Authentication by Client Certificate


Note: As a precondition, an HTTPS listener must be defined in the configuration file ./etc/hub.xml.

The protocols HTTPS, AS2 over HTTPS and OFTP2.0 over TLS use the SSL or TLS protocol on the transport layer to establish a secure channel through encryption. Usernames and passwords sent within this channel are much better protected against interception than they would be if sent via a 'clear text' channel (e.g. HTTP). However, this protection may not be sufficient for a communication partner, who might therefore, either in addition to or instead of the password, require the client to identify itself with a certificate. This certificate is called a client certificate because it proves the identity of the client, not that of the server or the service. It is a local certificate on the client side, which means that only the client has access to the private key.

Lobster_data supports client certificates for HTTPS, AS2 and OFTP if the communication partner requests authentication with a client certificate. You can also require that the partner logs on with its own client certificate. See section Local Certificates.

A special case is OFTP via TLS. The specification demands mutual identification of the partners via a certificate. This certificate therefore serves as server certificate and client certificate at the same time, depending on the direction in which the connection is set up. For outbound connections, it is the client certificate.

For all outgoing connections of the protocols AS2 via HTTPS, OFTP via TLS and HTTPS, the client certificate used is the local certificate assigned to the partner channel. So it is the same certificate that is used to sign messages/files. With AS2, separate certificates can be used for encryption and signing.

An authentication by client certificate is only possible through a partner channel. A Response Route without a partner channel cannot be used for this.

See also section HTTPS Client.