Enable Secure Sockets Layer client authentication for a specific inbound endpoint
Once an SSL configuration exists, we can enable client authentication for a specific inbound endpoint.
The endpoint configuration must already exist in the SSL topology.
Complete the following steps in the console:
- Click Security > SSL certificate and key management > Manage endpoint security configurations > Inbound > SSL_configuration. To enable SSL client authentication for all processes, define an SSL configuration for the new endpoint at the node or cell level so that it is visible to all processes on the same node or on the entire cell. For more information, see Create a Secure Sockets Layer configuration.
- Select Override inherited values. The SSL configuration is used for the current scope and any lower scopes that have not already designated an SSL configuration. This field displays for server and node groups within the object hierarchy and does not display for the top-level node or cell.
- Select an SSL configuration from the drop-down list.
- Click Update certificate alias list.
- Select a Certificate alias from the drop-down list.
- Click OK to save the configuration.
Results
We can repeat the previous steps for each endpoint that uses the same SSL configuration to enable client authentication for the inbound endpoints.
What to do next
CSIv2 protocol exception: The Common Secure Interoperability Version 2 (CSIv2) secure endpoints, used for Remote Method Invocation over the Internet Inter-ORB Protocol (RMI/IIOP) security, cannot override inherited values. While the rest of the SSL properties are effective for CSIv2 when they are selected at the centrally-managed Secure Communications panel, the client authentication selection is controlled by the CSIv2 protocol configuration.
To enable SSL client certificate authentication for the CSIv2 protocol, use the CSIv2 inbound and outbound authentication panels. For SSL client authentication to occur between two servers, enable (support or require) SSL client certificate authentication for both the inbound and the outbound policies.
WebSphere Application Server (WAS) can either request (support) that clients provide signer certificates for the SSL handshake, or require clients to provide a valid signer certificate for the SSL handshake, which is the more secure method. However, when the server requires certificates, it must hold a signer for each client that connects to it, which involves more server-side management.
The client certificate should not be used for the identity when it is used from server-to-server. However, when a pure client sends the client certificate it is used for the identity unless a message level identity is specified, such as a user ID or a password.
Do the following to enable client certificate authentication for the CSIv2 protocol for server-to-server:
- Click Security > Global security.
- Expand the RMI/IIOP security section.
- Click CSIv2 inbound authentication.
- Under Client authentication, select either supported or required. When you select required, only one SSL port is opened (CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS). When you select supported, two SSL ports are opened (both CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS and CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS). If there are two ports, the client can select either based on the security configuration policy of the port.
- Click OK to save.
- If we want server-to-server SSL client authentication, then complete the remaining steps. If we don't complete the remaining steps, only pure clients are enabled to send client certificates.
- Expand the RMI/IIOP security section.
- Click CSIv2 outbound authentication.
- Under Client authentication, select either supported or required.
The SSL configuration for the inbound secure endpoints for which you enable SSL client certificate authentication must have the signer certificate from every client that attempts to open a connection to that inbound secure endpoint. We must collect those signers and then add them to the trust store associated with the inbound secure endpoint's SSL configuration.
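The console procedures above (binding an inbound endpoint to a client-authentication SSL configuration, setting the CSIv2 inbound and outbound policies, and adding client signers to the trust store) as a wsadmin Jython script; this is an added example, not IBM's code. The cell, node, alias, endpoint and file names are assumed placeholders, and the AdminTask command and parameter names are recalled from the SSLConfigCommands, KeyStoreCommands and SecurityConfigurationCommands groups and should be confirmed with AdminTask.help('<command>') on the target release.

```jython
# Added example, not from the IBM documentation. Run with wsadmin -lang jython.
# Names below are assumed placeholders; verify parameters with AdminTask.help().
CELL = 'cell01'                          # assumed cell name
NODE = 'node01'                          # assumed node name
NODE_SCOPE = '(cell):%s:(node):%s' % (CELL, NODE)
SSL_ALIAS = 'InboundClientAuthSSL'       # assumed alias of the new SSL configuration
TRUST_STORE = 'NodeDefaultTrustStore'    # trust store the SSL configuration uses

def create_ssl_config(mode):
    # 'supported' only requests a client certificate; 'required' rejects any
    # handshake that does not present a certificate chained to a trusted signer.
    if mode == 'required':
        flags = '-clientAuthentication true -clientAuthenticationSupported false'
    elif mode == 'supported':
        flags = '-clientAuthentication false -clientAuthenticationSupported true'
    else:
        raise ValueError('mode must be supported or required, got %s' % mode)
    AdminTask.createSSLConfig('[-alias %s -scopeName %s -type JSSE '
                              '-keyStoreName NodeDefaultKeyStore -keyStoreScopeName %s '
                              '-trustStoreName %s -trustStoreScopeName %s %s]'
                              % (SSL_ALIAS, NODE_SCOPE, NODE_SCOPE, TRUST_STORE,
                                 NODE_SCOPE, flags))

def bind_inbound_endpoint(endpoint_name):
    # Steps 1-6 of the first procedure: override the inherited SSL configuration
    # for one inbound endpoint and pick the certificate alias it presents.
    AdminTask.createSSLConfigGroup('[-name %s -direction inbound -scopeName %s '
                                   '-sslConfigAliasName %s -certificateAlias default]'
                                   % (endpoint_name, NODE_SCOPE, SSL_ALIAS))

def add_client_signer(alias, cert_file):
    # Final paragraph: the trust store behind the inbound SSL configuration must
    # hold the signer of every client, or that client's handshake fails when
    # client authentication is required.
    AdminTask.addSignerCertificate('[-keyStoreName %s -keyStoreScope %s '
                                   '-certificateAlias %s -certificateFilePath %s '
                                   '-base64Encoded true]'
                                   % (TRUST_STORE, NODE_SCOPE, alias, cert_file))

def configure_csiv2(mode):
    # CSIv2 exception: its client-certificate setting lives on the CSIv2 inbound
    # and outbound policies, not on the endpoint SSL configuration; both are
    # needed for server-to-server client authentication.
    AdminTask.configureCSIInbound('[-clientCertAuth %s]' % mode.capitalize())
    AdminTask.configureCSIOutbound('[-clientCertAuth %s]' % mode.capitalize())

create_ssl_config('required')
bind_inbound_endpoint('WC_defaulthost_secure')                # assumed endpoint name
add_client_signer('partnerClient', '/tmp/partnerClient.arm')  # assumed signer file
configure_csiv2('supported')
AdminConfig.save()
```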
Related concepts
Secure Sockets Layer node, application server, and cluster isolation
Related tasks
Select an SSL configuration alias directly from an endpoint configuration
Add the correct SSL Signer certificates to the plug-in keystore
Create a Secure Sockets Layer configuration