Mutual Authentication for Web Services Security

ClearPath Forward Management Web Services Security Model

Client software that integrates programmatically with the ClearPath Forward Management Web Services (FMWS) through its Application Programming Interface (API) must be authenticated for each individual request. Authentication is achieved using Hypertext Transfer Protocol (HTTP) basic authentication together with mutual authentication (two-way authentication) using certificates. The communications protocol between the client and FMWS is Hypertext Transfer Protocol Secure (HTTPS) using Secure Sockets Layer (SSL) encryption. This is supported by two-way certificates for the Fabric Manager user interface and client software sides of communication. To configure the Fabric Manager server to accept requests from a client machine or application, the following information is required:

Authentication

A Base64-encoded string that contains the user name and password must be sent in the “Authorization” HTTP header.

Mutual Authentication

Mutual authentication, or two-way authentication (sometimes written as 2WAY authentication), refers to two parties authenticating each other at the same time. When mutual authentication using certificates is used, the server presents its own certificate to the client and also requests that the client provide a certificate.
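The two credentials described in the Authentication and Mutual Authentication sections, seen from the client side. This is an added example, not Unisys code; the function names, host name, file paths, and credentials are constructed placeholders.

```python
import base64
import ssl
import urllib.request


def basic_auth_header(user, password):
    """Build the value of the HTTP Basic "Authorization" header."""
    if ":" in user:
        # The first colon separates user name from password, so a colon in
        # the user name would make the server split the pair incorrectly.
        raise ValueError("user name must not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic_auth(header):
    """Recover (user, password): Base64 is an encoding, not encryption."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(token, validate=True).decode("utf-8")
    user, _, password = raw.partition(":")
    return user, password


def mutual_tls_context(ca_file, client_cert, client_key):
    """Verify the server against ca_file and present a client certificate."""
    # With cafile set, only that CA bundle is trusted; hostname checking and
    # certificate verification stay enabled (the defaults for SERVER_AUTH).
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def build_request(url, user, password):
    """Attach Basic credentials, refusing any URL that is not HTTPS."""
    if not url.lower().startswith("https://"):
        raise ValueError("Basic credentials must only travel over HTTPS")
    req = urllib.request.Request(url)
    req.add_header("Authorization", basic_auth_header(user, password))
    return req


# Usage with placeholder paths and host (assumptions, not from the page):
#   ctx = mutual_tls_context("ca.pem", "client.pem", "client.key")
#   req = build_request("https://fabric-manager.example.invalid/", "admin", "s3cret")
#   urllib.request.urlopen(req, context=ctx)
```

The client certificate loaded here must chain to one of the CA certificates that the administrator imports into the server trust store in the procedure below.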

Adding Certificate Authorities for Mutual Authentication

The Fabric Manager administrator should import the Certificate Authority (CA) certificates to be trusted into the server trust store. To do this, perform the following steps:

  1. Launch a virtual console from the Fabric Management Platform console and log in as root.

  2. Copy the CA certificates from the Fabric Management Platform to the following directory:

    /usr/local/ffm/jetty/etc

  3. Import each of the root and intermediate CA certificates to the Java keystore by entering the following command.

    Note: Angle brackets (< >) are used to represent variable data. Do not include them in the following command.

    # keytool -import -trustcacerts -alias <alias_name> -file <certificate_name> -keystore ffm_fmws_keystore.jks

    where <alias_name> is the name used to differentiate between two certificates (for example, fmws, CHRFWD, or FwdInt) and <certificate_name> is the name of the certificate file (for example, localhost.cer, keystore.crt, or ffm_fmws.pfx).

    Note: Repeat this step for all of the intermediate CA certificates for the primary certificate.

  4. The Fabric Manager services have to be restarted after all the CA certificates are imported. Enter the following command to restart the Fabric Manager services:

    # rcffmservices restart

    The Fabric Manager services are restarted.