webMethods

Hi,

Is there a way to receive the client certificate information, used for client authentication during a web service call?

I have a package, with a REST (POST) Service. When I start the request from my Postman using the client certificate I can successfully call the service.
I wanted to know if there is a way to obtain some information about the client certificate or directly the byte array of the certificate in order to use the pub.security.util:getCertificateInfo service.

Thank you in advance,
Alessio

Hi Alessio,
In your service, you can invoke the following Java APIs to get the client certificate chain. If there were no client certificates presented then null will be returned.

import com.wm.app.b2b.server.InvokeState;
import com.wm.app.b2b.server.ProtocolState;

ProtocolState protocolState = (ProtocolState)InvokeState.getCurrentState().getProtocolInfoIf();
X509Certificate[] certificateChain = protocolState.getCertificateChain();

Hi Alessio,
There is no direct way or public services to get the client certificate. Generally the pub.flow:getTransportInfo service gets the details of the client related to transport level like protocol, host address etc… but it missing certificate info. It might be good to add it.

In general, all the client certificates are mapped to an user and stored in database table (IS_CERTIFICATE_MAP). So one of the indirect way would be to query the database based on the logged in user () to get the certificates and pass it to pub.security.util:getCertificateInfo.

Thanks.

Hi Jaideep,

querying the database sounds like a good idea, but instead of selecting the certificate for the user being logged in I would suggest to use the certificate for the user which is configured on the remote side as allowed user for invoking the rest service.

When IS is the hosting Server this will be done automatically by the AuthManager inside IS but for outgoing connections this needs to behandled separately by adding the certificates as Keystores (with corresponding Truststores) and assign these Keystore and Truststore Aliases to setCertificate before invoking the external REST ressource.

If this does not meet the question of the original post I would suggest to provide some more details why the client certificate info needs to be checked inside the service.
As long as the certificate of the external user is correctly mapped to the user in IS, the user is mapped to the correct ACL, the certificate is trusted/valid and the service can be successfully invoked using this certificate/user there is usually no need to perform deeper checks on this certificate as all of these have already been done by internal mechanisms of the IS.

Regards,
Holger

“…I would suggest to provide some more details why the client certificate info needs to be checked inside the service…”

I think Alessio can better explain the usecase of checking the certificate details.

Thanks.