I know that I can use client certificates with a custom domain on Bluemix. The process for setting up the trust store is explained here: https://console.ng.bluemix.net/docs/manageapps/secapps.html Bluemix is going to validate the client certificate as part of the TLS handshaking. So far, so good.
I'm running a Java servlet inside Bluemix on a custom domain, and I'd like to see the details from the client certificate. The usual way to do that is HttpServletRequest.getAttribute("javax.servlet.request.X509Certificate"); Will that same approach work on Bluemix? If not, is there another way to get the details of that client certificate?
A HTTP header called $WSCC should be set when mutual authentication was performed with a Bluemix application running on a custom domain. The value of that header is a based64 encoded client certificate (only one). If your application is running with Liberty runtime (deployed with Liberty buildpack), you should be able to retrieve that certificate using HttpServletRequest.getAttribute("javax.servlet.request.X509Certificate") call. On other runtimes, you might have to lookup that header directly.