Partner Identification

TIBCO API Exchange Gateway uses the Partner Serial number and Partner Issuer CA from the header fields of the incoming request to uniquely identify the partner. The gateway maps the authenticated users from the transport headers to validate the identified partner in the gateway configuration repository.

The Partner Serial Number and Partner Issuer CA are configured on the PARTNER > Partners tab of the Config UI for a project configuration.

For example, for HTTP or HTTPS transport, the partner is identified as follows:

Anonymous user
If no user is specified in the incoming request, the Core Engine considers this request as a request from anonymous user which is not authenticated. The Core Engine looks for the partner name defined by the tibco.clientVar.ASG/anonymous/PartnerName/Authenticated property in ASG_CONFIG_HOME/asg.properties file. The Core Engine matches the value of this property with the value defined by Partner Name field under Partners tab on the Config UI. If both the values match, the Core Engine further processes the request.
For example, the property is defined in ASG_CONFIG_HOME/asg.properties file as follows:
```
   tibco.clientVar.ASG/anonymous/PartnerName/Authenticated=anon_partner
```
To process any unauthenticated requests where no user is specified in the request, configure a partner as anon_partner under PARTNER > Partners tab on the Config UI.
If there is a mismatch, then the Core Engine rejects the partner with Authorization error.
By default, the gateway provides an anon partner to handle the requests from unauthenticated users.
```
tibco.clientVar.ASG/UseDefaultIfPartnerNotFound
```
The property comes into action when Partner does not match Serial number or Issuer CA and even then you want to fall-back on it as default anon so that the request is successfully processed.
Mutual SSL Authentication
If the Core Engine receives the request using mutual SSL authentication mechanism, the partner is identified by the certificate issuer and serial number from the certificate retrieved from the SSL headers.
The Core Engine retrieves the user name and issuer CA from the request headers. The Core Engine matches the user name and issuer CA as specified in the request header with the Partner Serial Number and Partner Issuer CAfields under Partners tab on the Config UI.
If there is a mismatch, the Core Engine rejects the partner with Authorization error.

The following table explains the values of partner identification fields for various authentication mechanisms:

Partner Identification Fields
Parameter	Description
SSL Mutual authentication (Apache HTTP Server)
Partner Serial Number	Subject DN from the X.509 certificate of the client.
Partner Issuer CA	Issuer DN from the X.509 certificate of the client.
Basic Authentication (Apache HTTP Server)
Partner Serial Number	username
Partner Issuer CA	`O=TIBCO;CN=ASG;CN=HTTP;CN=Basic Domain`
Basic/UsernameToken Authentication (LDAP)
Partner Serial Number	LDAP DN of the authenticated user.
Partner Issuer CA	`urn:www.tibco.com`
UsernameToken authentication (File based)
Partner Serial Number	username
Partner Issuer CA	`urn:www.tibco.com`

Subtopics