Configure SSL for Java client authentication
WebSphere Application Server supports Java client authentication using a digital certificate when the client attempts to make a Secure Sockets Layer (SSL) connection.
A secure client connects to a secure Internet InterORB Protocol (IIOP) server that requires client authentication at the transport layer. The authentication occurs during the SSL handshake, the series of messages exchanged over the SSL protocol to negotiate connection-specific protection. During the handshake, the secure server requests that the client send back a certificate or certificate chain, and the server verifies that chain against the signer certificates in its truststore before the connection is established.
For more information, see SSL client certificate authentication (transport layer authentication).
Before you configure SSL for Java client authentication, consider the following questions:
- Have you enabled security in your WebSphere Application Server instance? See Configure global security for more information.
- Have you configured the CSI authentication protocol for your target application server? See Configure global security for more information. Note that the Security Authentication Service (SAS) authentication protocol does not support Java client authentication over the SSL transport.
- Have you configured your server to support secure transport for the inbound CSI authentication protocol?
- Have you configured your server to support client authentication at the transport layer for the inbound CSI authentication protocol?
- If you are using a self-signed personal certificate, have you exported the public certificate from your client application's Java keystore file or cryptographic token device?
- If you are using a personal certificate that is signed by a certificate authority (CA), have you received the root certificate of the CA?
- If you are using a self-signed personal certificate, have you imported the exported public certificate into the target server's Java truststore file as a signer certificate?
- If you are using a CA-signed personal certificate, have you imported the CA root certificate into the target server's Java truststore file as a signer certificate? The server trusts the client certificate only if it chains to a signer in that truststore.
- Does the common name (CN) in the subject of your personal certificate exist as a user in your configured user registry? After the handshake, the server maps the authenticated certificate to a registry user by that CN; a valid certificate whose CN is unknown to the registry is rejected.
If you answer "Yes" to all these questions, you are ready to configure SSL for Java client authentication.
Note: Java client authentication using digital certificates is supported only by the Common Secure Interoperability Version 2 (CSIv2) authentication protocol.
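The following program is an added example, not WebSphere Application Server code, that shows the mechanism the checklist above prepares for: a JSSE server that requires a client certificate during the SSL/TLS handshake, a client that presents one from its own keystore, and a server-side check that the CN of the authenticated certificate exists in a user registry. The keystore and truststore file names, the password changeit, the CN values alice and localhost, and the registry contents are all assumptions made for the example; the keytool commands in the header show how the four files are built for the self-signed case. WebSphere performs these steps through its own SSL configuration and CSIv2 settings rather than through this code.

```java
// Added example (not WebSphere code): a JSSE server that demands a client
// certificate during the TLS handshake, and a client that presents one.
// The four PKCS12 files below are assumed to have been prepared with keytool,
// mirroring the checklist above (self-signed case; the password is an assumption):
//   keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
//     -dname "CN=alice,O=Example" -keystore client.p12 -storetype PKCS12 -storepass changeit
//   keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
//     -dname "CN=localhost,O=Example" -keystore server.p12 -storetype PKCS12 -storepass changeit
//   keytool -exportcert -rfc -alias client -keystore client.p12 -storepass changeit -file client.pem
//   keytool -exportcert -rfc -alias server -keystore server.p12 -storepass changeit -file server.pem
//   keytool -importcert -noprompt -alias client-signer -file client.pem \
//     -keystore server-trust.p12 -storetype PKCS12 -storepass changeit
//   keytool -importcert -noprompt -alias server-signer -file server.pem \
//     -keystore client-trust.p12 -storetype PKCS12 -storepass changeit
// For a CA-signed client certificate, import the CA root into server-trust.p12 instead.
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.*;
import java.io.*;
import java.net.InetAddress;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;

public class ClientAuthDemo {
    static final char[] PASS = "changeit".toCharArray(); // assumption, matches the keytool commands above

    /** Builds an SSLContext from a separate keystore (own identity) and truststore (signers). */
    static SSLContext context(String keyStorePath, String trustStorePath) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(keyStorePath)) { ks.load(in, PASS); }
        KeyStore ts = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(trustStorePath)) { ts.load(in, PASS); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, PASS);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Returns the CN attribute of the certificate subject, or null if there is none. */
    static String commonName(X509Certificate cert) throws Exception {
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if (rdn.getType().equalsIgnoreCase("CN")) {
                return rdn.getValue().toString();
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the configured user registry: the CN must be a known user.
        Set<String> registry = new HashSet<>(Arrays.asList("alice", "bob"));

        SSLContext serverCtx = context("server.p12", "server-trust.p12");
        SSLContext clientCtx = context("client.p12", "client-trust.p12");

        SSLServerSocket listener = (SSLServerSocket) serverCtx.getServerSocketFactory()
                .createServerSocket(0, 1, InetAddress.getLoopbackAddress());
        // Transport-layer client authentication: the handshake itself fails if the client
        // sends no certificate or one that does not chain to a signer in server-trust.p12.
        listener.setNeedClientAuth(true);

        Thread server = new Thread(() -> {
            try (SSLSocket s = (SSLSocket) listener.accept()) {
                Certificate[] chain = s.getSession().getPeerCertificates(); // throws if unauthenticated
                String cn = commonName((X509Certificate) chain[0]);
                String verdict = (cn != null && registry.contains(cn)) ? "OK " + cn : "DENIED " + cn;
                s.getOutputStream().write((verdict + "\n").getBytes(StandardCharsets.UTF_8));
            } catch (Exception e) {
                e.printStackTrace(); // run with -Djavax.net.debug=ssl,handshake to see the CertificateRequest
            }
        });
        server.start();

        try (SSLSocket c = (SSLSocket) clientCtx.getSocketFactory()
                .createSocket(InetAddress.getLoopbackAddress(), listener.getLocalPort())) {
            c.startHandshake(); // the key manager picks the "client" entry when the server asks for a cert
            BufferedReader in = new BufferedReader(new InputStreamReader(c.getInputStream(), StandardCharsets.UTF_8));
            System.out.println("server said: " + in.readLine());
        } finally {
            server.join();
            listener.close();
        }
    }
}
```

Two failure modes from the checklist are visible here: if client.pem was never imported into server-trust.p12, the handshake aborts on the server side before any application data flows, and if the certificate is valid but its CN is not in the registry, the transport authentication succeeds and the server still returns DENIED. Keeping the keystore and truststore as separate files, as the configuration steps below do, is what lets you rotate signers without touching private keys.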
To configure SSL for Java client authentication, perform the following steps:
- Configure CSIv2 for SSL client authentication.
- Add a keystore file to your configuration.
- Add a truststore file to your configuration.
- Stop and then restart the server.
If a connection problem occurs, set the Java system property javax.net.debug on the client or server JVM before you start it, for example -Djavax.net.debug=ssl,handshake (or all for maximum detail), to generate handshake debugging information that shows which certificates were requested, sent, and rejected.