Settings in Cloud Container

Users

You can use the Users screen to create and manage administrators and other users. A User has a login identity, password, email address, and other descriptive attributes.

From the main Users screen, you can search for users, create a new user, delete an existing user, update existing user information, and reset the user password. If you have the User Management permission under Settings > Access Profiles > Administrative Permissions > User and Ownership Controls, you can either edit or delete users.

Note: You cannot delete your own user profile. If a user is deleted, then the user cannot be recovered and all assets created or modified by the user will appear in the Created By and Modified By columns as Unknown User{first two characters of the first name and last name}.

Click Reset Password to reset the user’s password. As soon as the password is reset, two different emails will be sent to the email address you provided during registration. One email will contain the user ID and the other email will contain the temporary password. Use the temporary password to log in. You will be asked to change your password.

Users who have the required access privileges under Settings > Access Profiles > Administrative Permissions > User and Ownership Controls can edit user information.

Adding Users

Note: A new user is created in webMethods Cloud Container when you log in for the first time using the Software AG Cloud login page with valid credentials. Roles associated with the user will be synchronized only during the first-time login to webMethods Cloud Container.

You can delete users from the Users page in webMethods Cloud Container. If you have created Users U1, U2, and U3 in Software AG Cloud, the first time U1 logs in to webMethods Cloud Container, user U1 will be created in webMethods Cloud Container. Now if U1 is deleted from Software AG Cloud but still exists in webMethods Cloud Container, U1 will not be able to log in to webMethods Cloud Container. If U1 is deleted from webMethods Cloud Container but still exists in Software AG Cloud, U1 will be created in webMethods Cloud Container when you again log in to webMethods Cloud Container.

If you have not created your account using the Software AG Cloud sign-up page, you can add users in webMethods Cloud Container.

To add a user if you have not created your account using the Software AG Cloud sign-up page

From the webMethods Cloud Container navigation bar, go to Settings > Users.
From the upper right part of the Users screen, click Add New User.

On the Basic tab, complete the following fields. Required fields are marked with an asterisk on the screen.

Field	Description
First name	User’s first name as it should appear in the platform.
Last name	User’s last name as it should appear in the platform.
Title	User’s professional title.
Access Profile	The access profile assigned to the User. Each User is assigned an access profile, which can be shared by other users. An Access Profile specifies the network locations (IP addresses) from where it is possible to login and administrative permissions. Select one of the following Access Profiles:- - Administrator - Provides permissions needed by the System Administrator. - Regular User - Provides permissions that are more appropriate for normal users. By default, the system administrator can change the Administrative Permissions associated with each Access Profile (except the above mentioned Administrator Access Profile), and can add additional Access Profiles, as needed. Note: By default, the Administrator and Regular User Access Profiles are associated with the Environment Management. If you have created a new Access Profile, ensure that the Access Profile you have created is associated with the Environment Management. See Adding or Updating Access Profiles for more information and for information on API Management Access Profiles and permissions.
Employee Number	Optional identification number for each employee.
Email	Email address of the user. User credentials will be sent to the specified email address. As soon as you add a new user, two different emails will be sent to the email address. One email will contain the user ID and the other email will contain the temporary password. Use the temporary password to log in. You will be asked to change your password.
User Name	User name is a unique name associated with each user and is required to log in. It can be an email address or an alphanumeric text string. Note: If you are a Software AG Cloud user, you will not be able to update the User Name.
Federation ID	Enter the Federation ID if your Identity Provider passes the Federation ID for Single Sign-On. The Federation ID acts as a user’s authentication across multiple IT systems or organizations. A federated identity means linking a person’s electronic identity and attributes stored across multiple distinct identity management systems.

On the Locale tab, complete the following fields:

Field	Description
Time Zone	Choose a Time Zone Code from the drop down list.
Date Format	Choose a Date Format from the drop down list. “mm” is “Month”, “dd” is “Day”, and “yyyy” is Year. Dates and Times are used throughout the platform, in Appointments, as Start/End Dates in Tasks, Expected Close Date, Estimated Start/End Date, Date Due, and so on. Default formats are specified under the Settings > Advanced Information tab. Administrators and Users can change the default selection in the Users screen.
Locale	This setting determines the language in which you will view the application. The value set by you here is the language applicable for your user profile, irrespective of the value set by the administrator in the Default Locale field of Company Information settings. For example, if you set the value in the Locale field as Chinese and the value set by the administrator in the Default Locale field of Company Information settings is English, then you will view all the application labels in the Chinese language.
Time Format	Select a 12-hour clock (hh:mm a) with AM/PM, or a 24-hour clock (HH:mm).

On the Address and Contact tab, complete the following fields:

Field	Description
Phone	Primary phone number for the user.
Mobile Phone	Mobile phone number for the user.
Fax	Fax number for the user.
Street Address	Street address for the user.
City	City for the user.
State/Province	State or province for the user.
Postal/Zip Code	Postal or ZIP Code for the user.
Country	Country for the user.

Click Add if you are adding a User or Apply if you are editing any User information.

You can fill the Address and Contact section later or the Administrator can fill the details by editing the record after the User has been added. The Address and Contact screen is also available under > My Profile > My Information tab.

Note: A User can log in, and then go to > My Profile > Edit to change the user details. The Administrator who created the User can also edit the User details.

Updating Users

To edit or update the user information

Note: If you have created your account using the Software AG Cloud sign-up page, that is, if you are a Software AG Cloud tenant, you can perform certain user management tasks like adding users, updating users, and resetting passwords only from the Software AG Cloud User Administration page.

From the webMethods Cloud Container navigation bar, click Settings > Users.
Select a user from the list, and then click Edit.

Make necessary modifications. See Adding Users for information on the relevant fields. You can also enter or update the following information on the Address and Contact tab. Required fields are marked with an asterisk on the screen.

Note: If you are a Software AG Cloud user, you will not be able to update the User Name.

Field	Description
Phone	Primary phone number for the user.
Mobile Phone	Mobile phone number for the user.
Fax	Fax number for the user.
Street Address	Street address for the user.
City	City for the user.
State/Province	State or province for the user.
Postal/Zip Code	Postal or ZIP Code for the user.
Country	Country for the user.

Click Apply.

The default initial information comes from the > Company Information page, but you can modify it here.

Note: A user can log in and then go to > My Profile to change the user details. The administrator who created the user can also edit the user details.

Note: If you have the User Management permission under Settings > Access Profiles > Administrative Permissions > User and Ownership Controls, you can either update or delete users. You cannot delete your own user profile. If a user is deleted, then the user cannot be recovered and all assets created or modified by the user will appear in the Created By and Modified By columns as Unknown User{first two characters of the first name and last name}.

User Profile

If you are on the My Information page > My Profile > My Information, the page provides profile information for the logged in user for the webMethods Cloud Container instance.

If you are on any user profile page, (Settings > Users > Click on the User Name link), the page provides profile information for the selected user for the webMethods Cloud Container instance.

You can view the Basic, Locale, and the Address and Contact information.

Click Edit to update the information.

Resetting Passwords

Note: This page is not applicable if you have created your account using the Software AG Cloud sign-up page.

Note: If you have created your account using the Software AG Cloud sign-up page, that is, if you are a Software AG Cloud tenant, you can perform certain user management tasks like adding users, updating users, and resetting passwords only from the Software AG Cloud User Administration page.

To reset a user’s password if you have not created your account using the Software AG Cloud sign-up page

From the webMethods Cloud Container navigation bar, go to Settings > Users.
For the user whose password is to be reset, select the user and click Reset Password.

webMethods Cloud Container sends two different emails to the email address you provided during registration. One email will contain the user ID and the other email will contain the temporary password. Use the temporary password to log in. You will be asked to change your password.

Note: A User can log in, and then go to My Profile to change the user details. The administrator who created the User can also edit the User details.

Security Question

Note: This page is not applicable if you have created your account using the Software AG Cloud sign-up page.

To update the Security Question and Answer

From the webMethods Cloud Container navigation bar, go to > My Profile > Security Question.
Select a Security Question and type a Security Answer. You can change the Security Question associated with your Account Login/Password.
Click Submit.

Note: The User name and Email address can differ, depending on the settings specified in the > My Profile > My Information page.

Change Password

Note: This page is not applicable if you have created your account using the Software AG Cloud sign-up page.

To change your password

From the webMethods Cloud Container navigation bar, go to > My Profile > Change Password.
Type your current password in the Old Password field, your new password in the New Password field, and again retype your new password in the Retype New Password field.
Click Submit. You will receive a confirmation email about your changed password.

My Certificate

webMethods Cloud Container allows you to store client certificates and associate a certificate with a user account. When a client presents one of these certificates, webMethods Cloud Container logs in the client, as the user mapped to the certificate. You can view the client certificate for the logged in user on the My Certificate page.

To view the certificate

From the webMethods Cloud Container navigation bar, click > My Profile > My Certificate.
If a certificate is configured for the user, the View Certificate panel displays the configured certificate. You can click Download to download the user certificate or click Delete to delete the user certificate. The downloaded file is named as .crt.
In the Upload New Certificate field, click Browse to upload a new client certificate signed by a trusted Certificate Authority (CA).
In the Generate Private Key and Certificate field, click Generate if you want webMethods Cloud Container to generate a private key and a new Cloud signed client certificate. webMethods Cloud validates it against the issuer of the certificate. The generated certificate is named as .txt.

Capability

The Capability ( > Licensing) page allows you to view the status of some of the system capabilities, based on your license offering.

You can view the details of the following capabilities in webMethods Cloud Container:

Field	Description
Max allowed cores	Maximum number of CPU cores allowed across all active solutions and all environments for the tenant. You will not be able to create additional solutions if you exceed this capability.
Max allowed memory	Maximum memory capacity allowed across all active solutions and all environments for the tenant. You will not be able to create additional solutions if you exceed this capability.
Trial account	If Yes, then the account is a trial account.

Note: webMethods Cloud Container supports Transaction-based pricing. A transaction is the execution of a top-level service or API call. When you sign-up for webMethods Cloud Container, you are requested to provide a unique enivronment name. Generated data is collected against the environment name and sent to the Metering server where the data is aggregated. Click here for more information on Metering.

Access Profiles

An Access Profile specifies a collection of permissions that can be applied to multiple users. Each user is assigned an Access Profile, which can be shared by other users.

Users who have the required access privileges under Settings > Access Profiles > Administrative Permissions > User and Ownership Controls can edit the Access Profiles information.

An Access Profile specifies:

The network locations (IP addresses) from where it is possible to login.
Administrative permissions.
Container user groups
The default Access Profiles are:
- Administrator, which provides permissions needed by the System Administrator.
- Regular User, which provides permissions that are more appropriate for normal users.

Note: The webMethods Cloud Container User role in Software AG Cloud maps to the Regular User access profile in webMethods Cloud Container. Users assigned to the webMethods Cloud Container User role have limited permissions that are more appropriate for normal users.

By default, the system administrator can change the Administrative Permissions associated with each Access Profile and can add additional Access Profiles, as needed.

To edit an existing Access Profile, select the profile and click Edit. To delete an Access Profile, select the profile and click Delete. You will not be able to delete an Access Profile if it is used by a user. To create a new Access Profile, click Add New Access Profile.

Note: The Access Profile ID is needed while configuring Single Sign-On (SSO). You have to provide the ID while configuring the Identity Provider (IDP), if you want to create a user. The newly created user will be associated with the Access Profile represented by the ID sent by the IDP in the SAML Response. The name of the SAML attribute that designates the user’s access profile must contain the ID of the Access Profile.

Adding or Updating Access Profiles

Use the Access Profiles screen to create or edit profiles assigned to users.

To add or update an Access Profile

From the webMethods Cloud Container navigation bar, go to Settings > Access Profiles.
Click Add New Access Profile to add a custom access profile or click Edit to modify an existing Access Profile.

On the Add New Access Profile > Access Profile Information tab, complete the following fields. Required fields are marked with an asterisk on the screen.

Field	Description
Name	Provide a name for the Access Profile. You can reference the profile by name when assigning it to a user.
Description	Provide a general description for the Access Profile.

On the Login IP Address Restrictions page, complete the following fields:

Field	Description
IP Address Ranges	For extra security, enter ranges of IP addresses from which users are allowed to access the platform. If a user attempts to login from a computer on a network outside of the specified range, access to the platform is denied. Note: A maximum of 25 IP address ranges can be specified. You can add, modify, and delete the entries. Accepted format is xxx.xxx.xxx.xxx - yyy.yyy.yyy.yyy, where xxx and yyy are numbers in the range 0-255 and xxx.xxx.xxx.xxx is less than or equal to yyy.yyy.yyy.yyy. To specify a single IP address, use the same IP address for the start and endpoint of the range: 192.168.1.1 - 192.168.1.1

Field

Description

IP Address Ranges

For extra security, enter ranges of IP addresses from which users are allowed to access the platform. If a user attempts to login from a computer on a network outside of the specified range, access to the platform is denied.
Note: A maximum of 25 IP address ranges can be specified. You can add, modify, and delete the entries. Accepted format is xxx.xxx.xxx.xxx - yyy.yyy.yyy.yyy, where xxx and yyy are numbers in the range 0-255 and xxx.xxx.xxx.xxx is less than or equal to yyy.yyy.yyy.yyy. To specify a single IP address, use the same IP address for the start and endpoint of the range: 192.168.1.1 - 192.168.1.1

When a user attempts to log in, the IP address of the system the request originated from is checked against the configured settings. If the address is in the allowed range, the user can continue the login process. Otherwise, login is denied. Access violations are recorded in the audit log, identifying both the user and the IP address from where the login attempt originated. Login restrictions do not apply to Customer Support logins.

On the Administrative Permissions page, select the operations a user can perform in order to access, view, create, update, upgrade, administer, execute, export, deploy, and delete and to allow the user to customize selected aspects of the platform.

Field	Description
Global Permissions
User and Ownership Controls	User Management - Select this option if you want to add, update, delete users, or assign users to Access Profiles. Access Control - Select this option if you want to allow a user to modify Access Profiles, edit ACLs, specify user application access rights, manage Access Profiles, specify the password policy, create, edit, and delete OAuth 2.0 clients and scopes, and delete OAuth 2.0 tokens. Manage Personal Setup - Select this option if you want to allow a user to modify the personal information, and generate or edit the user’s own certificate.
Account Controls	Manage Company Capabilities - Select this option if you want to allow users to modify the company information. Allow User Interface Access - Select this option if you want to allow users to log in to webMethods Cloud Container and access the user interface. Clear this option if you want to deny users to access the user interface. Further, even if you clear this option, all users can still interact with webMethods Cloud Container using REST interface calls. Note: If the Allow User Interface Access permission is not enabled for a user but if the user is a Partner user, that user will still be able to perform on-premises tasks.
Data Management Controls	Manage Audit Log - Select this option if you want to allow users to view the Audit Log. If this option is enabled, the Audit Log page will be displayed. If not selected, the user will not be able to view the Audit log page. To view the Audit Log screen, from the Cloud navigation bar, click Monitor > Audit Log.
Functional Controls	Select the required options under Assets, Environments, Advanced Security, Solution, and Unit Tests. You must select the required permissions to deploy, execute, administer, create, and delete those functions.

The Solution Permissions page displays the Integration Server User Groups for all the solutions. You can map webMethods Integration Server user groups to an Access Profile. Enter the names of the webMethods Integration Server User Groups separated by a comma, for example, Administrators, Developers, and so on. webMethods Cloud users who are assigned to this Access Profile will then be a part of the webMethods Integration Server user group(s) and can perform tasks allowed for those user groups. If you do not map an Access Profile to a webMethods Integration Server user group, you will not be able to view, edit, or run webMethods Integration Server services in a solution. For information about user groups, see the Managing Users and Groups section in the webMethods Integration Server Administrators Guide.

Note: webMethods Cloud Administrator profiles are automatically assigned to the webMethods Integration Server Administrators User Group.
Click Apply. The new Access Profile appears in the Access Profiles page.
Click on the Access Profile link in the Access Profiles page. In the Associated Users page, you can view the active users associated with the selected Access Profile. In the Associated ACLs page, you can view the Access Control Lists associated with the selected Access Profile.

Updating Company Information

You can view and update the company information and use them across all applications in the platform.

To update the Company Information

From the webMethods Cloud Container navigation bar, go to Settings > Company Information.
Click Edit.

On the Basic tab, complete the following fields. Required fields are marked with an asterisk on the screen.

Field	Description
Tenant ID	This is the unique ID assigned to your organization’s tenancy on the platform. Note: This field cannot be edited and appears in view only mode under the Basic tab.
Sub Domain	This is the unique sub domain that you specified during registration. A sub domain is a domain that is part of a main domain. For example, suppose you are at ABC Company and you decide to use “abc” as your unique sub domain. With that setting, you will access your instance of the platform at `https://abc.container.webmethodscloud.com`. Note: This field cannot be edited and appears in view only mode under the Basic tab.
Company Name	The name of the company. This field accepts only alphanumerics, spaces, and hyphens (-). The company name is automatically populated from the Registration screen.
Street	The street address of the company.
City	The city where the company is located.
State/Province	The state or Province where the company is located. The state or province name is automatically populated from the Registration screen.
Postal/Zip Code	The postal or zip code for the company.
Country	The country where the company is located. The country name is automatically populated from the Registration screen.

On the Advanced Information tab, complete the following fields:

Field	Description
Time Zone	Choose your time zone from the drop down list.
Time Format	Choose a time format from the drop down list. You can choose a 12-hour clock with AM/PM or a 24-hour clock. hh:mm a - 12-hour clock - 3:30 AM, 3:30 PM HH:mm - 24-hour clock - 3:30, 15:30
Date Format	Choose a date format from the drop down list. mm is “Month”, dd is “Day”, yyyy is Year and the delimters are:(/) slash or stroke(-) dash or hyphen(.) period, dot, or full stop.
Default Locale	This setting determines the language for the tenant. Note: Users within a tenant can set their preferred language from the Users > Locale tab. For example, if you set the value here as English and the user for this tenant sets the value as Chinese in the Locale field, then the user will see all the application labels in the Chinese language. For more information, see Adding Users.
Last Modified	This field displays the date and time when the company information record was last updated. This field cannot be edited and appears in view only mode.

Password Policy

Note: This page is not applicable if you have created your account using the Software AG Cloud sign-up page. Password policies are defined in the Software AG Cloud User Administration page.

A Password Policy defines password requirements and login protections. Users who have the Access Control permission under Settings > Access Profiles > Administrative Permissions > User and Ownership Controls can edit the Password Policy information.

You can view the password policies for the webMethods Cloud Container instance in this screen. For more information, see Updating Password Policy Settings.

Click Edit to modify the password policy information.

Updating Password Policy Settings

Note: This page is not applicable if you have created your account using the Software AG Cloud sign-up page. Password policies have to be defined in the Software AG Cloud User Administration page.

You can set password policies for users on the Update Password Policy page.

To update the Password Policy

From the webMethods Cloud Container navigation bar, click Settings > Password Policy.
Click Edit.

On the Update Password Policy page, make the necessary modifications.

Field	Description
Minimum Length	Select the minimum number of characters in the password.
Required Character types	This option defines the level of security for passwords, which can be simple and allow any character combination, or very secure, requiring upper and lower case characters, as well as special characters.
Expires in	Select the number of days the password will remain valid before the user will be prompted to change it. By default, no user is exempt from the Password Policy. You can specify a user to be excluded from the password expiration policy by selecting Never.
Password Never Expires for	Select the users for whom the password will never expire. Only active users appear in the list. You can make an user account active by selecting the Settings > Users > Update User > Basic tab > Active option.
New Password cannot match	The new password cannot match the number of previous passwords.
Minimum Age	Select the number of days that must pass before a user can change passwords.
Session Timeout	Select the length of time the session will remain active without any user activity. The session will end when it reaches the selected timeout. The user will need to log in again.
Account Lockout Threshold	Select the number of login attempts before the account is locked out. The login limit defines the number of failed attempts allowed before a user account is disabled or locked for a specified time. When a user attempts to login and fails (because of an incorrect password), each attempt counts against the login limit. When the login limit is achieved, the account is disabled or locked for a specified time, according to the parameters set in the Account Lockout Duration field. The login limit is defined by the Password Policy.
Account Lockout Duration	Select the length of time that an account is locked out.
Record Information	For audit purposes, the following information is displayed after you save the record: Last Modified By on {date} Created by System.

Click Apply.

Client Certificate

Secure Sockets Layer (SSL) is a means of securing communications over a network so that only the sender and receiver have access to the sensitive data.

In a one-way SSL connection, an anonymous client authenticates the credentials of a server in preparation for setting up a secure transaction. In most cases, the server knows nothing about the client’s identity because verification of its credentials is not required. When desired, the client can be authenticated using basic authentication by providing a username and password. This type of authentication typifies connections where a browser establishes a connection to a server to perform a secure transaction, for example, viewing a savings account, or buying items with a credit card. The client must authenticate the server’s credentials before initiating the transaction, but it is not necessary for the server to authenticate and keep a record of every possible client (browser). This type of connection is typically one where a partner application or resource needs to verify the authenticity of the server without itself needing to be authenticated.

Two-way SSL authentication refers to two parties authenticating each other by verifying the provided digital certificate so that both parties are assured of the others’ identity. It refers to a client (web browser or client application) authenticating itself to a server and the server authenticating itself to the client by verifying the public key certificate or digital certificate issued by the Certificate Authorities (CAs).

webMethods Cloud Container supports two-way SSL for inbound connections. The request for an SSL connection originates from a client. During the SSL handshake process, the entity acting as the SSL server responds to the request for a connection by presenting its SSL credentials (an X.509 certificate) to the requesting client. If those credentials are authenticated by the client, either:

An SSL connection is established and information can be exchanged between the client and server.
The next phase of the authentication process occurs, and the server requests the SSL credentials of the client. If the server verifies those credentials, that is, the client’s identity, an SSL connection is established and information exchange takes place.

Note: When a client or partner application submits a request to webMethods Cloud Container using HTTPS on port 8443, and a two-way SSL connection is established, the client acts as the SSL client and webMethods Cloud Container acts as the SSL server.

The following table provides a high-level roadmap for configuring SSL.

Task	Activities	Notes
Create keys and certificates	Generate a public key/private key pair. Generate a certificate signing request (CSR) and send it to the certificate authority (CA) for signing. Receive validated certificate from the CA.	Two-way SSL connection requires a valid client certificate.
Upload client certificate or generate a certificate	Upload the CA signed client certificate for the user in the Client Certificate page or generate a private key and a new webMethods Cloud Container signed client certificate.	Required for two-way SSL connections.
Connect to webMethods Cloud Container using the client certificate.	Configure the REST client with the private key and certificate. Optionally you can also pass the basic authentication credentials.	webMethods Cloud Container support two-way SSL on port 8443.

Users who have the User Management permission under Settings > Access Profiles > Administrative Permissions > User and Ownership Controls can generate or edit any client certificate. Users who have the Manage Personal Setup permission under Settings > Access Profiles > Administrative Permissions > User and Ownership Controls can generate or edit the user’s own certificate.

See Adding Client Certificates for information on how to add client certificates.

Adding Client Certificates

webMethods Cloud Container allows you to store client certificates and associate a certificate with a user account. You can add client certificates for users on the Client Certificate page. When a client presents one of these certificates, Cloud Container logs in the client, as the user “mapped” to the certificate.

To add a client certificate

From the webMethods Cloud Container navigation bar, click Settings > Client Certificate > Manage Certificate.
In the Client certificate type, select Tenant level or User level option.
Tenant level certificate enables you to configure the organization level certificate, such that traffic coming for execution can be authenticated against the tenant certificate. For user level, User certificate is the certificate associated with a unique user in the tenant eco-system which can identify the user for authentication purposes.
In the User field, select a user. Only active users are listed in the User field.
In the Upload New Certificate field, click Browse to upload a new client certificate signed by a trusted certificate authority (CA). If a certificate is configured for a user, the Certificate Details panel displays the configured certificate. You can click Download to download the user certificate or click Delete to delete the user certificate. The downloaded file is named as .crt.
In the Generate Private Key and Certificate field, click Generate if you want webMethods Cloud Container to generate a private key and a new webMethods Cloud-signed client certificate. webMethods Cloud Container validates it against the issuer of the certificate. The generated certificate is named as .txt which contains the private key and the client certificate.

Configuring Authentication Settings

webMethods Cloud Container allows you to precisely define security and authentication for API execution as well as messaging.

To configure security and authentication for API execution and Messaging

From the webMethods Cloud Container navigation bar, click Settings > Client Certificate > Authentication Settings.
Select the following two-way SSL security modes while configuring an SSL connection and click Save.

Modes	Description
Allow one-way and two-way SSL API execution calls (Credentials or Certificate)	Allows both one-way and two-way SSL API execution. With two-way SSL, If you have provided both credentials and certificate, the credentials are validated against the user and the certificate is verified but not validated against the user or tenant certificate. If you have provided only the certificate, the certificate is verified and validated against the user certificate.
Allow one-way and two-way SSL API execution calls	With two-way SSL, If you have provided both credentials and certificate, the credentials are validated against the user, and the certificate is verified against the user or tenant certificate. If you have provided only the certificate, the certificate is verified and validated against the user certificate.
Allow only two-way SSL API execution calls	With two-way SSL, If you have provided both credentials and certificate, the credentials are validated against the user, and the certificate is verified against the user or tenant certificate. If you have provided only the certificate, the certificate is verified and validated against the user certificate.

Executing Services using Two-way SSL

Summary

Two-way SSL authentication, also referred to as client or mutual authentication or certificate-based authentication, refers to two parties authenticating each other by verifying the provided digital certificate, so that both the parties are assured of the other’s Identity.

Two-way SSL authentication involves the following steps:

Client (Postman, SoapUI) requests access to protected resources of server (webMethods Cloud Container).
Server presents its certificate to the client.
Client validates the server’s certificate.
Client sends its certificate to the server.
Server verifies the client’s certificate.
If successful, the server grants access to the protected resources requested by the client.

In this tutorial, we will create a solution in webMethods Cloud Container, expose the services over HTTP (exposing the service over HTTP allows the services to be executed from an outside environment), and then execute the services using two-way SSL authentication by using a REST Client (Postman). You can also use the same technique for SOAP APIs, REST APIs, or any other exposed APIs.

Actors

Integration developers who develop and expose the integrations over HTTPS in webMethods Cloud Container.
Integration executors who runs integrations.

Before You Begin

You must have the permissions to create solutions and execute services in webMethods Cloud Container under Settings > Access Profiles > Administrative Permissions > Functional Controls > Solutions.

Make sure you deploy services from on premises using Designer.

Basic Flow

Log in to webMethods Cloud Container.
Create a Solution. For more information about creating solutions, see Creating a Solution
Click Settings > Client Certificate > Manage Certificate.
Select the User. You can either upload a certificate to the user if there are any available CA-signed certificates, or you can generate and assign a certificate to the user. Click Browse to upload a certificate if you want to use the user’s own certificate or click Generate Private Key and Certificate to generate and download the private key and certificate for the user.

Note: For Tenant level, basic authentication is mandatory for two-way SSL API execution calls.

After downloading the file, copy the private key to a file and name it as {privateKeyFileName}.key and the certificate to a file and name it as {publicKeyFileName}.crt.
Open the Postman REST client and click Settings > Certificates. Then click Add Certificate.
The Add Certificate page appears. Now configure the certificate and private key in Postman.
As shown in the above figure, specify the Host name and the port number as 8443. Specify the location of the key files, that is, the CRT file (certificate) and the KEY file (private key). Click Add to save the two-way SSL configuration.
Open a new tab in Postman and add the request details you have obtained from webMethods Cloud Container.
To execute the services, configure a POST request in Postman as shown below and click Send. Change the port to 8443 of your service. URL is https://mydomain.container.webmethodscloud.com:8443/<Your service URL>.

Exceptions

The following errors may occur in the REST Client when there is a certificate mismatch between what is specified in webMethods Cloud Container with what is sent from the REST Client.

The server could not send a response.
Self-signed SSL certificates are blocked.

Audit Log

Audit Log allows you to access logs related to additions, deletions, updations, export, schedule, skip, login, logout, password changes, record access attempts, access violations, deployments, restart Integration executions, resume Integration executions, and so on for a user.

To view the Audit Log, from the webMethods Cloud Container navigation bar, click Settings > Audit Log.

Note: The Audit Log page can be viewed only by administrators and users who have the Manage Audit Log permission under Settings > Access Profiles > Administrative Permissions > Data Management Controls.

By default, the Audit Log page displays the current day’s log entries, with the most recent entries listed on top. You can sort the log to view the latest log entries. You can also search the Audit Log for User, Type, or Operation.

Activity Date refers to the date and time when the event occurred. User refers to the name of the logged in user when the event occurred. Type refers to the type of log entry, for example, User, Login/Logout, Reference Data, Environments, Account, Application, Integration, License Agreement, Password Policy, Access Profile, Company, and so on. Operation refers to the action performed, for example, Export, Execute, Terminate, Add, Delete, Update, Login, Logout, and so on. Description refers to a summary of the action performed.

Click Modify Retention Period and specify the number of days for retaining the audit log entries. The Audit log has a maximum retention period of 30 days, entries older than this period will be deleted.

Click Download Audit Log if you want to download and export log entries for a specified period. You can download Audit logs only up to 30 days.