X.509 certificates
WebSphere Commerce supports client certificate logon as a security mechanism, protecting both site and customer. The X.509 certificate supplements basic authentication for customers entering a site. A customer holding this certificate can access a secured WebSphere Commerce site, which has been enabled for client certificate authentication.
When creating a WebSphere Commerce instance, you select the Authentication Mode. The Authentication Mode is either Basic or X.509. The default is Basic authentication, which is logon authentication using a login ID and password. To activate logon authentication using X.509 certificates, select X.509 authentication.
Before you can begin using X.509 certificates, arrange for a trust relationship with an external certificate authority to handle electronic authentication of the X.509 certificates. If you are using Sun Java System Web Server as your Web server, follow additional steps to enable the X.509 certificates on your Web server. Refer to the Sun Java System Web Server product documentation for more information and complete instructions.
X.509 users are accessible through the WebSphere Commerce Accelerator. Before X.509 certificate authentication is enabled, the administrator must ensure there is a client certificate, which is recognized by the server certificate and installed on the browser. Otherwise, the administrator will be unable to log on. When the administrator accesses the WebSphere Commerce Administration Console login window for the first time, a certificate customer record is created and a customer cookie is issued, similar to when a normal customer accesses a secure URL. After the administrator logs on to the WebSphere Commerce Administration Console using the correct ID and password, an administrator cookie is issued, replacing the customer cookie. An administrator will then have two user records: the administrator user and the previous customer user.
An error message is displayed when:
- A user's X.509 certificate has been revoked by a site.
- A client certificate does not contain the necessary information to guarantee that the customer is unique in WebSphere Commerce.
The X.509 error view task is registered as X509 ErrorView in the Struts configuration files.
A typical authentication scenario
The following steps illustrate a typical authentication scenario for X.509 certificates:
- A customer accesses one of the following:
  - A non-secure URL through http://. No authentication is performed.
  - A secure URL through https://. The customer is prompted to select a client certificate.
  - A URL command that is redirected to https:// because of the access mode of the URL command. The customer is prompted to select a client certificate.
- The WebSphere Commerce Server uses the information from the client certificate to see if the customer already exists in the WebSphere Commerce USERS table:
  - If the customer exists with a valid certificate status, the customer is authenticated and the shopping flow resumes.
  - If the customer does not exist, the customer is automatically registered in the WebSphere Commerce database and the shopping flow resumes.
Note: Only the information found in the CERT_X509 table is taken from the certificate. However, customer address information could be taken from the X.509 client certificate, if it is available.
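The lookup described in the scenario above, as an added Python model that is not part of the WebSphere Commerce product or of this documentation: the USERS and CERT_X509 tables are stand-in dictionaries, their column names and the issuer-plus-serial uniqueness key are assumptions, and the revoke method stands in for the administrator's status update.

```python
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Optional

class Outcome(Enum):
    NO_AUTH = auto()           # http:// request: no certificate is requested
    AUTHENTICATED = auto()     # existing user with a valid certificate status
    REGISTERED = auto()        # unknown certificate: user auto-registered
    ERROR_REVOKED = auto()     # status set to revoked by the site: error view
    ERROR_NOT_UNIQUE = auto()  # certificate lacks the fields that make a user unique

@dataclass
class CertificateLogon:
    """In-memory model of the USERS / CERT_X509 lookup (constructed, not the product schema)."""
    users: dict = field(default_factory=dict)      # users_id -> subject DN
    cert_x509: dict = field(default_factory=dict)  # (issuer, serial) -> {users_id, status}

    @staticmethod
    def cert_key(cert: dict) -> Optional[tuple]:
        # Assumption: issuer DN plus serial number identify exactly one certificate.
        # A subject DN alone can be shared, so it cannot guarantee a unique customer.
        issuer, serial = cert.get("issuer"), cert.get("serial")
        return (issuer, serial) if issuer and serial else None

    def logon(self, scheme: str, cert: Optional[dict]) -> tuple:
        """Return (Outcome, users_id or None) for one request."""
        if scheme == "http":
            return Outcome.NO_AUTH, None          # non-secure URL: no authentication
        key = self.cert_key(cert or {})
        if key is None:
            return Outcome.ERROR_NOT_UNIQUE, None
        record = self.cert_x509.get(key)
        if record is not None:
            if record["status"] != "valid":
                return Outcome.ERROR_REVOKED, None
            return Outcome.AUTHENTICATED, record["users_id"]
        # Customer not found: register automatically, storing only certificate fields.
        users_id = len(self.users) + 1
        self.users[users_id] = cert.get("subject", "")
        self.cert_x509[key] = {"users_id": users_id, "status": "valid"}
        return Outcome.REGISTERED, users_id

    def revoke(self, issuer: str, serial: str) -> bool:
        """Site-side status update; a later logon with this certificate is rejected."""
        record = self.cert_x509.get((issuer, serial))
        if record is None:
            return False
        record["status"] = "revoked"
        return True
```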
Related tasks
Enabling X.509 certificates
Updating the status of X.509 certificate users