
The web service plugin supports two authentication methods in the communication between a backend information system and the web service plugin interface:

  1. username/password

  2. TLS certificate.

This article explains how to configure the TLS certificate based authentication (2).

Before starting the configuration steps, please make sure that you have access to the backend information system’s client certificate that is used for TLS authentication.

A self-signed certificate can be generated using the command below:

openssl req -x509 -newkey rsa:2048 -keyout mykey.pem -out mycert.pem -days 365 -nodes

The command generates a private key (mykey.pem) and a certificate (mycert.pem).

Prerequisites

Before starting the actual configuration steps, the certificate ID of the backend system’s client certificate must be constructed.

The certificate ID is constructed taking the CN, O and C fields, and combining them with the serial number converted to decimal value:

CN=<common_name>,O=<organisation>,C=<country_code>:<serial_number_converted_to_decimal_value>

NOTE! The certificate field values can contain letters only - spaces or dots are not allowed!

For example:

Owner: CN=C1, O=Organisation, C=FI
Issuer: CN=C1, O=Organisation, C=FI
Serial number: be702c89926c48cf

Convert the certificate serial number from its hex value to a decimal value (a hex-to-decimal converter can be used for this):

be702c89926c48cf => 13722517033976613071

Certificate ID:

CN=C1,O=Organisation,C=FI:13722517033976613071
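The construction above, as an added example that is not part of the original page: a small Python script that takes a keytool-style certificate listing (Owner / Serial number lines, as shown above), picks out CN, O and C, rejects values containing spaces or dots, converts the hex serial number to decimal and assembles the certificate ID. The sample listing is constructed from the example above; accepting openssl's colon-separated serial format is an addition beyond what the page shows.

```python
import re

# Constructed sample in keytool "Owner/Issuer/Serial number" form, mirroring the example above
SAMPLE_LISTING = """\
Owner: CN=C1, O=Organisation, C=FI
Issuer: CN=C1, O=Organisation, C=FI
Serial number: be702c89926c48cf
"""
REQUIRED_FIELDS = ("CN", "O", "C")  # the subject fields the certificate ID is built from

def parse_dn(dn: str) -> dict:
    # "CN=C1, O=Organisation, C=FI" -> {"CN": "C1", "O": "Organisation", "C": "FI"}
    fields = {}
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        fields[key.strip()] = value.strip()
    return fields

def check_field_value(name: str, value: str) -> str:
    # Enforce the restriction above: the value must be present and contain no spaces or dots
    if not value:
        raise ValueError(f"{name} is missing or empty")
    if " " in value or "." in value:
        raise ValueError(f"{name}={value!r} contains a space or a dot")
    return value

def serial_to_decimal(serial_hex: str) -> int:
    # Hex serial -> decimal; also accepts the colon-separated form that openssl prints
    cleaned = serial_hex.strip().replace(":", "")
    if not re.fullmatch(r"[0-9a-fA-F]+", cleaned):
        raise ValueError(f"serial number {serial_hex!r} is not hexadecimal")
    return int(cleaned, 16)

def build_certificate_id(listing: str) -> str:
    # Returns "CN=<cn>,O=<o>,C=<c>:<decimal serial>" for a keytool-style listing
    owner = serial = None
    for line in listing.splitlines():
        label, _, rest = line.partition(":")
        if label.strip() == "Owner":
            owner = rest.strip()
        elif label.strip() == "Serial number":
            serial = rest.strip()
    if owner is None or serial is None:
        raise ValueError("listing needs 'Owner:' and 'Serial number:' lines")
    subject = parse_dn(owner)
    dn_part = ",".join(f"{f}={check_field_value(f, subject.get(f, ''))}" for f in REQUIRED_FIELDS)
    return f"{dn_part}:{serial_to_decimal(serial)}"

if __name__ == "__main__":
    print(build_certificate_id(SAMPLE_LISTING))  # CN=C1,O=Organisation,C=FI:13722517033976613071
```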

Instructions

The TLS certificate based authentication can be configured by following the steps below.

  1. Log in to the Access Point admin UI.

  2. Create a new plugin user using the “Certificate” type.

  3. Type in the Plugin User details - including the certificate ID.

  4. Click OK and then Save.

  5. Import the backend information system’s client certificate to the Access Point’s TLS truststore following these instructions.

  6. Send a test request using the client certificate (note that the -k flag disables verification of the Access Point’s server certificate). For example:

     curl -E <MY_CERT>.pem --key <MY_KEY>.pem --header "Content-Type: text/xml;charset=UTF-8" --data @<MY_REQUEST_FILE>.xml https://<MY_AP_HOST>:8443/services/backend -v -k
