You can use two-way SSL authentication by sending a certificate generated in
Salesforce or signed by a certificate authority (CA) with your callout. This
enhances security as the target of the callout receives the certificate and
can use it to authenticate the request against its keystore.
To enable two-way SSL authentication for a callout:
- Generate a certificate.
- Integrate the certificate with your code. See Using Certificates with SOAP Services and Using Certificates with HTTP Requests.
- If you are connecting to a third party and you are using a self-signed
certificate, share the Salesforce certificate
with them so that they can add the certificate to their keystore.
If you are connecting to another application used within your organization,
configure your Web or application server to request a client certificate.
This process depends on the type of Web or application server you
use. For an example of how to set up two-way SSL with Apache Tomcat,
see developer.salesforce.com/page/Making_Authenticated_Web_Service_Callouts_Using_Two-Way_SSL.
- Configure the remote site settings for the callout.
Before any Apex callout can call an
external site, that site must be registered in the Remote Site Settings page, or the callout
fails.
If you use setEndpoint(endpoint) to
specify a named credential as the endpoint, you don’t need to configure remote
site settings.
To set up named credentials, see “Define a Named Credential” in the Salesforce
Help.
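
The following Apex class is an added example, not part of the original Salesforce documentation. It shows an HTTP callout that presents a client certificate and handles a failed callout. The certificate name `My_Client_Cert`, the endpoint `https://api.example.com/v1/status`, and the named credential `Partner_API` are hypothetical placeholders.

```apex
public with sharing class MutualTlsCallout {
    // Hypothetical values: use the Unique Name of the certificate you
    // generated in Setup and an endpoint registered in Remote Site Settings.
    private static final String CLIENT_CERT_NAME = 'My_Client_Cert';
    private static final String ENDPOINT = 'https://api.example.com/v1/status';

    public class MutualTlsException extends Exception {}

    // Callout to a full URL: the certificate is attached in code and the
    // host must be registered as a remote site, or send() fails.
    public static String fetchStatus() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint(ENDPOINT);
        req.setClientCertificateName(CLIENT_CERT_NAME);
        return sendAndCheck(req);
    }

    // Callout through a named credential (hypothetical name Partner_API):
    // no remote site setting is needed for this endpoint form.
    public static String fetchStatusViaNamedCredential() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Partner_API/v1/status');
        return sendAndCheck(req);
    }

    private static String sendAndCheck(HttpRequest req) {
        req.setMethod('GET');
        req.setTimeout(10000); // milliseconds
        HttpResponse res;
        try {
            res = new Http().send(req);
        } catch (System.CalloutException e) {
            // Raised when the callout cannot complete, for example when the
            // endpoint is not registered in Remote Site Settings.
            throw new MutualTlsException('Callout failed: ' + e.getMessage(), e);
        }
        if (res.getStatusCode() != 200) {
            // The server may also reject the request at the application
            // layer; treat any non-200 response as a failure.
            throw new MutualTlsException(
                'Unexpected status ' + res.getStatusCode() + ' ' + res.getStatus());
        }
        return res.getBody();
    }
}
```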