Mutually authenticated SSL junctions process summary
WebSEAL supports mutual authentication between a WebSEAL server and a back-end server over an SSL junction (-t ssl or -t sslproxy or -t mutual).
The following outline summarizes the supported functionality for mutual authentication over SSL:
- WebSEAL authenticates the back-end server (normal SSL process):
  - WebSEAL validates the server certificate from the back-end server.
  - WebSEAL verifies the distinguished name (DN) contained in the certificate (-D) (optional, but provides a higher level of security).
- Back-end server authenticates WebSEAL (two methods):
  - Back-end server validates the client certificate from WebSEAL (-K).
  - Back-end server validates WebSEAL identity information in a Basic Authentication (BA) header (-B, -U, -W).
The command options that control mutual authentication over SSL provide the following features:
- We can specify either the client certificate or the BA authentication method.
- We can apply authentication methods on a per-junction basis.
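The two junction definitions below are an added illustration of how the options listed above fit together on the pdadmin command line; they are not taken from the product documentation. The WebSEAL instance name (default-webseald-webseal1), the back-end host (app.example.com), the key label (webseal-client-cert), the DN, the service account name and the junction points are all placeholders; the password is left as an obvious placeholder to be replaced.

```pdadmin
# Method 1: back-end server authenticates WebSEAL with a client certificate.
# -t ssl   : SSL junction, so WebSEAL validates the back-end server certificate.
# -D       : additionally require the back-end certificate DN to match exactly (placeholder DN).
# -K       : label of the client certificate in the WebSEAL key database that is
#            presented to the back-end server (placeholder label).
pdadmin sec_master> server task default-webseald-webseal1 create -t ssl -h app.example.com -p 443 -D "CN=app.example.com,O=Example,C=US" -K webseal-client-cert /app-cert

# Method 2: back-end server authenticates WebSEAL with a BA header.
# -B       : send WebSEAL's own identity in a Basic Authentication header.
# -U / -W  : the service account name and password the back-end server expects (placeholders).
pdadmin sec_master> server task default-webseald-webseal1 create -t ssl -h app.example.com -p 443 -D "CN=app.example.com,O=Example,C=US" -B -U webseal_svc -W "REPLACE-WITH-SERVICE-PASSWORD" /app-ba
```

In both cases the server-side check (-D) is independent of the method chosen for the client side (-K or -B), so it can be kept on every mutual junction. With -B, the BA header carries WebSEAL's identity rather than the end user's, which is why the -b options for forwarding client identity need the separate treatment described below.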
Special considerations for combining the -b options (for handling BA information) with mutual authentication over SSL are described in Client identity information across junctions.
Mutual authentication over SSL virtual host junctions is also supported.