Custom Client Certificate for AFX connectors

In AFX REST Connectors (as different from SOAP Connectors) there isn't the ability to use a custom client certificate when needed.

We know that we can use the internal certificate (inside the AFX client.keystore) as a partial solution, but because this certificate is a self-signed certificate this is not always a possible solution. So, I need some clarification about:

1) Is there an intention to add such support in future versions of the product?

2) What about the Generic REST Collector? I didn't see this feature here either, so again: is there an intention to add support for two-way SSL (mutual authentication) in future versions?

  • Staines_ian (RSA Security)

    This is not a limitation of the Generic REST Connector only. None of the Connectors or Collectors currently support client-authenticated SSL. There is no technical limitation that would prevent RSA from adding support, but we need customers to express a concrete business need for this.

    If there is sufficient interest a product enhancement can be created.

    For other Connectors and Collectors the endpoint is implied in the name, but for REST API RSA needs to know the specific vendor endpoint that either supports or requires authenticated SSL connections. Some context as to why this is desirable would help prioritize the request.

  • ofg21 (ProLink Identity Management Ltd.)

    There is certainly a need for that. We had several projects where we were required to support client certificates for authentication and could not provide that out of the box.

    Here are two examples for vendor endpoints:

  • Staines_ian (RSA Security)

    Can you elaborate on what you mean by "required"? Do these endpoints only support client-authenticated SSL, or is it optional? Was the requirement part of the client's requirements or mandated by the API itself?

    Was this for both collectors and connectors? What type of connectors and collectors were these (Generic REST?)

  • Staines_ian (RSA Security)

    Regardless, I think RSA should consider this feature as it would be useful. My concern is that setting up and maintaining all the certificates required for this would be onerous. We already have a centralized repository for trusted SSL certificates, but this feature would have to be extended to track all the certificates for all the endpoints.

    When you envision setting this up for one Connector it seems simple, but imagine you have 20 different Connectors and Collectors with different client certificates expiring every 12-36 months. I think customers would also expect assistance in enrolling for certificates, and this is even more complicated.

    • ofg21 (ProLink Identity Management Ltd.)

      Any news on this one?

      To answer some of the questions you raised before:

      We see the gap mostly for the AFX REST Connector.

      Customers seem to "standardize" internally on how they want their inter-application comms to work, and most of the ones we encountered decided on using client certificates for authentication. Some are running "hundreds of integrations" using this method, and the fact that we don't provide this capability inhibits the use of the REST connector.
