Our PEGA application exposes a number of services to other non-PEGA applications to consume and basic authentication has been used for auth wherein the calling application passes the user identifier and password to the service.
However, our security requirement suggests we would be better off using mutual auth for this and we would like to know if there would be any challenges in achieving this.
My simple understanding of this was -
Store both the client and service provider certificates of both the applications involved in their corresponding servers and enable the "Require TLS/SSL for REST services in this package" setting in the service package.
Guidance from anyone who has done this before would be appreciated.
When you select this check box, all invocations of REST services belonging to this service package must use TLS/SSL, which uses the HTTPS protocol. If REST services are invoked by using HTTP, a code 403 status is returned with a warning.
Thus the service invocation has to be over HTTPS.
Ideally you should have SSL connection implemented on the Pega instance. This requires the application server configuration with valid keystore/certificates for the SSL enabling.
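For reference, an added example (not from this thread or from Pega) of the application-server side of that configuration, assuming the Pega instance runs on Tomcat 8.5 or later: the connector carries the server keystore and a truststore holding the calling applications' client CA, and `certificateVerification="required"` is what makes the TLS mutual. File paths, alias and passwords are placeholders.

```xml
<!-- Added example (not from the original thread): Tomcat 8.5+/9 HTTPS connector
     that requires a client certificate. Paths, alias and passwords are placeholders. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           maxThreads="150">
  <!-- certificateVerification="required" turns one-way TLS into mutual TLS:
       the handshake fails unless the caller presents a certificate that chains
       to a CA in the truststore. "optional" lets you observe which callers
       present certificates before enforcing; switch to "required" afterwards. -->
  <SSLHostConfig protocols="TLSv1.2,TLSv1.3"
                 certificateVerification="required"
                 truststoreFile="${catalina.base}/conf/partner-truststore.jks"
                 truststorePassword="CHANGE_ME_TRUSTSTORE_PASSWORD">
    <!-- Keep only the partner client CA(s) in this truststore, not the JVM
         default cacerts, so that any publicly issued certificate is not
         accepted as a client identity. -->
    <!-- Server identity presented to the calling application -->
    <Certificate certificateKeystoreFile="${catalina.base}/conf/pega-keystore.jks"
                 certificateKeystorePassword="CHANGE_ME_KEYSTORE_PASSWORD"
                 certificateKeyAlias="pega-service"
                 type="RSA"/>
  </SSLHostConfig>
</Connector>
```

The service package check box only forces callers onto HTTPS; the client-certificate requirement itself lives in this connector configuration, and the calling application must in turn trust the server certificate and present its own.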