Configure WebSEAL to use the certificate mapping module
Steps
- Check the accept-client-certs entry within the [certificate] stanza. The value of this entry should be required, optional, or prompt_as_needed. This determines if and when a user is prompted to provide a client certificate by the browser.
For more details about the different values for this entry, see Client-side certificate authentication modes.
- Save the configuration file.
- Restart WebSEAL to implement the updates.
- Constructing the XSLT rules file
We can use the mapping module to define flexible rules that map certificate attributes to a user identity. The user identity can be an ISAM user ID (for example, testuser) or the user DN as found in the registry (for example, cn=testuser,o=ibm,c=au).
- Validating a successful module mapping
To confirm a successful module mapping for users, ensure that an ISAM policy is set for a protected resource to refuse unauthenticated users and allow authenticated ones.
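
The check in the first step can be scripted before WebSEAL is restarted. The following is an added example, not IBM code: it assumes the configuration file uses `[stanza]` headers, `key = value` entries and `#` comments, and the function names and sample text are constructed for illustration.

```python
import re

# Values the step above lists for accept-client-certs.
ALLOWED = {"required", "optional", "prompt_as_needed"}

def read_stanza_entries(conf_text, stanza, key):
    """Return every value assigned to `key` inside `[stanza]`, in file order."""
    values, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blanks and commented-out entries
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:                             # entering a new stanza
            current = header.group(1).strip()
            continue
        if current == stanza and "=" in line:
            name, _, value = line.partition("=")
            if name.strip() == key:
                values.append(value.strip())
    return values

def check_accept_client_certs(conf_text):
    """Return (ok, message) for the [certificate] accept-client-certs entry."""
    values = read_stanza_entries(conf_text, "certificate", "accept-client-certs")
    if not values:
        return False, "accept-client-certs is not set in [certificate]"
    if len(values) > 1:
        # This example treats duplicate entries as ambiguous and flags them.
        return False, f"accept-client-certs is set {len(values)} times: {values}"
    if values[0] not in ALLOWED:
        return False, f"accept-client-certs = {values[0]} is not one of {sorted(ALLOWED)}"
    return True, f"accept-client-certs = {values[0]}"

# Constructed sample configuration text (not taken from a real deployment).
SAMPLE_CONF = """\
[ssl]
# An entry with the same name in another stanza must be ignored.
accept-client-certs = required

[certificate]
# accept-client-certs = optional
accept-client-certs = never
"""

if __name__ == "__main__":
    print(check_accept_client_certs(SAMPLE_CONF))
```

The sample is reported as failing because the only active entry in `[certificate]` is not one of the three listed values; the commented-out line and the entry under `[ssl]` do not count.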