Access to REST services using two-way TLS


For web service access, we use two-way TLS for client authentication and access control. Two-way TLS is a protocol suitable for secure business-to-business authentication. In short, two-way TLS is an extension of regular TLS in which the client also identifies itself, using a client certificate. Early versions of TLS were named SSL.

A quick overview of two-way TLS is available on Wikipedia.

In addition, a number of tutorials are available at sites like Stackoverflow.

Trusting the certificates

For an application to be able to communicate over two-way TLS, two certificate chains must be supported.

Server certificate chain

The first is the server certificate chain. For server certificates, the E-Archive web domain uses a standard, widely supported certificate vendor. The current certificates are issued by VeriSign and DigiCert.

These are issued by CAs (certificate authorities) whose root certificates are present in most trust stores. To ensure support, the application framework (e.g. Java, .NET) should be kept up to date and its built-in trust store should be used. If this is not possible, the root CA certificates can be added to a dedicated trust store manually, but this is not a recommended solution. The server certificates themselves should never be added to a trust store, as they are routinely replaced.

Client certificate chain

For client certificates, certificates issued by a private CA are used. These are currently of the Eurida Connect type, but this is subject to change. See Client certificate for further details.

Protocol versions

TLS 1.2 is required for communication with E-Archive. TLS 1.0 and 1.1 currently work, but this is temporary and unsupported.
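The following is an added example, not code from this page or from E-Archive, showing how the three requirements above (server chain validated against the platform's built-in trust store, a client certificate chain for two-way TLS, and TLS 1.2 as the minimum protocol version) come together in a single Python client configuration using only the standard library. The host name, file names and the optional `extra_ca_file` fallback are assumptions for illustration; the client certificate and key files are whatever the private CA issued to you.

```python
import http.client
import ssl

# Placeholder values; replace with the real E-Archive host and your issued client files.
E_ARCHIVE_HOST = "e-archive.example.invalid"  # assumed host name, not a real endpoint
CLIENT_CERT_FILE = "client-chain.pem"         # assumed: client certificate chain from the private CA
CLIENT_KEY_FILE = "client-key.pem"            # assumed: matching private key


def build_mtls_context(cert_file=None, key_file=None, key_password=None, extra_ca_file=None):
    """Build a client-side SSLContext that follows the page's guidance.

    - create_default_context() loads the platform's built-in trust store and
      enables certificate verification plus host name checking, so the server
      chain (VeriSign/DigiCert roots) is validated without adding anything by hand.
    - minimum_version is pinned to TLS 1.2, so TLS 1.0 and 1.1 are refused
      even if the server still offers them.
    - The client certificate chain and key are loaded for two-way TLS.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2

    if extra_ca_file:
        # Fallback only: a root CA certificate added manually when the built-in
        # trust store cannot be used. Never load a server (leaf) certificate here;
        # those are routinely replaced and the connection would break on rotation.
        ctx.load_verify_locations(cafile=extra_ca_file)

    if cert_file:
        # Client identity for two-way TLS: chain file (leaf first) and private key.
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file, password=key_password)

    return ctx


def describe_policy(ctx):
    """Return the checks an operator would confirm before using this context."""
    return {
        "server_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_checked": bool(ctx.check_hostname),
        "min_tls_1_2": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
    }


def get(ctx, host, path="/"):
    """Issue a GET over the two-way TLS context and return (status, body)."""
    conn = http.client.HTTPSConnection(host, context=ctx)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    context = build_mtls_context(CLIENT_CERT_FILE, CLIENT_KEY_FILE)
    print(describe_policy(context))
    # status, body = get(context, E_ARCHIVE_HOST, "/rest/ping")  # needs real host and files
```

Without a client certificate loaded, the handshake still validates the server chain but E-Archive will reject the request, since the client side of the two-way exchange is missing; with a client certificate issued by a CA other than the expected private one, the server rejects it in the same way. If `describe_policy` reports anything but all `True`, the framework's defaults have been overridden somewhere and should be investigated before the client is deployed.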