A certificate is needed to gain access to Storm API and is a safeguard that no unauthorized person can access your features.

Getting a certificate

Certificates are issued upon request for customer projects by Storm Commerce. The certificates are used to authenticate applications to the Storm API. Certificates can be bundled within the application or installed in the local machine’s certificate store. Developers are advised to install the certificate in their personal certificate store in order to give them access to the API Reference with live data.

Using the certificate with WCF (non-bundled)

The certificate needs to be installed in the local machines certificate store and the issuer certificate must be trusted. The user on the ApplicationPool for the Application needs to have access to the certificate’s private key. This is managed in the mmc.exe on Windows systems.

Locate below section under system.serviceModel/behaviors and change “thumbprint from certificate” to your certificate’s thumbprint:

	<behavior name="CertificateBehavior">
			<clientCertificate findValue="<thumbprint from certificate>" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
				<authentication certificateValidationMode="PeerOrChainTrust" revocationMode="Online" />
		<dataContractSerializer maxItemsInObjectGraph="2147483647" />

Using the certificate bundled in the application

When bundling the certificate in the application, no installation of the certificate is required.
We usually put the certificate file in the App_Data folder of the project and mark it as content.

When bundling certificates within the application, the WCF configuration from above, clientCredentials/ clientCertificate, is not used and can be removed.

The following needs to be inserted under appSettings:

<add key="API.CertFile" value="App_Data\<The name of your certificate file>.pfx" />
<add key="API.CertPwd" value="<your certificate password>" />

This default setup supports use of one certificate for the application. When building multi market applications using different certificates for each market custom handling of certificate resolving must be made. That can be done by Implementing your own ICertificateResolver and configure unity with your implementation. Below is a sample for the default certificate resolver.
Under unity make sure these are present:

<assembly name="Enferno.StormApiClient" />
<namespace name="Enferno.StormApiClient" />

<register type="ICertificateResolver" mapTo="CertificateResolver" />

Since the WCF configuration of the client certificate is removed, use of the client proxies to the API will not work and all access must be made by the AccessClient component.