Enable SSL with Mutual Authentication

The API Portal Integration services support two types of authentication methods:
  • HTTP Basic authentication (using SSL)
  • Certificate-based authentication (using SSL with client-mutual authentication)
Certificate-based authentication is the preferred method. The HTTP Basic method depends on the Gateway administrator account that you created for the API Portal, which by default expires after 90 days.
The HTTP Basic authentication method is acceptable in a testing environment, but certificate-based authentication should be used in a production environment to prevent the l7apiportal account from being locked out.
To enable SSL with mutual authentication:
    1. Create a user with the certificate “CN” value:
      1. In the Policy Manager, select the Identity Providers tab.
      2. Right-click Internal Identity Provider and then select Create User. The Create Internal User dialog opens. Complete the dialog as follows:
          User Name: Enter the fully qualified host name of your API Portal (for example, 
          : Create a password. The password must be at least eight characters and must contain at least one lowercase character.
          Retype the password to confirm.
      3. Click 
        . The user is created.
      4. Right-click Internal Identity Provider and then select Search Identity Provider. The Search Identity Provider dialog opens.
      5. Click 
         to display the internal users.
      6. Locate the user that you just created (for example, 
        ) and then click 
        . The properties dialog for that user appears.
      7. Select the 
         tab and then click 
        . The Add Certificate Wizard appears.
      8. In Step 1 of the wizard, select Import from a file and then click 
      9. Navigate to the certificate file (for example, 
        ) that you saved in step 3g of the procedure for generating a private key for the API Portal (Generating a Private Key for the API Portal). Select the file and click 
      10. Click 
         and then examine the certificate details. In particular, ensure that the “Issued to:” value that is shown matches the internal user that you just created.
      11. Click 
         to complete the wizard. Your system is now configured for mutual authentication over SSL.
    2. Assign Administrative rights to the newly created user:
      1. Depending on the Policy Manager installed, do the following:
        • In the Policy Manager version 9.0, select Manage Roles
        • In the Policy Manager version 9.1 and above, select Users and Authentication > Manage Roles
      2. Select 
         from the list of Roles, click 
        in the Role Assignments section. The Search Identity Provider dialog box opens.
      3. Leave all settings at their defaults and then click 
      4. Select the user with the certificate “CN” name from Step 1 b (for example, 
        ) from the Search Results and then click 
        . This adds the user to the Administrator role.
      5. Click 
         to close the Manage Roles dialog.
    3. (Optional) To set up mutual SSL with the API Explorer, create a user account for it. See 2. Create a User Account for the API Explorer.
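The check in step 1.10 (the certificate's "Issued to:" value must match the internal user) can also be run from a shell before the file is imported. The script below is an added example, not part of the product documentation: it uses the standard openssl command line, the host name portal.example.com and the file names are constructed samples, and the exact, case-sensitive comparison is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not from the product documentation): pre-import check that a
# certificate's subject CN equals the Gateway internal user it will be attached to.

# Print the subject commonName (CN) of a PEM certificate file.
# If the subject carries several CNs, only the first one is printed.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= *//p' | head -n 1
}

# Succeed only if the file parses as a certificate and its CN is exactly the
# internal user name. Exact, case-sensitive comparison is an assumption here.
cn_matches_user() {
    cn_found="$(cert_cn "$1")"
    [ -n "$cn_found" ] && [ "$cn_found" = "$2" ]
}

# Constructed sample input: a throwaway self-signed certificate with the given CN.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example/CN=$2" \
        -keyout "$1/sample.key" -out "$1/sample.pem" 2>/dev/null
}

# Report whether a certificate is consistent with the given user name.
report() {
    if cn_matches_user "$1" "$2"; then
        echo "OK: CN matches user '$2'"
    else
        echo "MISMATCH: CN is '$(cert_cn "$1")', user is '$2'"
    fi
}

workdir="$(mktemp -d)"
make_sample_cert "$workdir" "portal.example.com"
report "$workdir/sample.pem" "portal.example.com"   # user named after the portal host
report "$workdir/sample.pem" "apiportal"            # user name that differs from the CN
rm -rf "$workdir"
```

A file that does not parse as a certificate yields an empty CN and is reported as a mismatch rather than silently passing.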