WebSphere Application Server supports Java client authentication
using a digital certificate when the client attempts to make a Secure Sockets
Layer (SSL) connection. The authentication occurs during the SSL handshake,
the sequence of messages that the client and server exchange over the SSL
protocol to negotiate the protection parameters (protocol version, cipher suite
and keys) for that connection. During the handshake, the secure server requests
that the client send back a certificate or certificate chain for authentication.
The client also proves that it holds the private key that belongs to the
certificate, so possession of the public certificate alone is not sufficient
to authenticate as that client.
Before you begin
To configure SSL for Java client authentication, consider the following
questions:
- Have you enabled security with your WebSphere Application Server?
- Have you configured the Common Secure Interoperability Version 2 (CSIv2) authentication protocol for your target application server?
Refer to Enabling security for all application servers for more details.
Note: The Security Authentication Service (SAS) authentication protocol does not support Java client authentication with SSL transport; only CSIv2 does.
- Have you configured your server to support secure transport for the CSIv2 inbound authentication protocol?
- Have you configured your server to support client authentication at the transport layer for the inbound CSIv2 authentication protocol? If unauthenticated connections must be refused rather than merely allowed to fall back, set client certificate authentication to required rather than supported.
- If you are using a self-signed personal certificate, have you exported the public certificate (the certificate only, never the private key) from your client application Java keystore file or cryptographic token device?
- If you are using a certificate authority (CA)-signed personal certificate, have you received the root certificate of the CA?
- If you are using a self-signed personal certificate, have you imported the public certificate into your target Java truststore file as a signer certificate?
- If you are using a CA-signed personal certificate, have you imported the CA root certificate into your target Java truststore file as a signer certificate? The truststore decides which signers the server accepts, so every certificate that the target presents to clients, or that clients present to the target, must chain to a signer in the other side's truststore.
- Does the common name (CN) in the subject of your personal certificate exist in your configured user registry, or is there a SAF mapping for the certificate? A certificate that passes the SSL handshake but maps to no registry user is still rejected at the application server.
If you answer yes to all of these questions that are appropriate to your
product and platform, you can configure SSL for Java client authentication.
About this task
Note: Java
client authentication using digital certificates is supported only by the
Common Secure Interoperability Version 2 (CSIv2) authentication protocol.
Procedure
- Edit the sas.client.props file for Secure Sockets Layer client authentication.
- Add keystore files.
- Add truststore files.
- Save changes.
- Restart the server if you configured the server.
What to do next
A secure client connects to a secure Internet Inter-ORB Protocol
(IIOP) server that requires client authentication at the transport layer.
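The checklist in Before you begin and the connection described here, as an added example that is not code from the WebSphere documentation or from IBM: it creates self-signed personal certificates with the openssl command line (assumed to be installed), runs a local server that requires a client certificate at the transport layer, and maps the CN of the presented certificate to a constructed user registry. Python's ssl module stands in for IBMJSSE, PEM files stand in for the Java keystore and truststore, and the server name localhost, the CN clientapp and the registry contents are assumptions made for the example.

```python
# Added example (not from the WebSphere documentation): transport-layer client
# authentication end to end, using openssl-generated self-signed certificates
# and Python's ssl module in place of the IBM JSSE keystore/truststore setup.
import os
import socket
import ssl
import subprocess
import tempfile
import threading

# Constructed stand-in for the configured user registry (or SAF mapping):
# the CN of an accepted client certificate must appear here.
USER_REGISTRY = {"clientapp"}


def make_self_signed(workdir, name, cn, san=None):
    """Create a self-signed personal certificate. The .crt file is what gets
    exported and imported into the peer's truststore as a signer certificate."""
    key = os.path.join(workdir, name + ".key")
    crt = os.path.join(workdir, name + ".crt")
    cmd = ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
           "-keyout", key, "-out", crt, "-days", "1", "-subj", "/CN=" + cn]
    if san:  # the server certificate needs a SAN so hostname checking passes
        cmd += ["-addext", "subjectAltName=" + san]
    subprocess.run(cmd, check=True, capture_output=True)
    return key, crt


def certificate_cn(peer_cert):
    """Pull the commonName out of the subject structure that getpeercert() returns."""
    for rdn in peer_cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def mutual_tls_roundtrip(server_key, server_crt, server_truststore,
                         client_key, client_crt, client_truststore):
    """Run one handshake in which the server requires a client certificate.
    Returns {"server": (status, cn), "client": reply-or-error}."""
    outcome = {}
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(server_crt, server_key)
    srv.verify_mode = ssl.CERT_REQUIRED                 # client auth at the transport layer
    srv.load_verify_locations(cafile=server_truststore)  # signer certificates the server trusts

    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        try:
            raw, _ = listener.accept()
            with srv.wrap_socket(raw, server_side=True) as conn:
                cn = certificate_cn(conn.getpeercert())   # handshake already verified it
                if cn in USER_REGISTRY:
                    outcome["server"] = ("accepted", cn)
                    conn.sendall(b"OK")
                else:
                    outcome["server"] = ("unmapped", cn)   # valid certificate, unknown user
                    conn.sendall(b"NO")
        except ssl.SSLError as exc:
            outcome["server"] = ("handshake_failed", exc.reason)
        except OSError:
            outcome["server"] = ("io_error", None)

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()

    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)        # verifies the server and its hostname
    cli.load_verify_locations(cafile=client_truststore)  # the server's signer certificate
    cli.load_cert_chain(client_crt, client_key)          # the personal certificate to present
    try:
        with socket.create_connection(("127.0.0.1", port)) as raw, \
                cli.wrap_socket(raw, server_hostname="localhost") as conn:
            outcome["client"] = conn.recv(16).decode()
    except (ssl.SSLError, OSError) as exc:
        outcome["client"] = "rejected: " + (getattr(exc, "reason", None) or str(exc))
    worker.join(10)
    listener.close()
    return outcome


def demo():
    """Three runs mirroring the checklist: signer imported and CN mapped;
    signer missing from the server truststore; signer present but CN unknown."""
    with tempfile.TemporaryDirectory() as d:
        s_key, s_crt = make_self_signed(d, "server", "localhost", "DNS:localhost")
        c_key, c_crt = make_self_signed(d, "clientapp", "clientapp")
        x_key, x_crt = make_self_signed(d, "stranger", "stranger")
        return {
            "signer_trusted": mutual_tls_roundtrip(s_key, s_crt, c_crt, c_key, c_crt, s_crt),
            "signer_missing": mutual_tls_roundtrip(s_key, s_crt, x_crt, c_key, c_crt, s_crt),
            "cn_unmapped": mutual_tls_roundtrip(s_key, s_crt, x_crt, x_key, x_crt, s_crt),
        }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The first run is the configuration the checklist leads to: the client's signer certificate is in the server's truststore and its CN is in the registry, so the server reports accepted. The second run leaves the client's signer out of the server's truststore, and the handshake itself fails (the client sees a rejected connection, which is the symptom to look for when the truststore import was skipped). The third run presents a certificate the server trusts whose CN is in no registry, which the handshake cannot catch; only the registry lookup after the handshake does.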
If a connection problem occurs, you can set the javax.net.debug=true Java
system property (for example, -Djavax.net.debug=true on the command line) before
you run your client or your server to generate handshake debugging information.
The trace is verbose and includes certificate details, so enable it only while
you diagnose the problem.
See
Troubleshooting security configurations for
further information about how to debug an IBMJSSE problem.