Tech Tip: CA Single Sign-On: CA Access Gateway: Auth/AZ Web Service with Certificate Authentication

By Ujwol posted 11-24-2016 01:20 AM



In this guide, we will see how to invoke the REST Auth/AZ web service and pass the required client certificate when the service is protected with an X.509 certificate authentication scheme.


  • Web Agent/Policy Server: 12.52 and above
  • OS: Any

Prerequisites:

  • The root resource (/authazws/) for the Auth/AZ web service is protected with an X.509 authentication scheme.
  • The Apache web server component of CA Access Gateway (SPS) is configured for SSL connectivity.
  • Client (user) certificates for the authorised users are created.



TEST 1: REST Client (e.g. SoapUI)

SoapUI must be configured for X.509 client certificate authentication.

This has been detailed quite well here: How to configure SoapUI with client certificate authentication



TEST 2: REST Client (e.g. Java)

1. Add the CA certificate that signed the SPS Apache server certificate to the Java keystore as a trusted CA:

e.g. keytool -importcert -trustcacerts -alias ad2k8-01 -file RootCA-ad2k8-01.cer -keystore cacerts -storepass changeit -v


2. Modify the following properties in as per your environment

3. Modify the JDK home in java-build.bat and java-run.bat (Windows)

4. Compile the Test class by running java-build.bat (Windows)

5. Execute the class by running java-run.bat (Windows)

  Sample output :


Additional Information
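
For the Java client in TEST 2, the following is an added example (not the Test class from the original post) showing how a Java 11+ client can present the user certificate and trust the CA imported in step 1. The host name, the file names client-user.p12 and cacerts, and the environment variable names are assumptions; the request path and body for a real login call are not shown on this page and must come from the product documentation.

```java
import java.io.InputStream;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.util.Objects;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManagerFactory;

public class AuthAzMutualTlsClient {
    // Load a keystore file of the given type ("PKCS12" or "JKS").
    static KeyStore load(String type, String file, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(Path.of(file))) {
            ks.load(in, pass);
        }
        return ks;
    }
    // Read a password from the environment rather than hard-coding it.
    static char[] secret(String name) {
        return Objects.requireNonNull(System.getenv(name), name + " is not set").toCharArray();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values (assumptions): host, file names and variable names.
        URI endpoint = URI.create(args.length > 0 ? args[0] : "https://sps.example.com/authazws/");
        char[] keyPass = secret("CLIENT_P12_PASS");
        // Client certificate and private key presented in the TLS handshake.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load("PKCS12", "client-user.p12", keyPass), keyPass);
        // Trust only the CAs in the store from step 1; hostname verification stays on.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(KeyStore.getDefaultType(), "cacerts", secret("TRUSTSTORE_PASS")));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        SSLParameters params = new SSLParameters();
        params.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"});

        HttpClient client = HttpClient.newBuilder().sslContext(ctx).sslParameters(params).build();
        HttpResponse<String> resp = client.send(
                HttpRequest.newBuilder(endpoint).GET().build(), HttpResponse.BodyHandlers.ofString());
        System.out.println("HTTP " + resp.statusCode());
    }
}
```

A handshake failure here usually means the server CA is missing from the truststore or the client certificate was not issued by a CA the web server accepts; fix the stores rather than disabling certificate or hostname checks.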




08-28-2018 06:25 PM

Hi Ujwol. Do you know if there is a way to make the Authentication Web Service respond with the cause of the rejection when the user fails the login?


I know that this means revealing more information than we have to reveal, but my customer needs this for some specific process for integration with 3rd parties.

12-29-2017 07:59 PM

Good post. Attachment also helped.