Validate client certificates in exposed webservice in OS-Cloud

Hi, 


We are *exposing* a REST API to external consumers from an OutSystems Cloud infrastructure and we want to secure that API by using client certificates. For that we would distribute the certificate to our external clients and ask them to include that certificate when calling our API. We would then like to be able to validate the incoming client certificate when the external client calls the API. 


Has anyone already implemented such a mechanism successfully in the OS-Cloud?


I understand that we would need to write our own extension to retrieve the client certificate from the webrequest but I would like to know upfront if there is anything that would block this on the infrastructural side (for instance the SSL-settings in IIS regarding the client certificates).


Regards,

Michel Coudron



2021-08-12 11-00-27
Nordin Ahdi
 
MVP

Hi Michel,

First of all, sorry for the late reply!

For this, you would normally need to set the HTTP Security property of the Exposed service to SSL/TLS with Client Certificates. If you set the HTTP Security property - which is only available in Traditional Web Applications - to this value and publish the module, the platform will configure the SSL settings for that specific module in IIS to Accept client certificates.

Now the problem is, that Service Studio does not have the SSL/TLS with Client Certificates as an option to choose from in the HTTP Security property for an Exposed REST API. This documentation on Secure HTTP Requests states the following:

  • SSL/TLS with client certificates: The HTTPS protocol is used in requests and client certificates are required. This option is not applicable to REST APIs and is not supported for OutSystems Cloud.

This would not necessarily mean that it is not possible to secure REST APIs with client certificates, but at least it is not a supported case for OutSystems Cloud.

Personally, I have only used this option to secure an Exposed SOAP service with client certificates but this was done on an On-Premises infrastructure. You should be able to do the same for OutSystems Cloud, but then again I do not know if that is even an option you want to consider.

I hope the above information was useful to you in a way.

Regards,

Nordin

2015-05-05 17-20-51
João Santos

Hi Nordin,

You did quote the correct documentation, but I'm afraid you misinterpreted it.

"This option is not applicable to REST APIs and is not supported for OutSystems Cloud" is an "AND".

So, it means:
1. This option is not applicable to REST APIs

AND

2. This option is not supported for OutSystems Cloud (this statement is valid for both REST and SOAP!)

Best,

Joao

2021-08-12 11-00-27
Nordin Ahdi
 
MVP

Hi Joao,

Thanks for providing some clarification on that point. That was indeed not clear to me at first glance.

Regards,

Nordin



2017-10-11 14-00-23
Michel Coudron

Hi Joao, Nordin,

Thanks for your replies. I was afraid that these would be your answers. Technically, it is just a matter of configuring the SSL settings to accept Client Certificates, so it is a pity that it is not supported by OutSystems. Especially since the reverse use case (consuming a REST API with client certificates) is supported.

So basically we are stuck and are forced to use basic authentication or OAuth2.

Thanks,

Michel

2025-11-03 12-56-18
Evert van der Zalm
 
MVP

Hi all,

Got an answer from OS which I also wanted to share here. It seems it's bound to a limitation in AWS where some information can be found here:

https://stackoverflow.com/questions/21245852/support-for-two-way-tls-https-with-elb

So I will request to add this to the information page so at least the why is also told.


Kind regards,

Evert


2015-05-05 17-20-51
João Santos

Hi,

To avoid any misunderstanding for whoever bumps into this thread...

The root cause is indeed the one you described, Evert, but keep in mind that the OutSystems Cloud now uses Application Load Balancers rather than Elastic Load Balancers. The limitation applies to both.

Best regards,

Joao


2025-11-03 12-56-18
Evert van der Zalm
 
MVP

João,

Thanks for the clarification, I've sent feedback to the documentation page to update it there so the information is mentioned in the right spot:

https://success.outsystems.com/Documentation/11/Developing_an_Application/Secure_the_Application/Secure_HTTP_Requests


Kind regards,
Evert

2015-05-05 17-20-51
João Santos

Maybe I misunderstood, but assuming your suggestion was to explain the root cause of the limitation in the Technical Documentation, I don't think that that would be a good idea. 

Technical Documentation is about stating what can be done or not, and how to do what you actually can do.

Additional content like this would make the documentation harder to consume, in my perspective. E.g. not all readers will know what an AWS ALB is.

But I'm curious about your views on that.

2017-10-11 14-00-23
Michel Coudron

João Santos wrote:

Maybe I misunderstood, but assuming your suggestion was to explain the root cause of the limitation in the Technical Documentation, I don't think that that would be a good idea. 

Technical Documentation is about stating what can be done or not, and how to do what you actually can do.

Additional content like this would make the documentation harder to consume, in my perspective. E.g. not all readers will know what an AWS ALB is.

But I'm curious about your views on that.

Hi João,

In theory, I agree with you. 

However, from the technical documentation, it is not clear that this is a real technical limitation of the OS/AWS Cloud. Sometimes these restrictions are based on OS policy (no customer-specific IIS settings). In fact, OS support explained that in this case it was based on policy, which now turns out to be only half the truth.

It would have made it much clearer to us that this is not possible in the OS/AWS-Cloud if the underlying reasons were mentioned.

So, maybe just a reference to the AWS documentation would be a good solution.

Regards,
Michel

 

2021-08-12 11-00-27
Nordin Ahdi
 
MVP

Hi João, Michel & Evert,

I tend to agree with Michel here.

To me, the technical documentation was not clear enough in stating that: "This option is not applicable to REST APIs and is not supported for OutSystems Cloud".

It leads one to think that there might be some kind of workaround possible, as stating that "the option is not applicable to REST APIs" meant to me - without knowing the why - that we simply do not have the SSL/TLS with Client Certificates option available to choose from in the HTTP Security property of REST APIs in Service Studio.

This is where I thought (and I think Michel & Evert did too) that maybe we could manually set the SSL settings in IIS to Accept client certificates for that specific module from where we expose the REST API.

Only after João provided the actual reason why it would still not work (the AWS ALB) did it become clear that this is not directly an OutSystems platform limitation, but an indirect one, since in this case the OutSystems platform runs on AWS, which has its own technical limitations.

So I think we just need to make it more clear in the technical documentation that it is not possible to secure REST APIs with client certificates in general and it is not possible at all to secure anything (Web Flows/Webscreens/SOAP/REST) with client certificates for OutSystems Cloud.

Regards,

Nordin


2018-11-08 13-17-54
Kilian Croese
 
MVP

Hi Michel Coudron, 


Given the limitations as discussed above, I would recommend putting an API management solution in front of OutSystems, like Azure API Management or Amazon API Gateway. This is quite easy to do and often not expensive at all. The API Management will then handle the authentication; as a bonus you'll get a ton of extra features relevant for exposed APIs that are relatively easy to configure, like monitoring, logging, throttling, etc.


You would then still have to protect the traffic between the API management solution and OutSystems. Quite often they have static IP addresses. So you could use a combination of an IP address filter, which you will have to model yourself in OutSystems, HTTPS, and some sort of username/password, token or key.


Good luck!

Regards,

Kilian 
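The backend-side checks Kilian lists (an allow-list of the gateway's static addresses, HTTPS only, and a shared key or token) can be modelled in a few dozen lines. The block below is an added example, not code from this thread or from OutSystems, and it is written in Python for illustration rather than as a C# extension. The gateway addresses, the `X-Gateway-Key` header name and the key value are constructed assumptions; a real deployment would take them from the API-management product's documented egress ranges and a secret store. One point the example makes that the post only implies: the allow-list must be checked against the actual TCP peer address, never against a client-supplied header such as `X-Forwarded-For`, because that header can be set by whoever bypasses the gateway.

```python
"""Backend-side filter for traffic forwarded by an API-management layer.

Added example (not from the forum thread or from OutSystems). All addresses,
header names and key values below are constructed for illustration.
"""
import hmac
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed allow-list: the gateway's static egress addresses (hypothetical).
GATEWAY_ALLOWLIST = [
    ipaddress.ip_network(n) for n in ("203.0.113.10/32", "198.51.100.0/29")
]

# Constructed shared secret the gateway injects into a header when forwarding.
# In practice this comes from a secret store, not from source code.
SHARED_KEY = "constructed-example-key-do-not-use"
KEY_HEADER = "X-Gateway-Key"  # hypothetical header name


@dataclass
class Request:
    """Minimal stand-in for an inbound HTTP request as seen by the backend."""
    remote_addr: str                      # TCP peer address, set by the server
    scheme: str                           # "https" or "http"
    headers: Dict[str, str] = field(default_factory=dict)


def is_allowed_source(addr: str) -> bool:
    """True if the peer address falls inside one of the allow-listed ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparsable address: fail closed
    return any(ip in net for net in GATEWAY_ALLOWLIST)


def key_matches(presented: Optional[str]) -> bool:
    """Constant-time comparison so response timing does not leak key prefixes."""
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), SHARED_KEY.encode())


def authorize(req: Request) -> Tuple[bool, str]:
    """Apply the three checks in order; return (allowed, reason)."""
    if req.scheme.lower() != "https":
        return False, "plaintext request refused"
    # Deliberately ignore X-Forwarded-For: it is attacker-controlled input.
    if not is_allowed_source(req.remote_addr):
        return False, "source not in gateway allow-list"
    if not key_matches(req.headers.get(KEY_HEADER)):
        return False, "missing or wrong gateway key"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run constructed requests through the filter and collect the outcomes."""
    cases = {
        "from_gateway": Request("203.0.113.10", "https", {KEY_HEADER: SHARED_KEY}),
        "from_gateway_range": Request("198.51.100.5", "https", {KEY_HEADER: SHARED_KEY}),
        "outside_range": Request("198.51.100.9", "https", {KEY_HEADER: SHARED_KEY}),
        "plaintext": Request("203.0.113.10", "http", {KEY_HEADER: SHARED_KEY}),
        "wrong_key": Request("203.0.113.10", "https", {KEY_HEADER: "guess"}),
        # Direct caller spoofing the gateway address via a header: still refused.
        "spoofed_xff": Request(
            "192.0.2.50", "https",
            {KEY_HEADER: SHARED_KEY, "X-Forwarded-For": "203.0.113.10"},
        ),
    }
    return {name: authorize(req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:20s} {'ALLOW' if ok else 'DENY ':5s} {reason}")
```

Order matters only for clarity of the denial reason; all three checks are required for a request to pass, and a failure of any one denies it. The `/29` entry shows that ranges work as well as single addresses, which is useful when the API-management product publishes a small CIDR rather than one fixed IP.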


