Mutual TLS authentication
Watson™ Care Manager requires that all external API connections occur over an encrypted, mutually authenticated connection, with certificate exchange between the endpoints.
The standard TLS protocol ensures that a client trusts the server that it is communicating with by verifying the server's certificate. In addition, mutual TLS ensures that the server only accepts connections from trusted clients through certificate verification. With mutual TLS, both parties authenticate each other by verifying a digital certificate that is issued by a trusted Certificate Authority. The presence of the certificate assures each party of the other's identity.
In a mutual TLS handshake, the client (web browser or client application) and the server (website or server application) each authenticate themselves to the other by presenting a certificate that the other party verifies. For a Watson Care Manager API call, the sequence is as follows:

- The external system makes an API call to a Watson Care Manager API endpoint.
- Watson Care Manager presents its certificate to the external system.
- The external system verifies Watson Care Manager's certificate.
- If successful, the external system sends its certificate to Watson Care Manager.
- Watson Care Manager verifies the external system's certificate.
- If successful, Watson Care Manager allows the API call to proceed.
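
The following is an added example, not IBM's or Watson Care Manager's code: Python `ssl` settings that enforce the two verification steps in the sequence above, with a check that reports which step a given context would skip. The function names and file-path parameters are assumptions; when the paths are omitted, no key material is loaded, so the verification policy can be inspected on its own.

```python
import ssl


def client_context(ca_file=None, cert_file=None, key_file=None):
    """External-system side: verify the server, then present our own certificate."""
    # PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED with hostname checking on.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if ca_file:    # CA that issued the server's certificate (placeholder path)
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:  # certificate and key this system presents to the server
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def server_context(ca_file=None, cert_file=None, key_file=None):
    """Server side (for example a local test endpoint): demand a client certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # The default is CERT_NONE, which is one-way TLS. CERT_REQUIRED makes the
    # handshake fail unless the client presents a certificate that chains to ca_file.
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def mtls_gaps(ctx, server_side):
    """Return the verification steps that this context would skip."""
    gaps = []
    if ctx.verify_mode == ssl.CERT_NONE:
        gaps.append("peer certificate is never verified")
    elif ctx.verify_mode == ssl.CERT_OPTIONAL and server_side:
        # On a server, OPTIONAL lets a client connect without any certificate.
        gaps.append("peer certificate is optional")
    if not server_side and not ctx.check_hostname:
        gaps.append("server name is not matched against its certificate")
    return gaps


if __name__ == "__main__":
    one_way = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # defaults only
    print("one-way server:", mtls_gaps(one_way, server_side=True))
    print("mutual server: ", mtls_gaps(server_context(), server_side=True))
    print("mutual client: ", mtls_gaps(client_context(), server_side=False))
```

A client context built with no CA file has no trust anchors, so every handshake fails closed until the issuing CA is loaded.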