User certificate authentication overview
The User Certificate Authentication feature is a newly introduced user authentication realm in IBM Worklight v6.1 that establishes user identity with an X.509 client certificate.
With the User Certificate Authentication feature, IBM MobileFirst Platform Foundation (MPF) provides a mechanism for enterprises to integrate their mobile infrastructure with their existing public key infrastructure (PKI). With this added function, enterprises can authenticate users who access sensitive back-end systems through mobile devices by using X.509 client-side certificates. Mobile clients can present an X.509 certificate to establish a secure client identity over the transport layer security (TLS) protocol.
This feature allows enterprises to use their existing PKI to obtain full control of the user authentication and user enrollment process. An embedded PKI implementation is provided, which allows enterprises without their own PKI to quickly set it up. With the embedded PKI option, IBM MobileFirst Platform Foundation internally signs certificates and manages the validation and enrollment process.
More specifically, mobile clients can present an X.509 client certificate to establish a secure connection over the transport layer security (TLS) protocol. Users are enrolled with the enterprise certificate authority (CA) directly from their device. The client certificate is then used to authenticate the user and establish the user identity on subsequent requests.
This feature is only available on hybrid iOS and Android environments for this current release.
How it works
The MobileFirst Server can be configured to protect an application or adapter with the user certificate authentication user realm (UserCertificateAuthRealm). This realm requires the use of a PKI for managing X.509 client certificates. An existing PKI can be used by implementing the PKI bridge interface provided for you. The PKI bridge interface serves as the bridge between MPF and your PKI. Another option is to use the embedded PKI provided with this feature for testing and development purposes.
The first time a user accesses a protected application or adapter procedure from a device, the server initiates the applicable challenges and starts the user enrollment process. The user enrollment process consists of having the user enroll into the configured PKI and then provisioning the device with an X.509 certificate for future use. Users enroll into an existing PKI with the help of a dependent user authentication realm. After the user is authenticated through the dependent realm, IBM MobileFirst Platform Foundation, through the PKI, generates the client certificate and provisions the device with the certificate that is issued to the user. In other words, the server enrolls the user only after the user identity has been established through one of the pre-existing login modules. This process results in an X.509 certificate that is issued to the user and installed securely on the device.
The following figure shows the user enrollment flow:
Subsequent calls from that MobileFirst application use this X.509 certificate to establish a secure connection over HTTPS, authenticate the user, and establish the user identity on the server. Users need to log in only once for the life of the certificate. When the certificate expires or is revoked by the PKI, the enrollment process is initiated again. At that point, you can allow user enrollment to continue, ban the user, or allow the user to log in only through the dependent realm.
Both the client and the server runtimes enforce certificate verification, ensuring that the client certificate is valid and is issued to a known user. The client certificate is valid if it is issued by a trusted CA, is within its validity period (not expired and not yet-to-become valid), and has not been revoked. The server also verifies the client certificate's subject against a user registry to ensure that the client certificate was issued to a known user. Support for certificate revocation lists (CRL) is provided by the underlying Java Platform, Enterprise Edition (Java EE) server and JVM. For more information about how to enable CRL support in WebSphere Application Server, see SSL configurations.
Not all JVMs provide CRL support.
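The verification rules above, as an added stand-alone illustration in Go (this is not MobileFirst or PKI bridge code, which is Java): a constructed root CA issues a client certificate, and VerifyClient then checks the chain to a trusted CA, the validity period at a given time, and the subject against a constructed user registry. CRL checking is left out, since in the product it is handled by the Java EE server and JVM.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

var registry = map[string]bool{"alice": true} // constructed stand-in for the server's user registry
// issue signs tmpl with signKey under parent and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signKey ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// NewPKI builds a constructed root CA and a client certificate issued to user, valid one month from now.
func NewPKI(user string, now time.Time) (*x509.CertPool, *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Enterprise CA"},
		NotBefore: now, NotAfter: now.AddDate(1, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	ca := issue(caTmpl, caTmpl, caPub, caKey) // self-signed root
	clientPub, _, _ := ed25519.GenerateKey(rand.Reader) // the private key would stay on the device
	client := issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: user},
		NotBefore: now, NotAfter: now.AddDate(0, 1, 0), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca, clientPub, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return roots, client
}

// VerifyClient checks: chain to a trusted CA, validity period current at now, subject is a known user.
func VerifyClient(cert *x509.Certificate, roots *x509.CertPool, now time.Time) (string, error) {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err // untrusted issuer, not yet valid, or expired
	}
	user := cert.Subject.CommonName
	if !registry[user] {
		return "", errors.New("certificate subject is not an enrolled user: " + user)
	}
	return user, nil
}
```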
The following figure shows the client certificate authentication flow: