Configure SSL for Java client authentication
WAS supports Java client authentication using a digital certificate when the client attempts to make a SSL connection. The authentication occurs during an SSL handshake. The SSL handshake is a series of messages exchanged over the SSL protocol to negotiate for connection-specific protection. During the handshake, the secure server requests the client to send back a certificate or certificate chain for the authentication. To configure SSL for Java client authentication, consider the following questions...
- Have you enabled security with your WAS? Refer to Configuring global security for more details.
- Have you configured Common Secure Interoperability (CSI) authentication protocol for your target appserver? Refer to Configuring global security for more details.
Note that The SAS authentication protocol does not support Java client authentication with SSL transport.
- Have you configured your server to support secure transport for the inbound CSI authentication protocol?
- Have you configured your server to support client authentication at the transport layer for the inbound CSI authentication protocol?
- If you are using a self-signed personal certificate, have you exported the public certificate from your client application Java keystore file or cryptographic token device?
- If you are using a certificate authority (CA)-signed personal certificate, have you received the root certificate of the CA?
- If you are using a self-signed personal certificate, have you imported the public certificate into your target Java truststore file as a signer certificate?
- If you are using a CA-signed (certificate authority) personal certificate, have you imported the CA root certificate into your target Java trust store file as a signer certificate?
- Does the common name (CN) specified in your personal certificate name exist in your configured user registry?
If you answer yes to all of these questions, you can configure SSL for Java client authentication.
Note that Java client authentication using digital certificates is supported only by the CSIv2 authentication protocol.
- Configure CSIv2 for SSL client authentication.
- Add keystore files.
- Add truststore files.
- Save changes.
- Restart the server if you have configured the server.
If a connection problem occurs, you can set a Java property, javax.net.debug=true, before you run your client or your server to generate debugging information. See Troubleshooting security configurations for further information about how to debug an IBM JSSE problem.
See AlsoAuthentication protocol for EJB security
Creating a SSL repertoire configuration entry
Managing digital certificates
Cryptographic token settings