Application Authentication with Client Certificate

To authenticate an application (app) using a certificate, you must first generate the client key and certificate files using an RSA 2048, RSA 4096, or EC key.

The following examples use an RSA 2048 key and an EC key:

  • Using RSA key:

    openssl req -newkey rsa:2048 -nodes -keyout client-key.pem -x509 -days 365 -out client-cert.pem
  • Using EC key:

    openssl ecparam -name secp521r1 -genkey -noout -out private-key.pem
    openssl ec -in private-key.pem -pubout -out public-key.pem
    openssl req -new -x509 -key private-key.pem -out cert.pem -days 360

The snippets below refer to the key and certificate as client-key.pem and client-cert.pem; if you used the EC commands, rename private-key.pem and cert.pem accordingly.

C#

# Create the PKCS#12 keystore (the export prompts for a password; note it, it is needed below)
$ openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -name "my-sdkms-app" -out client-sdkms.p12

// C# code
using System.Security.Cryptography.X509Certificates;

// Load the client certificate and private key from the PKCS#12 keystore
X509Certificate2 certificate = new X509Certificate2("client-sdkms.p12", "<pkcs12-keystore-pass>");
Configuration.Default.BasePath = "<Endpoint URL>";
Configuration.Default.Username = "<App UUID>";
// Present the certificate during the TLS handshake
Configuration.Default.ApiClient.RestClient.ClientCertificates = new X509CertificateCollection() { certificate };

AuthenticationApi authenticationApi = new AuthenticationApi();
AuthResponse response = authenticationApi.Authorize();
// Use the returned access token as a Bearer token on subsequent calls
Configuration.Default.AddApiKey("Authorization", response.AccessToken);
Configuration.Default.AddApiKeyPrefix("Authorization", "Bearer");

Go

import (
    "context"
    "crypto/tls"
    "crypto/x509"
    "log"
    "net/http"

    "github.com/fortanix/sdkms-client-go/sdkms"
)

// Load the client certificate and key generated above.
cert, err := tls.LoadX509KeyPair("client-cert.pem", "client-key.pem")
if err != nil {
    log.Fatal(err)
}
// Roots used to verify the server certificate; an empty pool would reject every server.
// Append a private CA with caCertPool.AppendCertsFromPEM if the endpoint uses one.
caCertPool, err := x509.SystemCertPool()
if err != nil {
    log.Fatal(err)
}
tlsConfig := &tls.Config{
    Certificates: []tls.Certificate{cert},
    RootCAs:      caCertPool,
}
httpClient := &http.Client{Transport: &http.Transport{TLSClientConfig: tlsConfig}}
client := sdkms.Client{
    Endpoint:   "<Endpoint URL>",
    HTTPClient: httpClient,
}
// The app UUID is the username and the password is empty; the client certificate is the credential.
_, err = client.AuthenticateWithUserPass(context.Background(), "<App UUID>", "")
if err != nil {
    log.Fatal(err)
}

Java

The client certificate and client private key must be supplied in a PKCS#12 keystore.

# Create the PKCS#12 keystore (the export prompts for a password; note it, it is needed below)
$ openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -name "my-sdkms-app" -out client-sdkms.p12

// Point the JVM's default TLS key manager at the keystore so the client certificate is presented
System.setProperty("javax.net.ssl.keyStoreType", "pkcs12");
System.setProperty("javax.net.ssl.keyStore", "</path/to/client-sdkms.p12>");
System.setProperty("javax.net.ssl.keyStorePassword", "<password of the PKCS#12 archive>");

ApiClient apiClient = new ApiClient();
apiClient.setBasePath("<Endpoint URL>");
apiClient.setUsername("<App UUID>");
AuthenticationApi authenticationApi = new AuthenticationApi(apiClient);
AuthResponse authResponse = authenticationApi.authorize();
// Use the returned access token as a Bearer token on subsequent calls
ApiKeyAuth bearerTokenAuth = (ApiKeyAuth) apiClient.getAuthentication("bearerToken");
bearerTokenAuth.setApiKey(authResponse.getAccessToken());
bearerTokenAuth.setApiKeyPrefix("Bearer");

Python

import sdkms.v1

config = sdkms.v1.Configuration()
config.host = "<Endpoint URL>"
config.username = "<App UUID>"
# Client certificate and private key presented during the TLS handshake
config.cert_file = "<client-cert.pem>"
config.key_file = "<client-key.pem>"
client = sdkms.v1.ApiClient(configuration=config)
auth_instance = sdkms.v1.AuthenticationApi(api_client=client)
auth = auth_instance.authorize()
# Use the returned access token as a Bearer token on subsequent calls
config.api_key['Authorization'] = auth.access_token
config.api_key_prefix['Authorization'] = 'Bearer'

REST API using curl

$ curl <Endpoint URL>/sys/v1/session/auth -X POST -u <App UUID>: --cert <client-cert.pem> --key <client-key.pem>
> {"token_type":"Bearer","expires_in":600,"access_token":"YhXwwa-6C...L9kRxswmPZkEFQ2ig5g","entity_id":"7916b324-33a1-4a06-8778-59ec0492bb10"}
# If prompted for a password, just press Enter

# Use the "access_token" as a Bearer token in other API requests, e.g.:
$ curl <Endpoint URL>/other_apis -H 'Authorization: Bearer YhXwwa-6C...L9kRxswmPZkEFQ2ig5g' --cert <client-cert.pem> --key <client-key.pem> ...
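The same REST exchange in Python using only the standard library, as an added example that is not part of this page or of the Fortanix SDK: it builds the Basic header that curl's `-u <App UUID>:` produces, presents the client certificate at the TLS layer, and goes beyond the curl call by tracking `expires_in` (600 seconds above) so the token is refreshed before it lapses. The endpoint, UUID and file names are placeholders, and the `transport` and `clock` parameters are hypothetical seams added so the logic can be exercised offline.

```python
import base64
import json
import ssl
import time
import urllib.request

AUTH_PATH = "/sys/v1/session/auth"

def basic_auth_header(app_uuid: str) -> str:
    # Equivalent of curl's "-u <App UUID>:": the UUID is the username and the
    # password is empty; the client certificate at the TLS layer is the credential.
    return "Basic " + base64.b64encode(f"{app_uuid}:".encode()).decode()

def parse_auth_response(body: bytes, now: float):
    # Returns (access_token, absolute expiry time) from the JSON shown above.
    data = json.loads(body)
    if data.get("token_type") != "Bearer":
        raise ValueError(f"unexpected token_type: {data.get('token_type')!r}")
    return data["access_token"], now + int(data["expires_in"])

class AppSession:
    """Holds the bearer token and re-authenticates before it expires."""
    def __init__(self, endpoint, app_uuid, cert_file, key_file,
                 transport=None, clock=time.time):
        self.endpoint, self.app_uuid, self.clock = endpoint.rstrip("/"), app_uuid, clock
        self._token, self._expires_at = None, 0.0
        if transport is None:  # real HTTPS POST with the client cert; hypothetical seam otherwise
            ctx = ssl.create_default_context()
            ctx.load_cert_chain(cert_file, key_file)
            opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
            def transport(url, headers):
                req = urllib.request.Request(url, data=b"", headers=headers, method="POST")
                with opener.open(req) as resp:
                    return resp.read()
        self._transport = transport

    def authenticate(self) -> str:
        headers = {"Authorization": basic_auth_header(self.app_uuid)}
        body = self._transport(self.endpoint + AUTH_PATH, headers)
        self._token, self._expires_at = parse_auth_response(body, self.clock())
        return self._token

    def bearer_header(self, skew: int = 30) -> dict:
        # Refresh when within `skew` seconds of expiry so in-flight requests do not fail.
        if self._token is None or self.clock() >= self._expires_at - skew:
            self.authenticate()
        return {"Authorization": f"Bearer {self._token}"}
```

Pass `bearer_header()` as the headers of every later request instead of copying a token into a script, so a lapsed token is renewed automatically.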

TIP

The user’s password, API key, or client certificate private key grants access to all the keys and methods that the user or application has access to. Protect these like any other sensitive information and do not store them in scripts.