Custom Domain: set client certificate authentication mandatory or not (request or require)
When configuring a custom domain, you can decide whether client certificate authentication is mandatory for accessing it. This is controlled by the switch require or request of the set-ssl-host command in the neo Java SDK.
- An SSL Host created on your SCPI Global Account
- SAP neo-java-web-sdk installed on your local machine
Configure the switch, test the different behaviour
Let’s call a SOAP-based (request-reply) SCPI application from SoapUI. The cases to test are:
- enabling the switch request and connecting via basic authentication (username+password)
- enabling the switch require and connecting via client certificate
Set the switch to request.
Call the WS from SoapUI. Insert username and password and test the connection.
Set the switch to require.
Call the WS from SoapUI. Insert username and password and test the connection: it fails with an error (Connection reset).
Let’s create a certificate with KeyStore Explorer. It’ll be used for the SSL client authentication.
Open KeyStore Explorer:
- New KeyStore
- choose JKS
- right-click, Generate Key Pair
- insert the Subject information (CN, O, ST, etc.)
- apply and save
- double-click on the KeyStore, Export
Add a certificate-to-user mapping entry in SCPI.
Assign the role ESBMessaging.send to the user you just created.
Load the jks file into SoapUI. For more information on how to do it, go through this page.
Test the connection.
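The difference between the two switch values can be reproduced locally with OpenSSL, whose test server has the same two modes (-verify asks for a client certificate, -Verify insists on one). This is an added example, not part of the original post: the port, file names and throwaway certificates are constructed, and the local server stands in for the custom domain rather than talking to SCPI.

```shell
#!/bin/sh
# Added example, not from the original post: "request" vs "require" on a
# local OpenSSL test server. Port, names and certificates are constructed.
PORT=${PORT:-18443}
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert <name>: throwaway self-signed certificate and key in $WORK
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# probe <request|require> [client-cert-name]
# Starts the server in the given mode, sends one HTTP request and prints
# "accepted" if a reply comes back, "rejected" otherwise.
probe() {
    case "$1" in
        request) mode=-verify ;;  # ask for a client certificate, carry on without one
        require) mode=-Verify ;;  # fail the handshake when none is presented
        *) echo "usage: probe request|require [name]" >&2; return 2 ;;
    esac
    openssl s_server -accept "$PORT" -www "$mode" 1 \
        -cert "$WORK/server.crt" -key "$WORK/server.key" \
        -CAfile "$WORK/client.crt" </dev/null >/dev/null 2>&1 &
    srv=$!
    sleep 1  # give the listener time to bind
    if [ -n "$2" ]; then
        set -- "$1" -cert "$WORK/$2.crt" -key "$WORK/$2.key"
    fi
    shift    # what remains is the optional client certificate arguments
    if printf 'GET / HTTP/1.0\r\n\r\n' |
        openssl s_client -connect "127.0.0.1:$PORT" -quiet \
            -CAfile "$WORK/server.crt" "$@" 2>/dev/null |
        grep -q '^HTTP/1.0 200'; then
        result=accepted
    else
        result=rejected
    fi
    kill "$srv" 2>/dev/null || true
    wait "$srv" 2>/dev/null || true
    echo "$result"
}

make_cert server
make_cert client
echo "request, no client cert:   $(probe request)"
echo "require, no client cert:   $(probe require)"
echo "require, with client cert: $(probe require client)"
```

With TLS 1.3 the rejection in the require case reaches the client only after it has finished its own side of the handshake, so clients tend to report it as a reset or failed read rather than a handshake error.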
One more difference: browser response
If you contact your custom domain from a browser, you will see a different response depending on the switch.
When you call the cxf resource, the server responds with the domain certificate.
If the switch require is set, however, the certificate is not even shown.
Thanks for reading.