Operating Systems: i5/OS
Enable Secure Sockets Layer client authentication for a specific inbound endpoint
When you establish a Secure Sockets Layer (SSL) configuration,
you can enable client authentication for a specific inbound endpoint.
The endpoint configuration must already exist in the SSL topology.
Overview
Complete the following steps in the administrative console:
Procedure
- Click Security > SSL certificate and key management > Manage
endpoint security configurations > Inbound > SSL_configuration.
If you want to enable SSL client authentication for all processes,
define an SSL configuration for the new endpoint at the node or cell level
so that it is visible to all processes on the same node or on the entire cell.
For more information, see Creating a Secure Sockets Layer configuration.
- Select Override inherited values. The SSL configuration
is used for the current scope and any lower scopes that have not already designated
an SSL configuration. This field displays for server and node groups within
the object hierarchy and does not display for the top-level node or cell.
- Select an SSL configuration from the drop-down list.
- Click Update certificate alias list.
- Select a Certificate alias from the drop-down list.
- Click OK to save the configuration.
Results
You can repeat the previous steps for each endpoint that uses the
same SSL configuration to enable client authentication for the inbound endpoints.
What to do next
CSIv2 Protocol Exception:
The Common Secure Interoperability
V2 (CSIv2) secure endpoints, used for Remote Method Invocation over
the Internet Inter-ORB Protocol (RMI/IIOP) security, cannot override inherited
values. While the rest of the SSL properties are effective for CSIv2 when
they are selected at the centrally-managed Secure Communications panel, the
client authentication selection is controlled by the CSIv2 protocol configuration.
To enable SSL client certificate authentication for the CSIv2 protocol,
use the CSIv2 inbound and outbound authentication panels. For SSL client authentication
to occur between two servers, enable (support or require) SSL client
certificate authentication for both the inbound and the outbound policies.
WebSphere Application Server can either request (support) that clients provide
certificates for the SSL handshake, or it can require clients to provide
a valid certificate for the SSL handshake, which is the more secure method.
However, when the server requires certificates, the server must obtain the signer
certificate for each client that connects to it, which involves more server-side management.
In server-to-server connections, the client certificate should not be used
as the identity. However, when a pure client sends a client certificate, the certificate
is used as the identity unless a message-level identity, such as a user ID and password,
is specified.
Do the following to enable client certificate authentication for the CSIv2 protocol
for server-to-server connections:
- Click Security > Secure administration, applications, and infrastructure.
- Expand the RMI/IIOP security section.
- Click CSIv2 inbound authentication.
- Under Client authentication, select either supported or required.
When you select required, only one SSL port is opened (CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS).
When you select supported, two SSL ports are opened (both CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS
and CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS).
If there are two ports, the client can select either one based on the security
configuration policy of the port.
- Click OK to save.
- If you want server-to-server SSL client authentication, then complete
the remaining steps. If you do not complete the remaining steps, only pure
clients are enabled to send client certificates.
- Expand the RMI/IIOP security section.
- Click CSIv2 outbound authentication.
- Under Client authentication, select either supported or required.
The SSL configuration for the inbound secure endpoints on which
you enable SSL client certificate authentication must contain the signer certificate
of every client that attempts to open a connection to that inbound secure
endpoint. You must collect those signers and then add them to the trust store
associated with the inbound secure endpoint's SSL configuration.
Secure Sockets Layer node, application server, and cluster isolation
Related tasks
Selecting an SSL configuration alias directly from an endpoint configuration
Extracting a signer certificate from a personal certificate
Creating a Secure Sockets Layer configuration