DLP API Detection Appliance Client Authorisation Configuration

Article ID: 242961

Products

Data Loss Prevention API Detection Virtual Appliance

Issue/Introduction

How is client authorisation supposed to work? How can we configure DLP API so that only one client is allowed to send requests to the API, and do it with certificates?

Resolution

Here are the steps to follow; in this example a self-signed certificate is created:

1) On another machine with DLP installed run the following command to generate a new self-signed certificate for the API detector:

keytool -genkeypair -keyalg RSA -alias my_selfsigned_cert -dname "CN=10.x.x.x" -keystore my_keystore.pkcs12 -storetype pkcs12 -validity 3650 -keysize 2048 -storepass password -keypass password

Keytool is located in C:\Program Files\AdoptOpenJRE\jdk8u262-b10-jre\bin; note that the location of the JRE may differ in your environment.
The CN of the certificate is set to the IP address of the API detector. The same password is used for both the keystore and the key itself.

2) Then log in to the Enforce console and navigate to System -> Servers and Detectors -> Overview, select the API Appliance detector and click Configure.

3) In the "Security Configuration" section of the configuration screen, use the "Upload keystore" option to upload the my_keystore.pkcs12 keystore created above to the Appliance detector. Below it, enter the keystore password configured in step 1. Then save the configuration.

4) Reboot the Appliance detection server to allow it to use the new certificate.

5) At this point run a test with the curl commands to check whether the new certificate is being used by the API detector. See the troubleshooting commands at the bottom of this article.

6) Export the API detector's new certificate from its keystore and import it into the Trusted Root Certificates store on the client you want to use, so that the client trusts the certificate now presented by the API detector. Export the certificate with the following command on the same machine where the keystore was generated:

keytool -export -alias my_selfsigned_cert -file server.pfx -keystore my_keystore.pkcs12

7) Then copy the server.pfx file to the client, launch MMC and open the Certificates snap-in. Navigate to Trusted Root Certification Authorities -> Certificates, right-click the certificate list and select All Tasks -> Import.

8) In the import wizard, leave the first setting on "Local Machine" and click Next. Browse to the exported server.pfx file and click Next. Continue to click Next until you can click Finish.

9) Restart the client to ensure that it reloads its certificate stores and is able to validate the new certificate of the API detector.

Commands for troubleshooting:

WHEN KEYSTORE IS NOT CONFIGURED

Run from a remote host.

curl --insecure --cert ./new_rest_client_cert.pem -H "Content-Type: application/json" -H "Accept: application/json" -H "X-SYMC-DLP-DetectorID: <PLACEHOLDER-DET-ID>" -X GET https://<PLACEHOLDER-IP-ADDR>:8080/Status

EXPECTED OUTPUT:

curl: (7) Failed connect to <PLACEHOLDER-IP-ADDR>:8080; Connection refused

openssl s_client -showcerts -servername <PLACEHOLDER-IP-ADDR> -connect <PLACEHOLDER-IP-ADDR>:8080

EXPECTED OUTPUT:

socket: Bad file descriptor
connect:errno=9

AFTER KEYSTORE IS CONFIGURED

Run from a remote host.

curl --insecure --cert ./new_rest_client_cert.pem -H "Content-Type: application/json" -H "Accept: application/json" -H "X-SYMC-DLP-DetectorID: <PLACEHOLDER-DET-ID>" -X GET https://<PLACEHOLDER-IP-ADDR>:8080/Status

EXPECTED OUTPUT:

{"message":"The Rest Inductor is alive!"}

openssl s_client -showcerts -servername <PLACEHOLDER-IP-ADDR> -connect <PLACEHOLDER-IP-ADDR>:8080

EXPECTED OUTPUT:

CONNECTED(00000003)
depth=0 C = US, ST = CA, L = San Francisco, O = Symantec Dev, OU = DLP, CN = Carl-AWS-Rest-Appliance-1
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = CA, L = San Francisco, O = Symantec Dev, OU = DLP, CN = Carl-AWS-Rest-Appliance-1
verify return:1
---
Certificate chain
 0 s:/C=US/ST=CA/L=San Francisco/O=Symantec Dev/OU=DLP/CN=Rest-Appliance-1
   i:/C=US/ST=CA/L=San Francisco/O=Symantec Dev/OU=DLP/CN=Rest-Appliance-1

Where present, replace <PLACEHOLDER-DET-ID> and <PLACEHOLDER-IP-ADDR> in the above commands with your own detector ID and address.
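The s_client commands above print the served certificate for you to compare by eye. The following POSIX shell script is an added example, not part of this article or of the DLP product: it compares the SHA-256 fingerprint of the certificate exported in step 6 with the one the detector actually presents on port 8080, assuming only that openssl is on the PATH.

```shell
#!/bin/sh
# Added example, not from the KB article or the DLP product: compare the
# SHA-256 fingerprint of the certificate exported from my_keystore.pkcs12
# (step 6, DER as written by keytool -export) with the leaf certificate the
# API detector actually presents on port 8080. Assumes openssl on the PATH.

# Fingerprint of a certificate file (DER or PEM): uppercase hex, no colons.
cert_fingerprint() {
  inform=DER
  grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null && inform=PEM
  fp=$(openssl x509 -in "$1" -inform "$inform" -noout -fingerprint -sha256 2>/dev/null \
       | sed 's/^.*=//; s/://g')
  [ -n "$fp" ] && echo "$fp"
}

# Fingerprint of the leaf certificate served by host:port; fails when the
# port does not speak TLS (keystore not configured, detector not rebooted).
server_fingerprint() {
  tmp=$(mktemp)
  # </dev/null ends the session at once; -servername is harmless for an IP
  if ! openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
      | openssl x509 -outform PEM >"$tmp" 2>/dev/null; then
    rm -f "$tmp"; return 1
  fi
  cert_fingerprint "$tmp"; rc=$?
  rm -f "$tmp"; return "$rc"
}

# 0 when both fingerprints are non-empty and equal, 1 otherwise.
fingerprints_match() {
  if [ -n "$1" ] && [ "$1" = "$2" ]; then return 0; fi
  return 1
}

# pin_check <exported-cert-file> <detector-host> [port]   (port defaults to 8080)
pin_check() {
  port="${3:-8080}"
  expected=$(cert_fingerprint "$1") || return 2
  if ! actual=$(server_fingerprint "$2" "$port"); then
    echo "no TLS certificate served on $2:$port"; return 2
  fi
  if fingerprints_match "$expected" "$actual"; then
    echo "OK: detector presents the exported certificate ($actual)"
  else
    echo "MISMATCH: exported=$expected served=$actual"; return 1
  fi
}
```

Run `pin_check server.pfx <PLACEHOLDER-IP-ADDR>` from the client after step 6. The certificate generated in step 1 carries the detector's IP address only in its CN, so clients that require a subjectAltName (most current TLS libraries) will still fail hostname verification against it even once it is trusted.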