Enable SSL client authentication for a specific inbound endpoint


After establishing an SSL configuration, we can enable client authentication for a specific inbound endpoint.

The endpoint configuration must already exist in the SSL topology.

Complete the following steps in the admin console:


  1. Click Security > SSL certificate and key management > Manage endpoint security configurations > Inbound > SSL_configuration. To enable SSL client authentication for all processes, define an SSL configuration for the new endpoint at the node or cell level so that it is visible to all processes on the same node or on the entire cell.

    See Create an SSL configuration.

  2. Select Override inherited values. The SSL configuration is used for the current scope and any lower scopes that have not already designated an SSL configuration. This field displays for server and node groups within the object hierarchy and does not display for the top-level node or cell.

  3. Select an SSL configuration from the drop-down list.

  4. Click Update certificate alias list.

  5. Select a Certificate alias from the drop-down list.

  6. Click OK to save the configuration.
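The same steps can be scripted with wsadmin instead of the admin console. The following Jython script is an added example, not code from the original page or from IBM: it creates an SSL configuration at node scope that requires a client certificate and then points the inbound endpoint configuration at it, which is the scripted equivalent of selecting Override inherited values, choosing the SSL configuration and the certificate alias, and clicking OK. The cell, node, endpoint, alias and key store names are placeholders; the command and parameter names are as given in the wsadmin AdminTask reference for createSSLConfig and modifySSLConfigGroup, and should be confirmed for your release with AdminTask.help('modifySSLConfigGroup') before use.

```jython
# Added example (not from the original page): wsadmin Jython equivalent of the
# admin-console procedure above, applied at node scope so every process on the
# node sees the endpoint configuration.
# Assumptions (placeholders): cell/node names, the endpoint name, the SSL
# configuration alias, the certificate alias and the key/trust store names.

cellName  = 'myCell01'                    # placeholder
nodeName  = 'myNode01'                    # placeholder
scope     = '(cell):%s:(node):%s' % (cellName, nodeName)
endpoint  = 'WC_defaulthost_secure'       # placeholder: inbound endpoint in the SSL topology
sslAlias  = 'ClientAuthSSLConfig'         # placeholder: SSL configuration alias
certAlias = 'default'                     # placeholder: personal certificate alias

# Step 1: define an SSL configuration that requires (not merely supports) a
# client certificate. Use '-clientAuthenticationSupported' instead of
# '-clientAuthentication' if the endpoint should accept clients without one.
AdminTask.createSSLConfig(['-alias', sslAlias,
                           '-scopeName', scope,
                           '-keyStoreName', 'NodeDefaultKeyStore',
                           '-keyStoreScopeName', scope,
                           '-trustStoreName', 'NodeDefaultTrustStore',
                           '-trustStoreScopeName', scope,
                           '-clientAuthentication', 'true'])

# Steps 2-5: override the inherited values for the inbound endpoint and select
# the SSL configuration and certificate alias it should use.
AdminTask.modifySSLConfigGroup(['-name', endpoint,
                                '-direction', 'inbound',
                                '-scopeName', scope,
                                '-certificateAlias', certAlias,
                                '-sslConfigAliasName', sslAlias,
                                '-sslConfigScopeName', scope])

# Step 6: persist the configuration; servers on the node pick it up on restart.
AdminConfig.save()

# Check: the inbound endpoint configuration at this scope should now list the
# new SSL configuration alias.
print AdminTask.listSSLConfigGroups(['-direction', 'inbound', '-scopeName', scope])
```

Run it with `wsadmin -lang jython -f <script>` against the deployment manager. Because the SSL configuration here sets `-clientAuthentication true`, any client that reaches this endpoint without a certificate whose signer is in NodeDefaultTrustStore will fail the handshake, so populate the trust store before restarting the servers.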


Results

We can repeat the previous steps for each endpoint that uses the same SSL configuration to enable client authentication for the inbound endpoints.


Next steps

CSIv2 Protocol Exception:

The Common Secure Interoperability Version 2 (CSIv2) secure endpoints, used for RMI/IIOP security, cannot override inherited values. While the rest of the SSL properties are effective for CSIv2 when they are selected at the centrally-managed Secure Communications panel, the client authentication selection is controlled by the CSIv2 protocol configuration.

To enable SSL client certificate authentication for the CSIv2 protocol, use the CSIv2 inbound and outbound authentication panels. For SSL client authentication to occur between two servers, enable (support or require) SSL client certificate authentication for both the inbound and the outbound policies.

WAS can either request (support) that clients provide a signer certificate for the SSL handshake, or require that clients provide a valid signer certificate for the SSL handshake, which is the more secure method. However, when the server requires certificates, it must obtain a signer for each client that connects to it, which involves more server-side management.

The client certificate should not be used as the identity in server-to-server communication. However, when a pure client sends a client certificate, that certificate is used as the identity unless a message-level identity is specified, such as a user ID and password. Do the following to enable client certificate authentication for the CSIv2 protocol for server-to-server communication:

  1. Click Security > Global security.

  2. Expand the RMI/IIOP security section.

  3. Click CSIv2 inbound authentication.

  4. Under Client authentication, select either supported or required. When you select required, only one SSL port is opened (CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS). When you select supported, two SSL ports are opened (both CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS and CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS).

    If there are two ports, the client can select either based on the security configuration policy of the port.

  5. Click OK to save.

  6. If we want server-to-server SSL client authentication, then complete the remaining steps. If we don't complete the remaining steps, only pure clients are enabled to send client certificates.

  7. Expand the RMI/IIOP security section.

  8. Click CSIv2 outbound authentication.

  9. Under Client authentication, select either supported or required.

The SSL configuration for the inbound secure endpoints on which you enable SSL client certificate authentication must contain the signer certificate of every client that attempts to open a connection to that endpoint. Collect those signers and add them to the trust store associated with the inbound secure endpoint's SSL configuration.
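The CSIv2 steps above and the trust store requirement in the previous paragraph can also be scripted. The following wsadmin Jython script is an added example, not code from the original page or from IBM: it sets CSIv2 inbound client certificate authentication to required and outbound to supported (the server-to-server case), then adds a client's signer to the node trust store in the two ways the related tasks describe, by retrieving it from a client server's secure port and by importing an extracted signer file. Host, port, file path, scope and alias values are placeholders; the command and parameter names follow the wsadmin AdminTask reference (configureCSIInbound, configureCSIOutbound, retrieveSignerFromPort, addSignerCertificate, listSignerCertificates) and should be confirmed for your release with AdminTask.help on each command.

```jython
# Added example (not from the original page): wsadmin Jython for the CSIv2
# inbound/outbound client authentication steps plus populating the trust store
# of the inbound endpoint's SSL configuration with client signers.
# Assumptions (placeholders): cell/node names, the client server host and port,
# the signer file path, and the certificate aliases.

cellName = 'myCell01'            # placeholder
nodeName = 'myNode01'            # placeholder
scope    = '(cell):%s:(node):%s' % (cellName, nodeName)

# Steps 1-5 (CSIv2 inbound): 'Required' opens only
# CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS; 'Supported' also opens
# CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS so clients without a certificate can
# still connect on the server-auth port.
AdminTask.configureCSIInbound(['-clientCertAuth', 'Required'])

# Steps 6-9 (CSIv2 outbound): only needed for server-to-server client
# authentication. Leave this out and only pure clients send certificates.
AdminTask.configureCSIOutbound(['-clientCertAuth', 'Supported'])

# Trust store, method (a): retrieve the signer presented on the secure port of
# a client server. This trusts whatever that port presents, so compare the
# digest printed by the command with one obtained out of band before saving.
AdminTask.retrieveSignerFromPort(['-host', 'client-server.example.com',   # placeholder
                                  '-port', '9443',                        # placeholder
                                  '-keyStoreName', 'NodeDefaultTrustStore',
                                  '-keyStoreScope', scope,
                                  '-certificateAlias', 'clientServerSigner'])

# Trust store, method (b): import a signer file extracted from a pure client's
# personal certificate (see "Extracting a signer certificate from a personal
# certificate" under Related tasks).
AdminTask.addSignerCertificate(['-keyStoreName', 'NodeDefaultTrustStore',
                                '-keyStoreScope', scope,
                                '-certificateFilePath', '/tmp/clientSigner.arm',  # placeholder
                                '-certificateAlias', 'pureClientSigner',
                                '-base64Encoded', 'true'])

AdminConfig.save()

# Check: both signer aliases should appear before the servers are restarted;
# a client whose signer is missing here fails the SSL handshake.
print AdminTask.listSignerCertificates(['-keyStoreName', 'NodeDefaultTrustStore',
                                        '-keyStoreScope', scope])
```

Method (a) is convenient but establishes trust on first use; for anything beyond a test cell, prefer method (b) with a signer file whose fingerprint the certificate owner has confirmed, and keep the trust store limited to the signers of clients that actually need the endpoint.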


SSL node, appserver, and cluster isolation


Related tasks


Select an SSL configuration alias directly from an endpoint configuration
Extracting a signer certificate from a personal certificate
Create an SSL configuration