X.509 certificates
WebSphere Commerce supports client certificate logon as a security mechanism, protecting both site and customer. The X.509 certificate supplements basic authentication for customers entering a site. A customer holding this certificate can access a secured WebSphere Commerce site, which has been enabled for client certificate authentication.
When creating a WCS instance, you select the Authentication Mode, either...
- Basic
- X.509
The default is Basic authentication, which is logon authentication using a login ID and password.
To activate logon authentication using X.509 certificates, select X.509 authentication.
Before you can begin using X.509 certificates, arrange for a trust relationship with an external certificate authority to handle electronic authentication of the X.509 certificates. If you are using Sun Java System Web Server as the Web server, you will need to follow additional steps to enable the X.509 certificates on the Web server.
X.509 users are accessible through the WebSphere Commerce Accelerator.
Before X.509 certificate authentication is enabled, the administrator must ensure there is a client certificate, which is recognized by the server certificate and installed on the browser. Otherwise, the administrator will be unable to log on. When the administrator accesses the Administration Console login window for the first time, a certificate customer record is created and a customer cookie is issued, similar to when a normal customer accesses a secure URL. After the administrator logs on to the Administration Console using the correct ID and password, an administrator cookie is issued, replacing the customer cookie. An administrator will then have two user records:
- administrator user
- previous customer user
An error message is displayed when:
- A user's X.509 certificate has been revoked by a site
- A client certificate does not contain the necessary information to guarantee that the customer is unique in WebSphere Commerce.
The X.509 error view task is registered as X509 ErrorView in the Struts configuration files.
A typical authentication scenario
The following steps illustrate a typical authentication scenario for X.509 certificates:
- A customer accesses one of the following:
  - A non-secure URL through http://: no authentication is performed.
  - A secure URL through https://: the customer is prompted to select a client certificate.
  - A URL command that is redirected to https:// because of the access mode of the URL command: the customer is prompted to select a client certificate.
- The WebSphere Commerce Server uses the information from the client certificate to see if the customer already exists in the WebSphere Commerce USERS table:
  - If the customer exists with a valid certificate status, the customer is authenticated and the shopping flow resumes.
  - If the customer does not exist, the customer is automatically registered in the WebSphere Commerce database and the shopping flow resumes.
Note: Only the information found in the CERT_X509 table is taken from the certificate. However, customer address information could be taken from the X.509 client certificate, if it is available.
- Enable X.509 certificates
When creating a WCS instance, you select either Basic authentication or X.509 authentication using the Configuration Manager. The default is Basic authentication, which is authentication using a logon ID and password.
- Update the status of X.509 certificate users
Using the WebSphere Commerce Accelerator, a site administrator can update the status of an X.509 certificate user, to one of the following three status values: Valid, Revoked, Expired.
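The following is an added illustration, not WebSphere Commerce code, that models the authentication scenario above together with the three certificate status values: the table layout, the field names, and the assumption that issuer DN plus serial number is what makes a customer unique are all made up for the example.

```python
# Added example (not WebSphere Commerce code): a model of the X.509 logon
# decision flow described on this page. The in-memory "table", its field
# names and the uniqueness rule (issuer DN + serial number) are assumptions.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

VALID, REVOKED, EXPIRED = "Valid", "Revoked", "Expired"   # the three status values


@dataclass
class ClientCert:
    issuer: Optional[str]   # issuer DN presented in the client certificate
    serial: Optional[str]   # serial number; (issuer, serial) assumed to identify a customer
    subject: str = ""


@dataclass
class CertStore:
    # Stand-in for the CERT_X509 / USERS tables: key -> (users_id, status)
    users: Dict[Tuple[str, str], Tuple[int, str]] = field(default_factory=dict)
    next_id: int = 1000


def x509_logon(cert: Optional[ClientCert], store: CertStore, secure: bool) -> str:
    """Outcome of one request: 'no-auth', 'authenticated', 'registered',
    or 'error-view' (the registered X.509 error view task is shown)."""
    if not secure:                       # http:// request: no authentication is performed
        return "no-auth"
    # The certificate must carry the fields needed to make the customer unique;
    # otherwise the error view is shown instead of guessing or merging accounts.
    if cert is None or not cert.issuer or not cert.serial:
        return "error-view"
    key = (cert.issuer, cert.serial)
    record = store.users.get(key)
    if record is None:                   # unknown customer: auto-register, flow resumes
        store.users[key] = (store.next_id, VALID)
        store.next_id += 1
        return "registered"
    _users_id, status = record
    if status == VALID:
        return "authenticated"
    return "error-view"                  # Revoked or Expired: error view, no logon


def set_status(store: CertStore, issuer: str, serial: str, status: str) -> None:
    """Administrator action (the Accelerator's status update) on an existing user."""
    if status not in (VALID, REVOKED, EXPIRED):
        raise ValueError(f"unknown certificate status {status!r}")
    users_id, _ = store.users[(issuer, serial)]
    store.users[(issuer, serial)] = (users_id, status)
```

Run the same certificate through a plain http:// request, a first and second https:// request, and again after an administrator revokes it to see each branch of the flow.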