Certificate authentication across junctions
At installation, WebSEAL is configured with a test certificate that is not marked as the keyfile default. The test certificate is designated as the active server-side certificate by the webseal-cert-keyfile-label stanza entry in the [ssl] stanza of the WebSEAL configuration file; this is the certificate WebSEAL presents to browsers, and it is independent of what WebSEAL presents to junctioned servers.
If a junctioned back-end application server requires WebSEAL to identify itself with a client-side certificate, we must first create (or import), install, and label this certificate using the Local Management Interface (LMI). Then configure the junction with the -K key-label option so that WebSEAL presents exactly that certificate to that back-end server. See Mutually authenticated SSL junctions.
If the junction is not configured with -K, GSKit answers a request for mutual authentication by automatically sending whichever certificate is marked "default" in the keyfile database. WebSEAL can therefore present a certificate, possibly one never intended for that back-end server, without any junction-level configuration asking for it. If this is not the required response, we must ensure there are no certificates marked as "default" (shown with an asterisk in a certificate listing) in the keyfile database (pdsrv.kdb, or the junction keyfile, if a separate junction keyfile is configured). In summary:
- Identify all required certificates by label name.
- Do not mark any certificate in the keyfile database as "default".
- Control the WebSEAL server-side certificate response with the webseal-cert-keyfile-label stanza entry.
- Control the WebSEAL client-side certificate response through the -K junction option.
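The "no certificate marked default" rule above is easy to state and easy to regress when an administrator imports a certificate into pdsrv.kdb or the junction keyfile. The following POSIX shell script is an added example (not IBM's code and not part of the original page) that audits a GSKit certificate listing for the asterisk flag. It assumes that the listing has the shape shown in the constructed sample (a header line, a legend line, then one line per certificate as flags, whitespace, label), and that `gsk8capicmd_64` is on PATH if `audit_keyfile()` is run against a real key database; the certificate labels and the file names are illustrative.

```shell
#!/bin/sh
# Added example, not IBM's code: audit a GSKit key database listing for
# certificates flagged "default" (leading '*'). The text above says no such
# certificate may exist when junctions are meant to rely on -K.
# Assumptions:
#   - the listing shape below (header, legend, then "<flags><ws><label>")
#     matches the GSKit version in use;
#   - gsk8capicmd_64 is on PATH and a stash file sits beside the .kdb when
#     audit_keyfile() is used against a real database.

# Constructed sample listing in the shape of:
#   gsk8capicmd_64 -cert -list -db pdsrv.kdb -stashed
# Here one personal certificate (webseal-client-cert) is wrongly marked
# default, so GSKit would send it to any junction that lacks -K.
SAMPLE_LISTING=$(printf 'Certificates found\n* default, - personal, ! trusted, # secret key\n-\tWebSEAL-Test-Only\n*-\twebseal-client-cert\n!\tExample Root CA\n')

# Same database after the default flag has been cleared.
CLEAN_LISTING=$(printf 'Certificates found\n* default, - personal, ! trusted, # secret key\n-\tWebSEAL-Test-Only\n-\twebseal-client-cert\n!\tExample Root CA\n')

# Reads a listing on stdin and prints the label of every certificate flagged
# default. The first two lines (header and legend) are skipped so that the
# legend's own leading '*' is not counted as a certificate.
default_labels() {
    awk 'NR > 2 && /^\*/ { sub(/^[*!#-]+[ \t]+/, ""); print }'
}

# $1: listing text. Returns 0 when nothing is flagged default, 1 otherwise
# (and names the offending labels on stderr).
check_no_default() {
    offenders=$(printf '%s\n' "$1" | default_labels)
    if [ -n "$offenders" ]; then
        printf 'certificate(s) marked default: %s\n' "$offenders" >&2
        return 1
    fi
    return 0
}

# $1: path to a key database, e.g. pdsrv.kdb or the separate junction keyfile.
# Runs the real listing command (assumed syntax) and applies the check.
audit_keyfile() {
    check_no_default "$(gsk8capicmd_64 -cert -list -db "$1" -stashed)"
}

# Demonstration on the constructed samples; neither branch aborts the script.
check_no_default "$SAMPLE_LISTING" || echo "sample keyfile fails the check, as expected"
check_no_default "$CLEAN_LISTING" && echo "cleaned keyfile passes"
```

Run `audit_keyfile pdsrv.kdb` (and the junction keyfile, if one is configured) after every certificate import and before relying on -K; a non-zero exit means GSKit would still volunteer the listed certificate on any junction created without -K. The junction itself is created with the key label rather than a default flag, in the form `server task <instance> create -t ssl -h <backend-host> -K "<label>" /<junction>` from pdadmin, where the instance, host, label and junction names are placeholders.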