Configure Client Certificate Identification Details On Apache HTTP Server

After setting up the client authentication configuration on the Apache HTTP server, configure the identity details of the authenticated client on the Apache HTTP server.

The identity details of the authenticated client can be forwarded as custom HTTP headers to the Core Engine. The Core Engine matches the client identification details from the HTTP headers with the identification details configured on the Config UI.

Note: By default, the Apache HTTP server does not forward the authenticated client identity to TIBCO API Exchange Gateway. Therefore, all requests that TIBCO API Exchange Gateway receives through this channel are identified as being sent by the anonymous user.

TIBCO API Exchange Gateway retrieves the client’s identity from two custom HTTP header fields, CAissuer and SerialNumber. The CAissuer field contains the distinguished name of the certificate authority that issued the client certificate. The distinguished name uniquely identifies that certificate authority. The SerialNumber HTTP header contains the unique identification of the client in the context of a TIBCO API Exchange Gateway partner. This can be either the client certificate’s serial number or the certificate’s subject distinguished name.

When TIBCO API Exchange Gateway receives a request that includes these two HTTP header fields, it identifies the partner by matching the values in these two HTTP header fields with the Partner CA Issuer and Partner Serial Number fields in the Partner tab configuration of the Config UI. The Partner CA Issuer contains the identity realm and the Partner Serial Number represents the partner’s identity for that realm.

The serial number uniquely identifies a specific certificate that the partner uses to identify itself. If you use the serial number for the partner configuration, you must update the partner configuration to reflect the new serial number when a partner’s certificate has expired.

Note: If you use the subject distinguished name, you do not need to update the TIBCO API Exchange Gateway partner configuration when the partner renews its certificate after the certificate expiration.

The following configuration setup is required on the Apache HTTP server so that TIBCO API Exchange Gateway can identify a partner based on the CAissuer and SerialNumber HTTP header fields:

See for configuration steps.
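The header forwarding described above can be illustrated with mod_ssl and mod_headers. This is an added example, not TIBCO's documented configuration: the file paths, port numbers and verification depth are placeholder assumptions, and how requests are handed on to the gateway is left as already configured on your server.

```apache
# Added example (not from the TIBCO documentation).
# Requires mod_ssl and mod_headers to be loaded.

<VirtualHost *:443>
    SSLEngine on
    # Placeholder paths (assumptions): substitute your own files.
    SSLCertificateFile     /path/to/server.crt
    SSLCertificateKeyFile  /path/to/server.key
    # CA bundle of the authorities that issue partner client certificates.
    SSLCACertificateFile   /path/to/partner-ca-bundle.pem

    # Client authentication: reject the TLS handshake unless the client
    # presents a certificate that chains to the bundle above.
    SSLVerifyClient require
    SSLVerifyDepth  2

    # "set" replaces any CAissuer/SerialNumber value the client sent, so
    # the gateway only sees values taken from the verified certificate.
    # SSL_CLIENT_I_DN = issuer distinguished name of the client certificate.
    RequestHeader set CAissuer "%{SSL_CLIENT_I_DN}s"

    # Choose ONE of the two identification styles the page describes.
    # (a) Certificate serial number: the partner configuration must be
    #     updated whenever the partner gets a new certificate.
    RequestHeader set SerialNumber "%{SSL_CLIENT_M_SERIAL}s"
    # (b) Subject distinguished name: survives certificate renewal.
    # RequestHeader set SerialNumber "%{SSL_CLIENT_S_DN}s"
</VirtualHost>

# On any listener that does NOT verify client certificates, drop both
# headers so that only values derived from a verified certificate can
# reach the gateway; such requests are then treated as anonymous.
<VirtualHost *:80>
    RequestHeader unset CAissuer
    RequestHeader unset SerialNumber
</VirtualHost>
```

The strings Apache places in these headers are what the gateway compares against the Partner CA Issuer and Partner Serial Number fields, so enter those fields in the Config UI in the same form that Apache emits them.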