Securing APIs using Mutual Authentication and Application Authentication
In this blog, we will learn how to secure APIs in API Manager using two mechanisms: Mutual Authentication (the gateway requires a client certificate during the TLS handshake) and Application Authentication (a certificate is registered against the consumer application and checked by the API).
Mutual Authentication:
Enabling Mutual Authentication in API Manager
Step 1: Create a Truststore
The first step is to set up a truststore in API Manager. The truststore holds the CA certificate(s) that client certificates must chain to.
- In the Provider Organization, navigate to Resources.
- From there, go to the TLS section.
- Create a new truststore in the TLS section.
- Go to the Certificates section and add the required certificate there.
Step 2: Create a Server Profile
- Now create the server profile.
- Go to the TLS server profile section and give it a name.
- Set the mutual authentication mode to “require”, so that a client certificate is mandatory and validated on every connection.
- Link the appropriate keystore (the server’s own certificate and key) and the truststore created in Step 1 to this profile.
- Save your settings.
This server profile associates the truststore and the other security configuration needed for mutual authentication.
In Postman:
Setting Up Postman for Certificate-Based Requests
Prerequisite:
Ensure that your client certificate is added to Postman’s certificate configuration.
Steps:
- Start Postman and click the settings icon in the top right corner to open the settings menu.
- Navigate to the Certificates section within the settings menu.
- In the CA Certificates area, upload your client certificate to enable secure communication with APIs that require certificate-based authentication.
Now test the API.
The API will not work if you don’t provide the certificate when making the request.
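A quick way to confirm that the “require” setting on the server profile is actually enforced, rather than trusting the Postman run alone, is to make the same request twice: once presenting the client certificate and once without it. Only the first call should get past the TLS handshake. The script below is an added example (not part of the original post and not IBM API Connect code) using only the Python standard library; the host, path and certificate file names are placeholders you replace with your own.

```python
"""Probe an mTLS-protected API to confirm the TLS server profile enforces
'require': the call with the client certificate should reach the API and
the same call without it should fail during or right after the handshake.

Added example; not IBM's code. Host, path and file names are placeholders.
"""
import http.client
import socket
import ssl
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProbeResult:
    ok: bool                      # TLS session established and an HTTP response read
    status: Optional[int] = None  # HTTP status when ok
    error: Optional[str] = None   # exception class name otherwise


def make_client_context(ca_bundle: Optional[str] = None,
                        client_cert: Optional[str] = None,
                        client_key: Optional[str] = None) -> ssl.SSLContext:
    """TLS client context that always verifies the server certificate and
    presents a client certificate only when both cert and key paths are given."""
    ctx = ssl.create_default_context(cafile=ca_bundle)  # None -> system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert and client_key:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def probe(host: str, path: str, ctx: ssl.SSLContext,
          port: int = 443, timeout: float = 10.0) -> ProbeResult:
    """One GET over TLS. A missing client certificate shows up either as an
    SSLError in the handshake or, with TLS 1.3, as the connection being torn
    down when the first request is sent; both are reported as ok=False."""
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return ProbeResult(ok=True, status=resp.status)
    except (ssl.SSLError, socket.error, http.client.HTTPException) as exc:
        return ProbeResult(ok=False, error=type(exc).__name__)
    finally:
        conn.close()


def mtls_enforced(with_cert: ProbeResult, without_cert: ProbeResult) -> bool:
    """Verdict: the cert-bearing call completed the handshake (any HTTP status
    counts) and the cert-less call did not. Anything else means the profile is
    not enforcing client certificates the way the configuration intends."""
    return with_cert.ok and not without_cert.ok


if __name__ == "__main__":
    HOST, PATH = "api.example.com", "/sandbox/v1/health"  # placeholders
    with_cert = probe(HOST, PATH, make_client_context("ca.pem", "client.pem", "client-key.pem"))
    without_cert = probe(HOST, PATH, make_client_context("ca.pem"))
    print("with cert:", with_cert)
    print("without cert:", without_cert)
    print("mTLS enforced:", mtls_enforced(with_cert, without_cert))
```

If `mtls_enforced` reports False because the cert-less call also succeeded, the API is most likely still bound to a server profile whose mutual authentication mode is not “require”; if both calls fail, check the keystore/truststore links on the profile before looking at the client side.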
Application Authentication in API:
Step 1: Configure the API for Certificate Authentication
- Create an API, give it a name, and specify all the required parameters.
- Go to the Gateway tab and open the Application Authentication settings.
- Enable the certificate option (this ensures that the client must present a valid certificate).
This configuration ensures that only clients presenting valid certificates can access the API.
Step 2: Set up a new application using the Developer Portal
- Log in to the Developer Portal.
- Select the product you want to subscribe to.
- Select the plan and create an application.
- During application creation, an option will appear to upload a certificate.
- Paste the certificate content in single-line format and subscribe to the product.
Note: The certificate upload option is only available if Application Authentication is enabled at the API level.
Save and test the API.
To test the API:
- Include your certificate in the request using the X-Client-Certificate header.
- Ensure all other required security headers and credentials are also provided.
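The two places where the certificate is handled as text, the single-line paste during application creation and the X-Client-Certificate header on each request, are easy to get wrong by hand (stray line breaks, a truncated base64 body, the wrong PEM block). The helper below is an added example, not part of the original post or of IBM API Connect: it collapses a PEM certificate to one line, checks that the result is a plausible certificate, and builds the request headers. It assumes the header carries the same single-line PEM text as the portal accepts, and it uses X-IBM-Client-Id as the name of the client-ID header mentioned under “other required security headers” (the API Connect default; your API may use a different name). The embedded sample is a constructed placeholder, not a real X.509 certificate.

```python
"""Prepare a client certificate for Application Authentication: the
single-line PEM for the Developer Portal and the X-Client-Certificate header.

Added example; not IBM's code. Header encoding is an assumption (PEM text
with newlines removed). Client-ID header name assumed to be X-IBM-Client-Id.
"""
import base64
from typing import Dict, Optional

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def pem_to_single_line(pem: str) -> str:
    """Collapse one PEM CERTIFICATE block to a single line and sanity-check it.

    Raises ValueError if the markers are wrong, the body is not base64, or the
    decoded bytes do not start with an ASN.1 SEQUENCE tag (0x30), which every
    DER-encoded X.509 certificate does. This catches a pasted private key or a
    truncated copy before it reaches the portal or the gateway.
    """
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("expected exactly one PEM CERTIFICATE block")
    body = "".join(lines[1:-1])
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("PEM body is not valid base64") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded body does not start with an ASN.1 SEQUENCE")
    return f"{BEGIN}{body}{END}"


def single_line_to_pem(single: str) -> str:
    """Inverse of pem_to_single_line: re-wrap the base64 body at 64 columns."""
    if not (single.startswith(BEGIN) and single.endswith(END)):
        raise ValueError("missing PEM markers")
    body = single[len(BEGIN):-len(END)]
    wrapped = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([BEGIN, *wrapped, END]) + "\n"


def client_cert_headers(pem: str, client_id: Optional[str] = None) -> Dict[str, str]:
    """Headers for a request to an API with Application Authentication enabled.

    X-Client-Certificate carries the single-line PEM; the client-ID header is
    added only when the plan also requires an API key.
    """
    headers = {"X-Client-Certificate": pem_to_single_line(pem)}
    if client_id:
        headers["X-IBM-Client-Id"] = client_id  # assumed default header name
    return headers


# Constructed placeholder: a minimal DER SEQUENCE wrapped in PEM markers so the
# helpers above have something to run on. It is NOT a real certificate.
_PAYLOAD = b"constructed placeholder body; not a real X.509 certificate, replace with your own PEM"
_SAMPLE_DER = bytes([0x30, len(_PAYLOAD)]) + _PAYLOAD  # short-form DER length (< 128)
SAMPLE_PEM = single_line_to_pem(BEGIN + base64.b64encode(_SAMPLE_DER).decode() + END)


if __name__ == "__main__":
    print("Paste into the Developer Portal:")
    print(pem_to_single_line(SAMPLE_PEM))
    print("Request headers:")
    for name, value in client_cert_headers(SAMPLE_PEM, client_id="<your-client-id>").items():
        print(f"  {name}: {value[:40]}...")
```

Run it with your own certificate by replacing `SAMPLE_PEM` with the contents of your PEM file; the round trip through `single_line_to_pem` gives you back a conventional PEM file if you only have the single-line form.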