Client-side and server-side certificate concepts
This section describes the administration and configuration tasks required to set up WebSEAL to handle client-side and server-side digital certificates used for authentication over SSL. WebSEAL requires certificates for the following situations:
- WebSEAL identifies itself to SSL clients with its server-side certificate
- WebSEAL identifies itself to a junctioned back-end server (configured for mutual authentication) with a client-side certificate
- WebSEAL refers to its database of Certificate Authority (CA) root certificates to validate clients that authenticate with client-side certificates
- WebSEAL refers to the same database of CA root certificates to validate the server-side certificates of junctioned back-end servers
WebSEAL uses the IBM Global Security Kit (GSKit) implementation of SSL to configure and administer digital certificates. On the appliance, the Local Management Interface (LMI) is used to set up and manage the certificate key database. This database holds one or more WebSEAL server and client certificates together with the CA root certificates that WebSEAL trusts. To support SSL authentication with digital certificates, WebSEAL includes the following components at installation:
- A default key database (pdsrv.kdb)
- A default key database stash file (pdsrv.sth) and password ("pdsrv")
- Several common CA root certificates
- A self-signed test certificate that WebSEAL can use to identify itself to SSL clients
The test certificate is self-signed, so SSL clients cannot validate it against any CA root, and the default key database password is publicly documented. Before using WebSEAL in a production environment, obtain a certificate from a Certificate Authority that your clients recognize and use it in place of the test certificate, and change the key database password from its default.
Parent topic: Key management
Related concepts
- Key management overview
- Key management in the Local Management Interface
- Configuration of the WebSEAL key database file
- Certificate revocation in WebSEAL
- CRL distribution points
- Configuration of the CRL cache
- Use of the WebSEAL test certificate for SSL connections