Configure Secure Sockets Layer for Web client authentication





Before you begin

To enable client-side certificate-based authentication, modify the authentication method that is defined on the J2EE Web module that you want to manage. The Web module might already be configured to use the basic challenge authentication method. In this case, change the challenge type to client certificate. WebSphere Application Server (WAS) administrators make this change with the assembly tools. Developers can use the Rational Web Developer environment to achieve the same result.



  1. Launch the assembly tools. This step can be done either before an enterprise application archive (.ear) file is deployed into WAS or after it is deployed. The latter option is discouraged in a production environment because it involves opening the expanded archive that corresponds to the enterprise application archive, found in the installedApps directory.

  2. Under the application, locate and expand the Web module package for which you want to enable the client-side certificate authentication method.

  3. Select the appropriate Web application, and switch to the Advanced tab. Modify the authentication method to client certificate. The realm name is the scope of the login operation and is the same for all participating resources.

  4. Click OK, and save the changes you made with the assembly tools.

  5. If the modification is made to a resource that is already deployed in WebSphere Application Server, stop and restart the associated application server that contains the resource, so that the security modification is included in the run time.



Now your enterprise application prompts the user for proof of identity with a certificate.
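The change made in steps 3 and 4 is stored in the Web module's deployment descriptor, WEB-INF/web.xml, as the login-config element that the Servlet specification defines. The following added example (not part of the original page and not IBM code) reads that descriptor from a WAR and reports whether the authentication method is CLIENT-CERT. The sample WAR, the SampleWeb and SampleRealm names, and the function names are constructed for illustration.

```python
# Added example (not IBM code): report the authentication method declared in a
# Web module's deployment descriptor (WEB-INF/web.xml).
import io
import xml.etree.ElementTree as ET
import zipfile

def _local(tag):
    """Strip an XML namespace so DTD-based and schema-based descriptors both match."""
    return tag.rsplit("}", 1)[-1]

def login_config(web_xml):
    """Return (auth_method, realm_name) from web.xml bytes; None where absent."""
    root = ET.fromstring(web_xml)
    for el in root.iter():
        if _local(el.tag) == "login-config":
            vals = {_local(c.tag): (c.text or "").strip() for c in el}
            return vals.get("auth-method"), vals.get("realm-name")
    return None, None

def check_war(war_bytes):
    """Open a .war held in memory and say whether it asks for a client certificate."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        method, realm = login_config(war.read("WEB-INF/web.xml"))
    return {"auth_method": method, "realm": realm,
            "client_cert": method == "CLIENT-CERT"}

def _sample_war(auth_method):
    """Constructed sample: a minimal WAR whose descriptor uses the given method."""
    xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <display-name>SampleWeb</display-name>
  <login-config>
    <auth-method>{auth_method}</auth-method>
    <realm-name>SampleRealm</realm-name>
  </login-config>
</web-app>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", xml)
    return buf.getvalue()

if __name__ == "__main__":
    # "before" is a module still using basic challenge; "after" is the edited one.
    for label, method in (("before", "BASIC"), ("after", "CLIENT-CERT")):
        print(label, check_war(_sample_war(method)))
```

A descriptor with no login-config element returns None for both values, which the check reports as not requesting a client certificate.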


The Web server must also be configured to request a client certificate. If the Web server is external, refer to the appropriate configuration documentation. If the Web server is the Web container transport (for example, 9043) within WebSphere Application Server, verify that the client authentication flag is selected in the referenced SSL configuration.

Also, add the browser's signer certificate to the application server's keystore. For a self-signed personal certificate, the signer certificate is the public key of the personal certificate. For a certificate authority-signed server personal certificate, the signer certificate is the root certificate authority certificate of the certificate authority that signed the personal certificate.

Refer to the Map certificates to users article to determine how a certificate is authenticated within the product.


See Also

Secure Sockets Layer


Related Tasks

Manage digital certificates
Import signer certificates




WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.
IBM is a trademark of the IBM Corporation in the United States, other countries, or both.
Rational is a trademark of the IBM Corporation in the United States, other countries, or both.