Two-way HTTPS Mutual Certificate Authentication through Relay Server or Reverse Proxy

  1. The remote client establishes a two-way HTTPS connection with the relay server/reverse proxy by presenting its own client certificate. If the client certificate is not trusted by the relay server/reverse proxy, the connection cannot be established.
  2. After the connection is established, the remote client sends its request to the relay server/reverse proxy.
  3. The relay server/reverse proxy forwards the client request to SAP Mobile Platform over a connection established with its own certificate, and adds the remote client certificate to the forwarded request as the SSL_CLIENT_CERT HTTP header.
  4. SAP Mobile Platform determines the security configuration for the request.
  5. SAP Mobile Platform authenticates the relay server/reverse proxy's certificate and ensures it has the "SUP Impersonator" role. If the relay server/reverse proxy's certificate is not mapped to the "SUP Impersonator" role in the security configuration, a 403 error is returned to the remote client.
  6. SAP Mobile Platform retrieves the remote client certificate from the SSL_CLIENT_CERT HTTP header and passes it to the security configuration to perform authentication.
  7. If authentication succeeds, SAP Mobile Platform dispatches the client request to the corresponding service handler.
  8. For a proxy service, the proxy forwards the client request to the backend/gateway server by establishing an HTTPS connection with the remote client certificate.
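The server-side decision sequence of steps 5 through 7, written out as an added example (this is illustrative code, not SAP Mobile Platform's implementation). It assumes the TLS layer hands the handler the DER certificate presented on the inbound connection, that the security configuration maps certificate SHA-256 fingerprints to roles and to user identities, and that the proxy forwards the remote client certificate as PEM in SSL_CLIENT_CERT, either URL-encoded (as nginx's $ssl_client_escaped_cert variable does) or flattened onto one line with whitespace in place of line breaks. The certificate bytes are constructed filler, not real X.509 certificates, since the logic only needs their bytes.

```python
"""Steps 5-7 on the SAP Mobile Platform side (added example, not SMP code).

Assumptions: the peer certificate of the inbound TLS connection is available
as DER; the security configuration maps SHA-256 fingerprints to roles and to
users; SSL_CLIENT_CERT carries a PEM that is URL-encoded or whitespace-flattened.
All certificates below are constructed filler bytes, not real X.509.
"""
import base64
import hashlib
import urllib.parse
from typing import NamedTuple, Optional

IMPERSONATOR_ROLE = "SUP Impersonator"
PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed filler standing in for DER-encoded certificates.
PROXY_DER = b"constructed filler: relay server / reverse proxy certificate"
CLIENT_DER = b"constructed filler: remote client certificate"
ROGUE_DER = b"constructed filler: certificate nobody trusts"


def fingerprint(der: bytes) -> str:
    """Identify a certificate by the SHA-256 of its DER encoding."""
    return hashlib.sha256(der).hexdigest()


def to_pem(der: bytes) -> str:
    """PEM-encode DER bytes with 64-character base64 lines, as a proxy sees it."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def cert_from_header(value: str) -> bytes:
    """Recover DER bytes from an SSL_CLIENT_CERT header value.

    Accepts a URL-encoded PEM (nginx style) or a PEM whose line breaks were
    replaced by spaces/tabs; rejects anything that is not one PEM block with
    valid base64 (binascii.Error is a ValueError subclass).
    """
    text = urllib.parse.unquote(value)
    if PEM_HEADER not in text or PEM_FOOTER not in text:
        raise ValueError("SSL_CLIENT_CERT is not a PEM certificate")
    body = text.split(PEM_HEADER, 1)[1].split(PEM_FOOTER, 1)[0]
    der = base64.b64decode("".join(body.split()), validate=True)
    if not der:
        raise ValueError("SSL_CLIENT_CERT carries an empty certificate")
    return der


class SecurityConfiguration:
    """Stand-in for the security configuration selected in step 4."""

    def __init__(self, role_map: dict, trusted_clients: dict):
        self.role_map = role_map                # fingerprint -> set of roles
        self.trusted_clients = trusted_clients  # fingerprint -> user id

    def roles_for(self, der: bytes) -> set:
        return self.role_map.get(fingerprint(der), set())

    def authenticate_client(self, der: bytes) -> Optional[str]:
        return self.trusted_clients.get(fingerprint(der))


class Result(NamedTuple):
    status: int
    detail: str
    user: Optional[str] = None
    client_der: Optional[bytes] = None  # what a proxy service carries into step 8


def header(headers: dict, name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def handle_request(config: SecurityConfiguration, peer_der: bytes,
                   headers: dict) -> Result:
    """Apply steps 5-7 to one request; peer_der is the inbound TLS peer cert.

    The role check runs before the header is read, so a client that connects
    directly and forges SSL_CLIENT_CERT is refused unless its own certificate
    is mapped to the impersonator role.
    """
    if IMPERSONATOR_ROLE not in config.roles_for(peer_der):       # step 5
        return Result(403, "peer certificate lacks SUP Impersonator role")
    raw = header(headers, "SSL_CLIENT_CERT")                       # step 6
    if raw is None:
        return Result(401, "no forwarded client certificate")
    try:
        client_der = cert_from_header(raw)
    except ValueError as exc:
        return Result(400, str(exc))
    user = config.authenticate_client(client_der)
    if user is None:
        return Result(401, "client certificate not trusted")
    return Result(200, "dispatched to service handler", user, client_der)  # step 7


CONFIG = SecurityConfiguration(
    role_map={fingerprint(PROXY_DER): {IMPERSONATOR_ROLE}},
    trusted_clients={fingerprint(CLIENT_DER): "mobile-user-1"},
)
# Two ways a proxy may flatten the PEM into a single header value.
NGINX_STYLE = urllib.parse.quote(to_pem(CLIENT_DER))
SPACE_STYLE = to_pem(CLIENT_DER).replace("\n", " ")

if __name__ == "__main__":
    print(handle_request(CONFIG, PROXY_DER, {"SSL_CLIENT_CERT": NGINX_STYLE}))
    print(handle_request(CONFIG, ROGUE_DER, {"SSL_CLIENT_CERT": NGINX_STYLE}))
```

The ordering is the security point of step 5: the forwarded header is only believed once the connection peer has proven, by its own certificate, that it holds the impersonator role. For that to hold in a deployment, the relay server/reverse proxy must set (overwrite) SSL_CLIENT_CERT from the certificate it verified on its own TLS connection and must never pass through a value supplied by the remote client; that is a requirement on the proxy configuration, not something the backend can check.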