Configure SSL for Web servers

How you configure SSL for the Web server depends on the type of Web server. Consult your Web server documentation for instructions.

Generally speaking, when SSL is enabled, an SSL key file is required. This key file should contain both the CA certificates (signer certificates) and any client or server certificates. Client authentication can also be enabled; by default, it is disabled.

When SSL client authentication is enabled in the Web server, the client certificate (the certificate from the browser) is forwarded by the WebSphere Web server plug-in to WebSphere Application Server. When application deployment descriptors specify that the client certificate authentication method is used, the application server accepts the forwarded certificate as authentication credentials if the distinguished name attribute of the certificate can be mapped to a principal in the user registry. For more information about mapping client certificates, see Configure LDAP search filters.

Note: The client certificate is forwarded to the application server regardless of whether SSL is enabled on the plug-in transport. Because SSL authentication of the browser client certificate actually occurs in the Web server, it is strongly recommended that you configure SSL in the plug-in transport. This requires client authentication of the plug-in itself when application deployment descriptors specify the use of the client certificate authentication method, and thus eliminates the possibility of receiving a client certificate from an untrusted source. For more information about configuring the plug-in transport to require SSL client authentication, see "Configuring SSL for the application server's HTTPS transport" in Configure SSL for WebSphere Application Server.
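
The decision described in the note above, modelled as an added example (not IBM or WebSphere code): a forwarded client certificate is honoured only when the plug-in transport used SSL and the sender authenticated with a known plug-in certificate, and only then is its distinguished name mapped to a registry principal. All names, the sample registry and the exact-DN mapping are assumptions made for illustration.

```python
"""Added illustration: model of an application server deciding whether to
honour a client certificate forwarded by a Web server plug-in."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (hypothetical names, not taken from any product).
USER_REGISTRY = {"cn=alice,ou=staff,o=example": "alice"}
TRUSTED_PLUGIN_DNS = {"cn=plugin01,ou=web,o=example"}


@dataclass
class Connection:
    """State of the plug-in -> application server transport."""
    tls: bool                    # was SSL used on the plug-in transport?
    peer_cert_dn: Optional[str]  # DN the sender authenticated with, if any


def normalize_dn(dn: str) -> str:
    """Simplified DN normalisation: trim each RDN and lower-case it.
    Assumption: no escaped commas or multi-valued RDNs in the input."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def sender_is_trusted(conn: Connection) -> bool:
    """A forwarded certificate is only as trustworthy as its sender: require
    SSL client authentication by a known plug-in certificate."""
    if not conn.tls or conn.peer_cert_dn is None:
        return False
    return normalize_dn(conn.peer_cert_dn) in TRUSTED_PLUGIN_DNS


def authenticate(conn: Connection, forwarded_dn: Optional[str]) -> Optional[str]:
    """Return the registry principal for the forwarded certificate, or None
    when the sender is untrusted or the DN maps to no principal."""
    if forwarded_dn is None or not sender_is_trusted(conn):
        return None
    return USER_REGISTRY.get(normalize_dn(forwarded_dn))
```

Without the `sender_is_trusted` check, the forwarded distinguished name would be accepted from any host able to reach the application server's transport, which is the untrusted-source case the note warns about.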