# SSL Authentication in the GBDS API

## Introduction

The GBDS API supports SSL authentication of the connection between client and server using the TLS protocol, adding a layer of security. This manual covers the process for enabling SSL authentication in the GBDS API.

## Certificates

SSL authentication using TLS requires mutual authentication, so the first step is to generate the client and server certificates, which must have a valid format. The steps to enable two-way authentication are explained below.

### Server Certificates

A *Keystore* file and a *Truststore* file must be created on the server and placed in `/etc/griaule/keystore`. Both files must be in PKCS12 format (`.pfx` or `.p12`).

The public certification chains of the client and server certificates must be added to the *Truststore* to allow authentication.

### Client Certificates

A *Keystore* file and a *Truststore* file must be created on the client. These will be used to authenticate the application.

The public certification chain that belongs to the server must be added to the *Truststore* of the client application.

## API Configuration

Some configuration parameters must be edited or added to allow SSL authentication in the GBDS API. When all parameters are correctly included, the API service must be restarted to apply the changes in the configuration file.

{% hint style="warning" %}
When enabling SSL authentication in the GBDS API, TLS authentication will be required for any communication with the API port, with no possibility of communication via HTTP.
{% endhint %}

The API configuration file path is `/etc/griaule/conf/gbsapi/gbdsapi.properties` and the parameters to be modified are as follows:

**security.require-ssl**

> This parameter defines whether SSL is required for communication with the API. Its value must be set to `true` to enable SSL authentication.
>
> *value*: `true`

**server.ssl.protocol**

> This parameter defines the SSL protocol to be used in authentication. Its value must be set to `TLS`.
>
> *value*: `TLS`

**server.ssl.client-auth**

> This parameter defines whether client authentication is required for communication with the API. Its value must be set to `need`.
>
> *value*: `need`

**server.ssl.key-store**

> This parameter defines the path to the *Keystore* file that will be used on the server.
>
> *value*: `/etc/griaule/keystore/<keystore>.pfx`

**server.ssl.key-store-password**

> This parameter defines the password to be used when accessing the *Keystore* file for certificate validation.
>
> *value*: `<keystore password>`

**server.ssl.trust-store**

> This parameter defines the path to the *Truststore* file that will be used on the server.
>
> *value*: `/etc/griaule/keystore/<truststore>.pfx`

**server.ssl.trust-store-password**

> This parameter defines the password to be used when accessing the *Truststore* file for certificate validation.
>
> *value*: `<truststore password>`
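
The Python script below is an added example, not part of the GBDS documentation or Griaule's code: it audits the text of a `gbdsapi.properties` file against the values listed above and reports settings that differ, store paths outside `/etc/griaule/keystore` or not in PKCS12 format, and placeholders left unfilled. The sample input is constructed, and the function names `parse_properties` and `audit` are assumptions of this example.

```python
import re

# Values this page requires in gbdsapi.properties (compared literally).
REQUIRED = {"security.require-ssl": "true", "server.ssl.protocol": "TLS",
            "server.ssl.client-auth": "need"}
STORES = ("server.ssl.key-store", "server.ssl.trust-store")
KEYSTORE_DIR = "/etc/griaule/keystore/"  # directory named on this page
PKCS12_EXT = (".pfx", ".p12")

# Constructed sample with three mistakes; not from a real deployment.
SAMPLE = """\
security.require-ssl=true
server.ssl.protocol=TLS
server.ssl.client-auth=want
server.ssl.key-store=/etc/griaule/keystore/server.pfx
server.ssl.key-store-password=example-only
server.ssl.trust-store=/etc/griaule/keystore/<truststore>.pfx
"""

def parse_properties(text):
    """Parse key=value / key:value lines, skipping blanks and #/! comments."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"([^=:\s#!][^=:\s]*)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)  # a repeated key overrides the earlier one
    return props

def audit(text):
    """Return findings; an empty list means the settings match this page."""
    props, findings = parse_properties(text), []
    for key, want in REQUIRED.items():
        if props.get(key) != want:
            findings.append(f"{key}: expected {want!r}, found {props.get(key)!r}")
    for key in STORES:
        path = props.get(key, "")
        if not (path.startswith(KEYSTORE_DIR) and path.lower().endswith(PKCS12_EXT)):
            findings.append(f"{key}: {path!r} is not a .pfx/.p12 under {KEYSTORE_DIR}")
        elif "<" in path:
            findings.append(f"{key}: placeholder left in {path!r}")
        password = props.get(key + "-password", "")
        if not password or password.startswith("<"):
            findings.append(f"{key}-password: missing or still a placeholder")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The audit only inspects the configuration text; it does not open the store files or verify the certificates inside them.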

