Certificate token authenticator configuration

This chapter explains the configuration of an Authenticator, using the transaction approval configuration as an example.

The same configuration is also applicable for:

  • Adminapp/REST: Adminapp >> REST API Configuration >> Authenticator
  • Loginapp/REST (protected resources): Loginapp >> REST Settings >> Authenticator

The configuration of the transaction approval module is described in detail here: Transaction approval REST API.

The following configuration is only required if mutual certificate authentication is to be enabled:

  • For mutual authentication, we use the "Certificate Token Authenticator" as shown below.
  • The configuration of the "Request Credential Policy" requires the client to provide a certificate.

The "Certificate Token Authenticator" must be configured with a "Credential Data Certificate Matcher". The certificate matcher extracts the username from the client's certificate and thereby guarantees that a trusted certificate (see the trust store configuration above) was provided.

If the presence of a trusted certificate is sufficient for the client to be allowed to use the transaction approval endpoint, and there is no requirement to log the client's username, the configuration is complete.
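The following added example (not Airlock IAM code) illustrates the two guarantees described above: a client certificate is only accepted when it chains to the configured trust store, and only then is a username taken from it. It assumes a self-signed demo CA as the trust store and the subject CN as the username field; which certificate field the matcher reads is a configuration choice and is assumed here.

```shell
#!/bin/sh
# Added example, not part of Airlock IAM: emulate what the Certificate Token
# Authenticator with a Credential Data Certificate Matcher guarantees.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed trust store: one trusted demo CA. A second, unrelated CA ("Rogue CA")
# is deliberately NOT part of the trust store.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Trusted Demo CA" \
  -keyout "$WORK/ca.key" -out "$WORK/truststore.pem" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Rogue CA" \
  -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" 2>/dev/null

# issue_client CA_CERT CA_KEY USERNAME OUTFILE
# Issue a client certificate whose subject CN carries the username (assumption:
# the matcher is configured to read the CN).
issue_client() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$4.key" -out "$4.csr" 2>/dev/null
  openssl x509 -req -in "$4.csr" -CA "$1" -CAkey "$2" -CAcreateserial -days 1 \
    -out "$4" 2>/dev/null
}
issue_client "$WORK/truststore.pem" "$WORK/ca.key" alice "$WORK/alice.pem"
issue_client "$WORK/rogue.pem" "$WORK/rogue.key" mallory "$WORK/mallory.pem"

# match_username TRUSTSTORE CLIENT_CERT
# Mirrors the matcher: first verify the chain against the trust store; only if
# that succeeds, print the username from the subject CN. An untrusted or missing
# certificate yields no username and a non-zero exit status, i.e. the request
# credential policy is not satisfied.
match_username() {
  [ -f "$2" ] || return 1
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  openssl x509 -in "$2" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

match_username "$WORK/truststore.pem" "$WORK/alice.pem"      # alice
match_username "$WORK/truststore.pem" "$WORK/mallory.pem" || echo "rejected: untrusted issuer"
match_username "$WORK/truststore.pem" "$WORK/none.pem"    || echo "rejected: no certificate"
```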