Authentication with a client certificate
Use the -K option to enable WebSEAL to authenticate to the junctioned back-end server using its client certificate.
-K "key_label"
The conditions for this scenario include:
- The back-end server is set up to require verification of WebSEAL's identity with a client certificate.
- Use the LMI to create, label, and store a special key used solely as WebSEAL's client certificate when authenticating to a junctioned back-end server.
- For greater security, additionally configure the junction for DN matching (-D).
The -K option takes an argument that specifies the key-label of the required certificate as stored in the GSKit key database. Use the LMI to add new certificates to the key database. Surround the key-label argument with quotation marks. For example:
-K "cert1_Tiv"
If the key is located on cryptographic hardware, specify the WebSEAL token device with the key label.
-K "token_name:key-label"
For example:
-K "websealtoken:junctionkey"
See Configuration of the WebSEAL key database file.