Certificate-based Authentication Queries


Details

Q: Is it possible to set Certificate-based authentication per individual API on an instance?

A: No, this is currently not possible. It is enabled either for all APIs or for none.

Q: Can you please confirm if certificate-based authentication will only affect accounts (or endpoints) using "REST API access policies"?

A: Once certificate-based authentication is enabled, it controls only the user's authentication and is not tied to any specific API. API access is controlled by the roles granted to the user and by the respective ACLs.

 

Additional Information

The scope of Certificate-based Authentication is to control a user's authentication into the instance, either via the UI or via Web Services. After successful authentication, the user can access the APIs based on their assigned roles.

As we understand it, user-to-certificate mappings are stored in the sys_user_certificate table, and all root and intermediate CA certificates are stored in the sys_ca_certificate table. Users can also add their client certificates from their user profile, provided the related root CA or intermediate CA certificate already exists in the sys_ca_certificate table.
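
The precondition above (the issuing CA must already be present before a client certificate can be added) can be checked locally before upload. The script below is an added example, not code from this article or the platform: it builds constructed test CAs and client certificates with OpenSSL and assumes the PEM bundle passed to `chains_to` mirrors the CA certificates uploaded to sys_ca_certificate.

```shell
#!/usr/bin/env bash
# Added example: every key and certificate here is constructed test material.
set -u
WORK=$(mktemp -d)

# make_ca <name>: self-signed root CA, standing in for a sys_ca_certificate entry
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_client <name> <ca>: client certificate issued by the named CA
make_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 1 -out "$WORK/$1.pem" 2>/dev/null
}

# issuer_of <cert.pem>: print the issuer DN, i.e. the CA that must be present
issuer_of() {
  openssl x509 -noout -issuer -in "$1"
}

# chains_to <client.pem> <ca-bundle.pem>: exit 0 only if the client
# certificate validates against the CA bundle
chains_to() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

make_ca trusted-ca            # the CA assumed to be uploaded to the instance
make_ca other-ca              # a CA that was never uploaded
make_client alice trusted-ca
make_client bob other-ca

for user in alice bob; do
  if chains_to "$WORK/$user.pem" "$WORK/trusted-ca.pem"; then
    echo "$user: issuing CA is in the bundle"
  else
    echo "$user: issuing CA missing; $(issuer_of "$WORK/$user.pem")"
  fi
done
```

A passing check only covers the authentication precondition; what the user can reach afterwards is still decided by roles and ACLs.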