[Factory Configuration] Require Client Certificate system.webServer/security/access SslRequireCert
Web icon
Forge component by Stoyan Garbatov
Application Type
Traditional Web


My current challenge is to place an API Gateway in front of a set of exposed REST APIs. The exposed REST APIs should only serve resources when the requests originate from the API Gateway and otherwise return a 403 status code.

Most API Gatways are able to send a client certificate with their request to upstream - OS REST APIs in this case - services where the thumbprint of the certificate is then validated at the service. I tried to implement and configure this approach in OutSystems, but as of now without success. What i have done so far.

I created an extension to get the Client Certificate from the current request. This is the code

The action is intended to run in the OnAuthentication handler of my exposed REST APIs.

Since a Client Certificate is only available when requested by the server i also made a factory configuration with the following settings.

From my understanding this XSL should modify the <access> elements sslFlags attribute adding SslRequireCert to require a client certificate.

I assigned this configuration to my service module and republished the application.

Unfortunately the client certificate is still not required. It looks like the access element is not evaluated. Could also be that the access section has a no override flag set?

I assume that the XSL is working fine as at least the additional custom header is returned.

Has anyone experience with requiring a client certificate in OutSystems and can give me a hint?

Thank you,


Hi Stefan,

Just ruling out a basic problem... are the clients accessing the REST APIs directly on the OutSystems server address? No other network element in the middle, such as a load balancer?

Hi Joao,

Thank you for your reply.

iam using our development environment which has a single frontend server (OutSystems Cloud managed). 

So the client (in this case AWS API Gateway) communicates directly with the frontend server without any other service in between.

I guess the core issue is that the web.config transformation is not respected. If it would respect the SslRequireCert sslFlag the service should not return any data. For now it returns data, which should not be the case without a client certificate ?


Humm.. inbound traffic to the OutSystems Cloud should go through the Load Balancer and not directly to the server.
And the Load Balancer does not require Client Certificates.

I see. But if the frontend server is set to require a client certificate it should decline the forwarded request, which is not the case. At least not with the configuration i did above.

Lets leave the API Gateway for a moment.

If i query the endpoint directly (frontend server) with postman it should (if SslRequireCert would be respected) decline the request. For now it returns data normally

Ah. I have some news. I modified my XSL transform to overwrite the <access> element

which now gives me an error when publishing the application.

So i guess that my assumption is correct that the access section is set to non-override in the application host configuration. Can you confirm that? Any thoughts how to achieve the goal of requiring a client certificate for an exposed REST API endpoint? or is that out-of-scope and not supported at all?

Hi @Stefan Weber ,


Are you manage to solve this by anychance or any support from OS?

No. Unfortunately not. Did not receive an update on the topic.

Community GuidelinesBe kind and respectful, give credit to the original source of content, and search for duplicates before posting.