WebSphere Application Server and Liberty profile requirements
User certificate authentication uses standard SSL X.509 User Certificates, which requires the use of an SSL channel.
There are a few requirements around SSL that must be configured in order for user certificate authentication to work.
- The SSL channel for WAS or the Liberty profile must be configured with a trust store that includes the certificate authority (CA) used to sign the user certificates.
- The application server must be configured to allow a user certificate, but not require it. This configuration is important so that the MobileFirst Platform sends an unauthenticated challenge to the device when the device does not provide a user certificate.
- A user registry must be defined for the application server. The name used to authenticate a user against that user registry must match the common name (CN) in a generated user certificate.
- The User Certificate Authentication feature requires the server to be configured to require a valid X.509 client certificate. The feature also requires an alternate fallback authentication mechanism for when a certificate does not yet exist on the client. WAS Liberty Profile Versions 8.5.5.0 and 8.5.5.1 allow basic authentication, or an HTTP 401 status code, as a fallback to authenticate a user. However, a MobileFirst client cannot handle this configuration. To protect the MobileFirst Server with the WAS Liberty Profile security mechanisms, install a fix for APAR PI10103 for Liberty Versions 8.5.5.0 and 8.5.5.1. See PI10103: Support certificate authentication to fail over to a form-based login.
- Configure the Liberty profile
We must enable an HTTPS endpoint in WAS Liberty profile that uses the server's certificate, and trusts the client certificates.
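The following Liberty `server.xml` fragment is an added example, not taken from the MobileFirst documentation, showing how the requirements above map onto Liberty configuration: an HTTPS endpoint backed by the server's own certificate, a trust store holding the CA that signs user certificates, client certificate authentication that is supported but not required, and a user registry whose user names match the certificate CN. The file names, passwords, port numbers, realm and user name are assumed placeholders.

```xml
<server description="MobileFirst Server with user certificate authentication (added example)">

    <!-- ssl-1.0 provides the HTTPS endpoint; appSecurity-2.0 provides the
         user registry and client certificate login. -->
    <featureManager>
        <feature>ssl-1.0</feature>
        <feature>appSecurity-2.0</feature>
    </featureManager>

    <!-- HTTPS endpoint used by MobileFirst clients (ports are assumed). -->
    <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080" httpsPort="9443" />

    <!-- Key store: the server's own certificate and private key.
         Location and password are placeholders. -->
    <keyStore id="defaultKeyStore" location="key.jks" password="REPLACE_ME" />

    <!-- Trust store: must contain the certificate of the CA that signs the
         user certificates, otherwise the client certificate is rejected
         at the TLS layer and the CN is never seen by the registry. -->
    <keyStore id="defaultTrustStore" location="trust.jks" password="REPLACE_ME" />

    <!-- clientAuthenticationSupported="true" asks the device for a
         certificate but still completes the handshake without one, so the
         server can send the unauthenticated challenge.
         clientAuthentication="true" would instead make the certificate
         mandatory and break the first enrollment request. -->
    <ssl id="defaultSSLConfig"
         keyStoreRef="defaultKeyStore"
         trustStoreRef="defaultTrustStore"
         clientAuthenticationSupported="true"
         clientAuthentication="false" />
    <sslDefault sslRef="defaultSSLConfig" />

    <!-- User registry: the user name must equal the CN of the user
         certificate (for example CN=jdoe). Realm and user are assumed. -->
    <basicRegistry id="basic" realm="MobileFirstRealm">
        <user name="jdoe" password="REPLACE_ME" />
    </basicRegistry>

</server>
```

A quick way to confirm the trust store requirement is met before testing from a device is to list the trust store with the JDK's `keytool -list -keystore trust.jks` and check that the issuing CA appears as a `trustedCertEntry`; if the CA is missing, the TLS handshake fails with a certificate error on the device and no registry lookup is attempted.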
Parent topic: User certificate authentication on the server