Authenticity of client and server identities during a SSL connection is validated by both communicating parties using public key cryptography or asymmetric cryptography, to prove the claimed identity from each other.
Public key cryptography is a cryptographic method that uses public and private keys to encrypt and decrypt messages. The public key is distributed as a public key certificate while the private key is kept private. The public key is also a cryptographic inverse of the private key. Well known public key cryptographic algorithms such as the Rivest Shamir Adleman (RSA) algorithm and Diffie-Hellman (DH) algorithm are supported in WAS.
Public key certificates are either issued by a trusted organization like a certificate authority (CA) or extracted from a self-signed personal certificate by using the IBM Key Management Tool (iKeyman). A self-signed certificate is less secure and is not recommended for use in a production environment.
The public key certificate includes the following information...
- Issuer of the certificate
- Expiration date
- Subject that the certificate represents
- Public key belonging to the subject
- Signature by the issuer
You can link multiple key certificates into a certificate chain. In a certificate chain, the client is always first, while the certificate for a root CA is last. In between, each certificate belongs to the authority that issued the previous one.
During the SSL connection, a digital signature is also applied to avoid forged keys. The digital signature is an encrypted hash and cannot be reversed. It is very useful for validating the public keys.
SSL supports reciprocal authentication between the client and the server. This process is optional during the handshake. By default, a WAS client always authenticates its server during the SSL connection. For further protection, you can configure a WAS for client authentication.
Refer to the Transport Layer Security specification at for further information.