Custom Domain: set client certificate authentication mandatory or not (request or require)
Introduction
When configuring a custom domain, you can decide whether it must be accessed via client certificate authentication or not. This is controlled by the switch require or request, which is set with the set-ssl-host command of the neo Java SDK.
Prerequisites
- An SSL Host created on your SCPI Global Account
- SAP neo-java-web-sdk installed on your local machine
Configure the switch, test the different behaviour
Let’s call a SOAP-based (request-reply) SCPI application from SoapUI. The cases to test are:
- enabling the switch request and connecting via basic authentication (username+password)
- enabling the switch require and connecting via client certificate
REQUEST
Set the switch to request.
Call the WS from SoapUI. Insert username and password and test the connection.
Connection works.
REQUIRE
Set the switch to require.
Call the WS from SoapUI. Insert username and password and test the connection: an error is returned (Connection reset).
Connection doesn’t work.
Let’s create a certificate with KeyStore Explorer. It’ll be used for the SSL client authentication.
Open KeyStore Explorer:
- New KeyStore
- choose JKS
- right click, Generate Key Pair
- insert the Subject information (CN, O, ST, etc.)
- apply and save
- double click on the KeyStore, Export
Add a certificate-to-user mapping entry in SCPI.
Assign the role ESBMessaging.send to the username just created.
Load the jks file into SoapUI. For more information on how to do it, go through this page.
Test the connection.
Connection works.
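The same outcomes can be reproduced locally with a small model of the switch. This is an added example, not SAP's code and not part of the original post. It assumes that request corresponds to Python's `ssl.CERT_OPTIONAL` and require to `ssl.CERT_REQUIRED`, uses the `openssl` command line tool to create throwaway self-signed certificates, and all names in it (`server.example`, `client.example`, the function names) are constructed.

```python
import os, ssl, subprocess, tempfile

MODES = {"request": ssl.CERT_OPTIONAL, "require": ssl.CERT_REQUIRED}  # assumed mapping

def make_cert(directory, name):
    """Create a throwaway self-signed cert/key pair (constructed test data)."""
    crt, key = (os.path.join(directory, name + ext) for ext in (".crt", ".key"))
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1", "-subj",
                    "/CN=" + name, "-keyout", key, "-out", crt], check=True, capture_output=True)
    return crt, key

def pump(src, dst):  # move one side's outgoing TLS records to the other side's input
    data = src.read()
    if data:
        dst.write(data)

def handshake(mode, server_pair, client_pair=None):
    """Return True if an in-memory TLS handshake completes on both sides."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(*server_pair)
    srv.verify_mode = MODES[mode]
    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cli.check_hostname = False                     # local model: no real host name to check
    cli.load_verify_locations(server_pair[0])      # the server certificate is still verified
    if client_pair:
        cli.load_cert_chain(*client_pair)
        srv.load_verify_locations(client_pair[0])  # server trusts this client certificate
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = cli.wrap_bio(c_in, c_out)
    server = srv.wrap_bio(s_in, s_out, server_side=True)
    finished = set()
    for _ in range(10):                            # bounded number of handshake flights
        for side in (client, server):
            try:
                side.do_handshake()
                finished.add(side)
            except ssl.SSLWantReadError:
                pass                               # waiting for the peer's next flight
            except ssl.SSLError:
                return False                       # e.g. require with no client certificate
        pump(c_out, s_in)
        pump(s_out, c_in)
        if len(finished) == 2:
            return True
    return False

def run_cases():  # every combination of switch value and client certificate presence
    with tempfile.TemporaryDirectory() as d:
        server, client = make_cert(d, "server.example"), make_cert(d, "client.example")
        return {(m, bool(c)): handshake(m, server, c) for m in MODES for c in (None, client)}
```

`run_cases()` returns a dict keyed by (switch value, client certificate presented); only the require case without a certificate is rejected.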
One more difference: browser response
If you contact your custom domain from a browser, you will see a different response depending on the switch.
REQUEST
When you call the cxf resource, the server responds with the domain certificate.
REQUIRE
If the switch is set to require, however, the certificate is not even shown.
Thanks for reading.