Skip to content

How to Enable Authentication Between CSEs

For the Mca communication between an AE and a CSE, the CSE supports Basic Authentication and Bearer Token Authentication. These methods are supported for the HTTP and WebSocket bindings. The same authentication methods can be used for the communication between CSEs.

Authenticating to the Registrar CSE

For example, to enable basic authentication to authenticate access to the registrar CSE, one has to set the currect username and password in the acme.ini configuration file of the registrar CSE in the [cse.registrar.security] section, for example

Setting the username and password for http basic authentication with the registrar CSE
[cse.registrar.security]
httpUsername=aUsername
httpPassword=aPassword

The CSE then uses these credentials to authenticate the Mcc communication with the registrar CSE. Of course, the registrar CSE must be configured to accept these credentials. The same applies to the WebSocket binding. A similar configuration can be made for Bearer Token Authentication for the http or WebSocket bindings.

Authenticating Requests from the Registrar CSE

In return it is also possible to provide credentials that the registrar CSE must use for the Mcc communication with this CSE. http and WebSocket requests from the registrar CSE to this registree CSE can be authenticated using the same methods as described above.

The configuration for the CSE is done as well in the [cse.registrar.security] section of the acme.ini configuration file:

Setting the username and password for http basic authentication to be used by the registrar CSE
[cse.registrar.security]
selfHttpUsername=aUsername
selfHttpPassword=aPassword

Currently, only the http and WebSocket bindings support this kind of authentication, and only the basic authentication method is supported.

Note

This method adds the credentials to the URL in the point of access (PoA) attribute of the remote CSR resource.
This is not a secure method and should only be used in a secure and trusted environment.
Also, the implementation of the registrar CSE must support this method of authentication.