Client Certificates on Linux
If your mappings include Web service authentication through HTTPS by means of client certificates, follow these steps to deploy such mappings to a Linux machine running MapForce Server:
1.Open the mapping which calls the Web service.
2.Double-click the header of the Web Service component. The Component Settings dialog box appears.
3.Click Edit next to HTTP Security Settings.
4.In the HTTP Security Settings dialog box, click Client Certificate, and then select the required certificate from the Current User\Personal store on Windows (see Setting HTTP Security).
5.Save the mapping and compile it to a mapping execution file or deploy it to FlowForce Server (see Compiling Mappings to Server Execution Files and Deploying Mappings to FlowForce Server).
6.Transfer the client certificate required by the Web service call to the target operating system. Make sure that the certificate has a private key, and that the Enhanced Key Usage property of the certificate includes "Client authentication" as purpose.
To transfer the client certificate to Linux:
1.Export the client certificate with private key from Windows, in the Personal Information Exchange - PKCS #12 (.pfx) file format (see Exporting Certificates from Windows).
2.Copy the certificate file to the Linux machine.
3.Convert the .pfx file to .pem format using the command:
openssl pkcs12 -in cert.pfx -out "John Doe.pem" -nodes |
This command parses the .pfx file and outputs a .pem file, without encrypting the private key. Certificates with an encrypted private key prompt for password and are not supported in server execution.
Executing the mapping
To instruct MapForce Server to use the .pem file as client certificate, set the --certificatespath parameter when running the mapping. The --certificatespath parameter defines the path of the directory where all certificates required by the current mapping are stored. For example, if the certificate file path is /home/John/John Doe.pem, then --certificatespath must be set to /home/John.
By default, if the --certificatespath parameter is not provided, MapForce Server looks for certificates in the directory $HOME/.config/altova/certificates of the current user.
For the mapping to execute successfully, the certificate file is expected to have the .pem extension and the file name must match the Common Name (CN) of the certificate, including spaces (for example, John Doe.pem). If the CN contains a forward slash ( / ), it must be replaced with an underscore ( _ ) character. |
If you intend to execute the mapping as a FlowForce Server job, copy the certificate file to the $HOME/.config/altova/certificates directory. When running the job, FlowForce Server will use this directory to look for any certificate files required by the mapping.
For security considerations, make sure that certificate files are not readable by other users, since they contain sensitive information. |