO API Exchange Gateway uses the Partner Serial Number and Partner Issuer CA from the header fields of the incoming request to uniquely identify the partner. The gateway maps the authenticated users from the transport headers to the identified partner and validates that partner in the gateway configuration repository.

The Partner Serial Number and Partner Issuer CA are configured on the PARTNER > Partners tab of the Config UI for a project configuration.

For example, for HTTP or HTTPS transport, the partner is identified as follows:

  • Anonymous user

    If no user is specified in the incoming request, the Core Engine treats the request as coming from an anonymous user, which is not authenticated. The Core Engine looks for the partner name defined by the tibco.clientVar.ASG/anonymous/PartnerName/Authenticated property in the ASG_CONFIG_HOME/asg.properties file. The Core Engine matches the value of this property against the value of the Partner Name field under the Partners tab on the Config UI. If the two values match, the Core Engine processes the request further.

    For example, the property is defined in the ASG_CONFIG_HOME/asg.properties file as follows:

       tibco.clientVar.ASG/anonymous/PartnerName/Authenticated=anon_partner

    To process any unauthenticated requests where no user is specified in the request, configure a partner named anon_partner under the PARTNER > Partners tab on the Config UI.

    If there is a mismatch, the Core Engine rejects the partner with an Authorization error.

    By default, the gateway provides an anon partner to handle the requests from unauthenticated users.

  • Mutual SSL Authentication

    If the Core Engine receives the request using the mutual SSL authentication mechanism, the partner is identified by the certificate issuer and serial number from the certificate retrieved from the SSL headers.

    The Core Engine retrieves the user name and issuer CA from the request headers. The Core Engine matches the user name and issuer CA specified in the request header against the Partner Serial Number and Partner Issuer CA fields under the Partners tab on the Config UI.

    If there is a mismatch, the Core Engine rejects the partner with an Authorization error.

The following table explains the values of partner identification fields for various authentication mechanisms:

Partner Identification Fields

| Authentication mechanism | Partner Serial Number | Partner Issuer CA |
|---|---|---|
| SSL Mutual authentication (Apache HTTP Server) | Subject DN from the X.509 certificate of the client. | Issuer DN from the X.509 certificate of the client. |
| Basic Authentication (Apache HTTP Server) | username | O=TIBCO;CN=ASG;CN=HTTP;CN=Basic Domain |
| Basic/UsernameToken Authentication (LDAP) | LDAP DN of the authenticated user. | urn:www.tibco.com |
| UsernameToken authentication (File based) | username | urn:www.tibco.com |
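
The lookup described above, modelled in Python so that a partner configuration can be reasoned about offline, including whether unauthenticated requests would be accepted. This is an added example, not TIBCO code: the function names, partner records and sample DNs are constructed, and exact string comparison of the two fields is an assumption.

```python
# Added illustration: models the partner lookup this page describes. Not TIBCO code.
ANON_PROP = "tibco.clientVar.ASG/anonymous/PartnerName/Authenticated"

# Constructed asg.properties excerpt and partner records (hypothetical sample data).
SAMPLE_PROPERTIES = """\
# constructed sample
tibco.clientVar.ASG/anonymous/PartnerName/Authenticated=anon_partner
"""
BASIC_ISSUER = "O=TIBCO;CN=ASG;CN=HTTP;CN=Basic Domain"  # from the table: Basic auth
TOKEN_ISSUER = "urn:www.tibco.com"                       # from the table: LDAP / file based
SAMPLE_PARTNERS = [
    {"name": "anon_partner"},
    {"name": "acme_ssl", "serial": "CN=client.acme.example,O=Acme",
     "issuer": "CN=Acme Test CA,O=Acme"},
    {"name": "acme_basic", "serial": "alice", "issuer": BASIC_ISSUER},
    {"name": "acme_file", "serial": "alice", "issuer": TOKEN_ISSUER},
]


def load_properties(text):
    """Parse key=value lines, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props


def identify_partner(serial, issuer, partners, props):
    """Return the matching partner name, or raise PermissionError on a mismatch."""
    if serial is None:  # no user in the request: anonymous path
        anon_name = props.get(ANON_PROP)
        if anon_name and any(p["name"] == anon_name for p in partners):
            return anon_name
        raise PermissionError("Authorization error: no partner for anonymous user")
    for p in partners:
        # Assumption: both fields are compared as exact strings.
        if p.get("serial") == serial and p.get("issuer") == issuer:
            return p["name"]
    raise PermissionError("Authorization error: partner not found")


def anonymous_access_enabled(partners, props):
    """Audit helper: True when unauthenticated requests would be processed."""
    try:
        return identify_partner(None, None, partners, props) is not None
    except PermissionError:
        return False
```

The same user name `alice` resolves to two different partners here because the Partner Issuer CA differs, which is why both fields have to be set correctly for each authentication mechanism.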