Secure Socket Layer Client Certificate authentication (Transport Layer Authentication)

Using SSL client authentication is another way of authenticating a client to a server. This form of authentication does not occur at the message layer (that is, not by using a user ID and password or tokens). Instead, it occurs during the connection handshake using SSL certificates. When the client is configured with a personal certificate in its SSL keystore, the client indicates that SSL client authentication is desired, and the server supports SSL client authentication, then actions are performed to establish the identity on the client side.

When a method request is invoked in the client code on a remote enterprise bean, the ORB invokes the client connection interceptor to establish a connection with the server. Because the configuration specifies SSL, and in addition SSL client authentication, the connection type is SSL, and the SSL handshake sends the client's certificate to the server for validation. If the client certificate does not validate, the connection is not established and an exception is returned to the client code where the method was invoked, indicating the failure. If the client certificate is validated, a connection is opened between the client and the server.

The ORB then calls the client request interceptor, which may or may not have work to do. If, for example, BasicAuth is also configured, the user may be prompted for a user ID and password. This is not necessary when the SSL certificate is the identity the method should be invoked under, so BasicAuth should be disabled in the configuration in that case. If there is no message layer security, no security context is created and associated with the request.

After the server receives the request, the server side request interceptor first checks for a security service context. Because it does not find one, it then checks the server socket for a client certificate chain, which contains the client identity. In this case, it finds the certificate chain from the client. At this point, the identity in the certificate chain is already known to be valid, because the connection could not have been established otherwise. All that remains to create a credential is to map the identity from the certificate to the user registry. How this mapping is done depends on the type of authentication mechanism and the user registry type.

One benefit of SSL client certificate authentication is that it is probably the best-performing way to authenticate, because an SSL connection is typically created anyway. The extra overhead of sending the client's certificate is minimal. The client side request interceptor does essentially nothing, and the server side request interceptor just maps the certificate to a credential. The drawback might be the complexity of setting up the keystore on each client system.

To enable SSL client certificate authentication on the client side, enable the following properties. First, enable SSL. This is done by configuring the properties com.ibm.CSI.performTransportAssocSSLTLSRequired (true or false) and com.ibm.CSI.performTransportAssocSSLTLSSupported (true or false). Setting SSL to required means that every request must be made over an SSL connection; if a server does not support SSL, the request fails. After you have enabled SSL by either supporting it or requiring it, you can enable the SSL features that build on it.

To enable SSL client authentication, configure the properties com.ibm.CSI.performTLClientAuthenticationRequired (true or false) and com.ibm.CSI.performTLClientAuthenticationSupported (true or false). (The "TL" stands for transport layer.) Again, if you say that SSL client authentication is required, you can only communicate with servers that support SSL client authentication. For a server to support SSL client authentication, it must have similar properties configured through the administrative console; this opens an SSL listener port that can handle mutual authentication handshakes. Server properties are always configured through the administrative console.
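As an added example that is not from the original page, the client-side settings described above written as they would appear in the client's CSIv2 properties file, with SSL and transport layer client authentication required and message layer BasicAuth turned off. The BasicAuth property names, the keystore property names, and the keystore path and password are assumptions, not values given on this page:

```properties
# Transport layer: require SSL for every outbound request.
# (Supported=true with Required=false would instead let the client
#  fall back to a non-SSL connection when the server offers no SSL.)
com.ibm.CSI.performTransportAssocSSLTLSRequired=true
com.ibm.CSI.performTransportAssocSSLTLSSupported=true

# Transport layer ("TL") client authentication: present the client's
# personal certificate during the handshake and require the server to
# accept it. With Required=true the client can only talk to servers
# whose SSL listener performs mutual authentication.
com.ibm.CSI.performTLClientAuthenticationRequired=true
com.ibm.CSI.performTLClientAuthenticationSupported=true

# Message layer (BasicAuth) disabled, so the client request interceptor
# does not prompt for a user ID and password and the certificate identity
# is the one mapped to the user registry. Property names are assumed.
com.ibm.CSI.performClientAuthenticationRequired=false
com.ibm.CSI.performClientAuthenticationSupported=false

# Keystore holding the personal certificate the handshake presents.
# Property names are assumed; path and password are placeholders.
com.ibm.ssl.keyStore=/path/to/client-keystore.p12
com.ibm.ssl.keyStoreType=PKCS12
com.ibm.ssl.keyStorePassword=<keystore-password>
```

If the server's SSL listener is not configured for mutual authentication, the handshake fails and the client receives an exception before any method request is sent, which is the expected outcome of setting the transport layer client authentication to required.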

SSL client certificate authentication from a Java client is only available using the CSIv2 protocol.