Sorry, you need to enable JavaScript to visit this website.

How to use mutual TLS

Some Rabobank API's are restricted and require the application to provide a registered X509 client certificate during TLS handhake. If so, this is stated in the description of the API.

To use these TLS protected APIs you need to complete the following extra steps:

  1. Register your application in the developer portal, subscribe to the product and upload your TLS client certificate in PEM format.
  2. In your application, when the API is called, a X509 client certificate must be added.

We have created two examples that show how to implement this in your application

Java example:

@SpringBootApplication
public class SslClientApplication {

	static
	{
		System.setProperty("jdk.tls.client.protocols", "TLSv1.2");
		System.setProperty("https.protocols", "TLSv1.2");
		System.setProperty("javax.net.ssl.trustStore", "REPLACE_WITH_PATH_TO_CERT");
		System.setProperty("javax.net.ssl.trustStorePassword", "KEYSTORE_PASSWORD_HERE");
		System.setProperty("javax.net.ssl.keyStore",  "REPLACE_WITH_PATH_TO_KEY_FILE");
		System.setProperty("javax.net.ssl.keyStorePassword", "KEYSTORE_PASSWORD_HERE");

		javax.net.ssl.HttpsURLConnection.setDefaultHostnameVerifier(
				new javax.net.ssl.HostnameVerifier() {

					public boolean verify(String hostname,
							javax.net.ssl.SSLSession sslSession) {
						// TODO: CODE TO VERIFY Host
					}
				});
	}

	@Bean
	public RestTemplate template() throws Exception{
		RestTemplate template = new RestTemplate();
		return template;
	}

	public static void main(String[] args) {
		SpringApplication.run(SslClientApplication.class, args);
	}
}
@Component
public class HttpClient implements CommandLineRunner {

	@Autowired
	private RestTemplate template;

	@Override
	public void run(String... args) throws Exception {
		ResponseEntity<Object> response = template.getForEntity("REPLACE_WITH_API_URL", Object.class);
	}
}

Curl example:

curl --header "x-ibm-client-id:REPLACE_WITH_CLIENT_ID" --key REPLACE_WITH_PATH_TO_KEY_FILE --cert
    REPLACE_WITH_PATH_TO_CERT --verbose --insecure --location --cookie curlcookies REPLACE_WITH_API_URL

Explanation of the options:

  • --header: add header to the request
  • --key: absolute path to the key file
  • --cert: absolute path to certificate file
  • --verbose: verbose output
  • --insecure: ignore server certificate (you probably don't need this option)
  • --location: follow redirects
  • --cookie: use a cookiejar