Hi Megi,

last time I did that was a while back, but I configured it like this:

1. In the mendix cloud you have the option for access-restriction-profiles. Here you can upload a Certificate Authority. This is used to validate if the incoming certificate is signed with the CA.

2. In the Path Based Access Restrictions of your application you can create or edit lines. Select the custom profile you created in step 1.

Now you have configured the incoming rules of your application. All connections to the REST service will be checked against the CA. If the certificate is not signed with the uploaded CA, there is no valid authorization.

3. In the outgoing connections section you can assign a certificate to a REST service. 

This service will then assign the uploaded certificate to the REST service and use it in all the calls for this REST service. Meaning on the otherside the certicate can be matches against the CA uploaded in step 1.

Using OpenSSL I created my own Certificate Authority (because when using a default provider, half the world has access to your REST service). With this CA you can create the needed certificates to assign to the REST service.

Hey Megi,

https://docs.mendix.com/refguide/custom-settings/

you need to manually add it to project and add to your yaml file.

Best regards, Slavko

In the private cloud this requires some infra changes and you probably need to configure stuff in the Kubernetes cluster yourself. We also tried to implement this, but failed.

So for the consuming Mendix application it's not that difficult: you can add a client certificate as Slavko describes. For the publishing Mendix application, the problem arises that it seems impossible to set different rules for different paths, see this StackOverflow question.

We ended up using JWT (JSON Web Tokens) instead of Client Certificates.

I'm still curious how Mendix has solved this in the public cloud