Question
Lloyds Banking Group PLC
GB
Last activity: 10 Jul 2019 3:29 EDT
Mutual Auth for services exposed from PEGA
v7.3.1 | WAS 8.5.5
Our PEGA application exposes a number of services to other non-PEGA applications to consume and basic authentication has been used for auth wherein the calling application passes the user identifier and password to the service.
However, our security requirement suggests we would be better of using mutual auth for this and we would like to know if there would be any challenges in achieving this.
My simple understanding of this was -
Store both the client and service provider certificates of both the applications involved in their corresponding servers and enable the "Require TLS/SSL for REST services in this package" setting in the service package.
Guidance from anyone who has done this before would be appreciated.
Pegasystems Inc.
IN
Hi Leelabiram,
Hi Leelabiram,
When you select this check box, all invocations of REST services belonging to this service package must use TLS/SSL, which uses the HTTPS protocol. If REST services are invoked by using HTTP, a code 403 status is returned with a warning.
Thus the service invocation has to be over HTTPS .
Ideally you should have SSL connection implemented on the Pega instance. This require the application server configuration with valid keystore/certificates for the SSl enabling.
Thanks
Abhijit
Lloyds Banking Group PLC
GB
Thank you.
Question:
We don't want to use the user id / password used by basic authentication for the other consumers to connect to our services but want to use mutual auth.
Is this supported?