Limiting access to URLs and directories with client certificates when multiple SSL IP-based virtualhosts are enabled
 Technote (FAQ)
 
Problem
Use the following information when enabling SSL client certificate authentication. The SSLClientAuth directive is used to enable SSL client certificate authentication, and the SSLClientAuthRequire directive is used in conjunction with SSLClientAuth to restrict client access to certain URLs and directories.
 
Solution
The system must already be set up for multiple IP-based SSL virtual hosts. An example of this is found in the technote "IP-Based Virtual Hosting must be used if configuring multiple SSL Virtual Hosts". After two PKCS12 browser certificates are created for two browsers in iKeyman, add the following two directives to each of the SSL virtual hosts.
SSLClientAuth required
<Location />
  SSLClientAuthRequire (CommonName = "Common Name in Certificate")
</Location>

The SSLClientAuthRequire directive can use any unique value in the certificate that is created. Generally, the common name is an identifier, such as the name of a person or group that requires access to the site.

The SSLClientAuthRequire directive works only if it is placed within a location or directory stanza. In the preceding example, this requires the browser certificate for any location in the site from the root down.
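
The following complete layout is an added example, not part of the original technote: it shows where the two directives sit when two IP-based SSL virtual hosts each admit a different browser certificate. The IP addresses, host names, key database paths and common names are placeholder assumptions.

```apache
# Added example. Addresses, host names, paths and common names are
# placeholders; substitute the values used on your own system.
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so

Listen 192.0.2.10:443
Listen 192.0.2.11:443

<VirtualHost 192.0.2.10:443>
  ServerName site-a.example.com
  SSLEnable
  Keyfile "C:/Program Files/IBM HTTP Server/keys/site-a.kdb"

  # The handshake is refused unless the browser presents a certificate
  # that validates against a signer held in this key database.
  SSLClientAuth required

  # Attribute check on the validated certificate. It takes effect only
  # inside a Location or Directory stanza; "/" covers the whole site.
  <Location />
    SSLClientAuthRequire (CommonName = "Browser One")
  </Location>
</VirtualHost>

<VirtualHost 192.0.2.11:443>
  ServerName site-b.example.com
  SSLEnable
  Keyfile "C:/Program Files/IBM HTTP Server/keys/site-b.kdb"

  SSLClientAuth required

  # A different common name, so the certificate accepted on the first
  # virtual host does not grant access to this one.
  <Location />
    SSLClientAuthRequire (CommonName = "Browser Two")
  </Location>
</VirtualHost>
```

After restarting the server, confirm from each browser that its own certificate is accepted on the matching virtual host and refused on the other. The common name match is only as trustworthy as the signers in each key database, so keep only the signer certificates that issued the browser certificates in them.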
 
 
 


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > IBM HTTP Server > SSL
Operating system(s): Windows
Software version: 6.0
Software edition:
Reference #: 1194918
IBM Group: Software Group
Modified date: Jul 30, 2005