Client authentication

When a client connects to the gateway, it must authenticate before it is allowed to read and edit the gateway configuration.

The API has two different authentication methods:

  • Basic Auth
  • Bearer Token

The login route uses Basic Auth and returns an authentication token. That token is then sent on the other routes using the Bearer Token method.

Server (gateway) authentication

When connecting a client to the gateway, you may also want to authenticate the gateway, to be sure you send the username and password to the gateway you intend and not to another server (for example an attacker's server impersonating it).

Server authentication is done the standard way on the internet: SSL/TLS certificates. The certificate is only used when you connect through https, so first make sure you connect with https on port 443, not plain http.

To authenticate a server, there are usually two mechanisms involved:

  • Check if the certificate can be trusted
  • Check if the certificate is valid for the accessed domain

Depending on the client you use, one or both of these checks are performed. Web browsers typically check both.

The server certificate on the gateway is generated at first boot. It is self-signed, so no browser or system trusts it by default: you must explicitly tell the client that this certificate can be trusted. The procedure depends on the client. Postman, for example, relies on the system certificate store. If you access the gateway programmatically, the HTTP library of the language you use generally lets you define the root certificate (here, the gateway's own certificate) to trust. Obtain that certificate over a channel you trust and compare its fingerprint; a certificate simply downloaded over an untrusted network could be the attacker's.

If the client you use also checks the domain (server hostname validation), the IP address or hostname you use to reach the gateway must appear in the gateway's certificate (clients compare it against the certificate's Subject Alternative Names). This can be done with the Manager UI in the preferences page.

With that, the client can access the gateway securely.

Encryption

When using https, the channel is encrypted and the data cannot be read by anyone intercepting the communication. This is not the case with http: the login credentials are sent unencrypted (Basic Auth is base64 encoding, not encryption), so your username and password can easily be intercepted if the network is not trusted. That is why we recommend always using https.

Encryption is used even if the certificate is not trusted by the client, so it is still better to use https even if the client does not recognise the certificate. Just be sure that you connect to the correct gateway: without certificate validation, encryption protects against passive eavesdropping but not against an active attacker who presents its own certificate.
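The three sections above (Basic Auth on the login route, Bearer token on the other routes, and trusting the gateway's self-signed certificate with hostname validation kept on) put together in a small Python client, as an added example that is not part of the gateway's documentation or code. The following are assumptions, not facts from this page: the login route is POST /login and answers a JSON body of the form {"token": "..."}, the configuration is read from /config, and the gateway's certificate has already been exported to gateway.pem. credentials_from_basic_header only exists to show why plain http is unsafe: the captured header gives the password back in one line.

```python
# Added example client for the gateway API described above (not the project's
# own code). Assumed, not taken from the page: POST /login answering
# {"token": "..."}, a /config route, and the gateway certificate in gateway.pem.
import base64
import http.client
import json
import ssl


def basic_auth_header(username: str, password: str) -> str:
    """Authorization header value for the login route (Basic Auth)."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def credentials_from_basic_header(header: str) -> tuple:
    """Recover (username, password) from a Basic Auth header.

    Basic Auth is base64 encoding, not encryption: anyone who captures this
    header on a plain http connection gets the credentials back directly.
    """
    scheme, _, encoded = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Auth header")
    # Split on the first colon only: passwords may themselves contain colons.
    user, _, pwd = base64.b64decode(encoded).decode("utf-8").partition(":")
    return user, pwd


def bearer_header(token: str) -> str:
    """Authorization header value for every route after login."""
    return "Bearer " + token


def gateway_tls_context(gateway_cert_path: str) -> ssl.SSLContext:
    """TLS context that trusts only the gateway's own self-signed certificate.

    cafile replaces the system trust store, so a certificate from any other
    server is rejected. check_hostname stays on, so the name or IP used in the
    URL must be present in the certificate (added in the Manager UI preferences).
    """
    ctx = ssl.create_default_context(cafile=gateway_cert_path)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def token_from_login_response(body: bytes) -> str:
    """Extract the token from the login reply (assumed shape: {"token": "..."})."""
    token = json.loads(body).get("token")
    if not isinstance(token, str) or not token:
        raise ValueError("login response carries no token")
    return token


class GatewayClient:
    """Basic Auth on the login route, Bearer token on all other routes."""

    def __init__(self, host, tls_context, port=443, login_path="/login",
                 connection_factory=None):
        self.host, self.port, self.login_path = host, port, login_path
        self.token = None
        # The factory is injectable for offline tests; the default opens a real
        # HTTPS connection validated with the pinned gateway certificate.
        self._connect = connection_factory or (
            lambda: http.client.HTTPSConnection(host, port, context=tls_context))

    def _request(self, method, path, headers):
        conn = self._connect()
        try:
            conn.request(method, path, headers=headers)
            resp = conn.getresponse()
            return resp.status, resp.read()
        finally:
            conn.close()

    def login(self, username: str, password: str) -> str:
        """Send the credentials once, over TLS, and keep the returned token."""
        status, body = self._request(
            "POST", self.login_path,
            {"Authorization": basic_auth_header(username, password)})
        if status != 200:
            raise PermissionError(f"login failed with HTTP {status}")
        self.token = token_from_login_response(body)
        return self.token

    def get(self, path: str) -> bytes:
        """Read a route with the Bearer token; never resend the password."""
        if self.token is None:
            raise RuntimeError("call login() first")
        status, body = self._request(
            "GET", path, {"Authorization": bearer_header(self.token)})
        if status == 401:
            raise PermissionError("token rejected, log in again")
        return body


if __name__ == "__main__":
    # Needs a reachable gateway; host, credentials and routes are placeholders.
    client = GatewayClient("gateway.local", gateway_tls_context("gateway.pem"))
    client.login("admin", "secret")
    print(client.get("/config"))
```

The point of gateway_tls_context is that trust is pinned to the gateway's own certificate rather than to the system store, and that hostname checking is left enabled; disabling verification (the usual shortcut with self-signed certificates) would keep the traffic encrypted but let any server that answers on port 443 collect the Basic Auth credentials. The certificate file must be obtained over a channel you trust, for example by comparing its fingerprint with the one shown on the device, since fetching it over the same untrusted network defeats the purpose.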