Basic authentication and SSL certificates
General behavior and certificate prerequisites
The web services support basic authentication and authentication via SSL certificates. Both authentication methods can be used in the same ImageMaster system.
- If the client provides an SSL certificate and the application server trusts this certificate, SSL authentication is performed.
- In all other cases, basic authentication is used.
By default, an ImageMaster user is authenticated with basic authentication based on the username and password.
- A user can be configured to have an SSL certificate (via AdminClient or SOAP web service). The SSL (X.509) certificate must be in PEM format.
- Once a user has an associated SSL certificate, login via username and password is denied for that user.
- Web service access for that user then requires the SSL certificate.
The certificate presented by the web service client must be trusted by the ImageMaster system's truststore, either directly or through its chain of issuers (see Adding SSL certificates to cacerts.jks). It must be an X.509 version 3 certificate whose extended key usage includes client authentication (id-kp-clientAuth, OID 1.3.6.1.5.5.7.3.2).
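The following Go program is an added example and not part of the ImageMaster documentation or product. It checks a client certificate against the prerequisites listed above before the certificate is handed to an administrator: PEM encoding, X.509 version 3, an extended key usage that includes client authentication, and a valid chain to a trusted issuer. It assumes a truststore modelled as a PEM bundle of issuer certificates instead of cacerts.jks; the issuer and client certificates are generated in memory as constructed test data, and the names CheckClientCertificate and newTestPKI are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CheckClientCertificate applies the documented prerequisites to a PEM-encoded
// client certificate: X.509 version 3, extended key usage "client authentication",
// and a chain to an issuer in trustPEM (a PEM bundle standing in for the
// certificates that would be imported into cacerts.jks).
func CheckClientCertificate(clientPEM, trustPEM []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(clientPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("client certificate is not a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("parse client certificate: %w", err)
	}
	if cert.Version != 3 {
		return nil, fmt.Errorf("certificate is X.509 version %d, version 3 is required", cert.Version)
	}
	// id-kp-clientAuth (OID 1.3.6.1.5.5.7.3.2) must be present in the EKU extension.
	hasClientAuth := false
	for _, eku := range cert.ExtKeyUsage {
		hasClientAuth = hasClientAuth || eku == x509.ExtKeyUsageClientAuth
	}
	if !hasClientAuth {
		return nil, errors.New("extended key usage does not include client authentication")
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(trustPEM) {
		return nil, errors.New("truststore bundle contains no PEM certificates")
	}
	// Verify also enforces the validity period and client-auth usage along the chain.
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, fmt.Errorf("certificate does not chain to the truststore: %w", err)
	}
	return cert, nil
}

// newTestPKI constructs, in memory, a self-signed issuer and a client certificate
// with the given extended key usages. Constructed test data, not ImageMaster's.
func newTestPKI(ekus []x509.ExtKeyUsage) (clientPEM, issuerPEM []byte, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER) // parsed copy carries the subject key id
	if err != nil {
		return nil, nil, err
	}
	clientTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "testUser"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: ekus,
	}
	clientDER, err := x509.CreateCertificate(rand.Reader, clientTmpl, caCert, &clientKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	toPEM := func(der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}) }
	return toPEM(clientDER), toPEM(caDER), nil
}

func main() {
	client, issuer, err := newTestPKI([]x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth})
	if err != nil {
		panic(err)
	}
	_, err = CheckClientCertificate(client, issuer)
	fmt.Println("client-auth certificate from trusted issuer:", err)
	// A certificate issued for TLS server use only fails the EKU check.
	serverOnly, issuer2, _ := newTestPKI([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	_, err = CheckClientCertificate(serverOnly, issuer2)
	fmt.Println("server-auth-only certificate:", err)
	// A correct client certificate whose issuer is not trusted fails the chain check.
	_, err = CheckClientCertificate(client, issuer2)
	fmt.Println("client certificate from untrusted issuer:", err)
}
```

The first call returns no error; the second is rejected before any chain building because id-kp-clientAuth is missing, and the third fails in Verify because the issuer is not in the bundle. Run the same three checks against a real certificate and a PEM export of cacerts.jks before importing anything or configuring the user.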
Adding SSL certificates to cacerts.jks
To enable authentication via SSL certificates, import the needed certificates for client authentication into the cacerts.jks keystore.
- Client certificates only need to be imported when they cannot be verified automatically, i.e. when their chain of issuers is not already trusted.
- It is necessary to add both the end-entity (client) certificate and the entire chain of its issuers to cacerts.jks. Import the issuers first, each under its own alias, so that keytool can verify the chain of the certificates imported after them. With the parameter "-trustcacerts", keytool additionally accepts a chain that ends in a certificate from the JDK's default cacerts file. If keytool cannot establish trust for a certificate, it prints the certificate and asks whether to trust it; confirm only after comparing the fingerprint with the value obtained from the certificate owner out of band.
- keytool accepts the certificate file in binary DER or in PEM (Base64) encoding. Use the following command:
keytool -importcert -alias new_client -file new-client.der -trustcacerts -keystore cacerts.jks
Also see Overview of keytool commands.
Configuring a certificate for a user
Once a certificate is configured for a user, the login via username and password will be denied for that user. To configure a certificate, use the AdminClient or a SOAP web service.
An example createUser request that sets a certificate looks like this. The PEM-encoded certificate, including its BEGIN and END lines, is passed in the sslCertificate element. The request still carries a password attribute, but once the certificate is set that password cannot be used to log in to the web services.
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:ns="http://www.tsystems.com/ima9/integrationws/messaging/201101">
  <soap:Header/>
  <soap:Body>
    <ns:createUser>
      <user name="testUser" fullName="testUser" isSystemUser="false" mail="test@user.de"
            isActive="true" expirationDate="2050-12-31"
            passwordExpirationDate="2050-12-31" isTwoFactor="false"
            isLocked="false" password="secret">
        <roles>
          <!--0 to 1000 repetitions:-->
          <role>roleAdmin</role>
        </roles>
        <!--Optional:-->
        <groups>
          <!--0 to 1000 repetitions:-->
          <!--<group>?</group>-->
        </groups>
        <properties>
          <!--0 to 10000 repetitions:-->
          <!--<property key="?">?</property>-->
        </properties>
        <!--Optional:-->
        <sslCertificate>-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----</sslCertificate>
      </user>
    </ns:createUser>
  </soap:Body>
</soap:Envelope>