Implemented X509 certificate authentication for SOAP Client

Introduction

X509 is a digital certificate format built on a widely trusted standard, the ITU (International Telecommunication Union) X509 standard, which defines the format of PKI certificates.

Overview

X509 digital certificates form a certificate-based authentication framework that can be used to provide secure transaction processing and protect personal information. They are used to handle security and identity in computer networks and Internet-based communications. The X509 authentication service relies on public key certificates to authenticate your SOAP connection. A certificate is presumed to have been produced by a trusted certification authority, and certificates are usually published in the user's directory; these directory servers make it easy to find certificates so that you can securely access the SOAP Client website. The X509 certificate format is defined in a predefined interface definition language known as ASN.1 (Abstract Syntax Notation One), and each certificate is associated with a public and private key pair that is used to encrypt and decrypt messages.

In SOAP clients the connection can be secured with the help of X509 certificate authentication. This element is used to provide a certificate for authentication. The digital certificate is based on the internationally accepted ITU X509 standard, which defines the format of public key infrastructure (PKI) certificates. Such certificates are used to manage identity and security in Internet communications and computer networking. They are small and inconspicuous, and we encounter them all the time when using websites, mobile apps, online documents, and connected devices.

Benefits of X509 certificate authentication

  • The core benefit of the X509 certificate is that it is built on a key pair consisting of a related public key and a private key, which helps to provide a secure environment for SOAP client connections.

  • Digital certificates allow individuals, organizations, and even devices to establish trust in the digital world. As the foundation for all digital identities, X509 certificates are everywhere and are essential to every connected process, from websites to applications to endpoint devices and online documents.

  • A certificate is signed either by a publicly trusted issuer, a Certificate Authority (CA) such as Sectigo, or by its own key (self-signed).

  • Another advantage of this certificate-based identity approach is scalability. The PKI architecture is extensible enough to protect the billions of messages that an organization exchanges daily over its own network or the Internet. This is possible because the public key can be distributed widely and openly without a malicious attacker being able to discover the private key needed to decrypt the message.

  • X509 digital certificates also provide effective digital identity authentication. Identity protection is more important than ever as data and applications extend beyond traditional networks to mobile devices, public clouds, private clouds, and IoT devices. The digital identity does not have to be limited to the device; it can also be used to authenticate people, data, or applications. Digital identity certificates based on this standard allow organizations to improve security by replacing passwords, which attackers are increasingly proficient at stealing.

Use of X509 certificate

The X509 certificate common name (CN) for an application must be the same as the account user name, which is the string that was referred to as the applicationInstanceGroupId in previous versions of Services Gatekeeper. This is provided by the operator when the account is provisioned.

To authenticate using an X509 certificate, follow the steps below.

  1. Create a web service security configuration.

     For details, see "Create a Web service security configuration".

  2. Generate a key pair for the client.

     Example: % keytool -genkey -alias client_cert_x509 -keyalg RSA -keysize 1024 -keypass ClientKey -keystore client_Identity.jks -storepass ClientKey

  3. Export the self-signed client certificate.

     Example: % keytool -export -alias client_cert_x509 -file client_cert_x509.cer -keystore client_Identity.jks -storepass ClientKey

  4. Generate the key pair for the server.

     Example: % keytool -genkey -alias server_cert_x509 -keyalg RSA -keysize 1024 -keypass ServerKey -keystore ServerIdentity.jks -storepass ServerKey

  5. Export the self-signed server certificate.

  6. Import the trust certificates.

  7. Configure the certificates in the Administration Console by pointing the server to the certificates you created in Step 5.

  8. Use the X509 certificates to establish identity.

     For details, see "Use X509 certificates to establish identity".
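The steps above, and the rule that the certificate CN must equal the account user name, as an added example written with Go's standard library (this is not code from the page, from Services Gatekeeper or from Sapper): it generates a self-signed client certificate, treats a certificate pool as the imported trust store, and checks a presented certificate the way the receiving side should. The account user name "workday_app" is a constructed placeholder.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newSelfSigned does in code what steps 2-5 do with keytool: generate a key
// pair and a self-signed certificate whose CN is the account user name.
// (Ed25519 here; the 1024-bit RSA in the keytool examples is below current
// minimums, so use 2048-bit RSA or larger in practice.)
func newSelfSigned(accountUser string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: accountUser},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkClientCert applies the checks the receiving side should make once the
// trust certificates are imported (step 6): the certificate must chain to a
// trusted one, be valid for client authentication, and carry the account user name as CN.
func checkClientCert(cert *x509.Certificate, trusted *x509.CertPool, accountUser string) error {
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	if cn := cert.Subject.CommonName; cn != accountUser {
		return fmt.Errorf("CN %q does not match account user name %q", cn, accountUser)
	}
	return nil
}
```

A certificate that is not in the trust pool, or whose CN differs from the provisioned account user name, is rejected with a descriptive error.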


How to use X509 Certificate In Sapper

  1. To use the X509 certificate you first need to create a SOAP connection. Click on the Connection tab from the Sapper homepage.

  2. Now click on the create connection option on the right side of the Connection tab.

  3. Once you click on the plus button to create a connection, a new form pops up on the screen.

  4. Now select the application, select SOAP as the connection type, and choose the connection name.

  5. Choose the password type; here you will get the options Password Text, Password Digest and X509 certificate. Select the X509 certificate option from the dropdown list.

  6. Now browse to the certificate or provide the file name to fetch the details of the certificate.

  7. Provide the password for securing the connection details.

  8. Now save it to complete the configuration.

Key                    | Description                                          | Example
-----------------------|------------------------------------------------------|----------------------------------------------------
Select Application     | Select the application from the connection dropdown  | Workday
Connection Mode        | Select the connection mode                           | Custom
Connection Type        | Choose the connection type from the dropdown list    | SOAP
Connection Name        | Provide the connection name                          | Workday
Connection Description | Add a description for the connection                 | Sample
Password Type          | Select the password type for the specific connection | Password Text, Password Digest and X509 certificate
File name              | Provide the file name for the X509 certificate       |
User Name              | Provide the user name for the specific connection    |
Password               | Add the password for the specific connection         |