Configure EAI certificate authentication
To configure the external authentication mechanism complete the following steps.
Steps
- Verify that certificate authentication is enabled. See Enable certificate authentication.
- In the [certificate] stanza, specify the URI which is invoked to perform the authentication as the value for the eai-uri stanza entry. This URI must be relative to the root web space of the WebSEAL server. See the web reverse proxy Stanza Reference in the IBM Knowledge Center.
- In the [certificate] stanza, specify the client certificate data elements passed to the EAI application, as the value for the eai-data stanza entry. This must be of the form eai-data = data: header_name. Multiple pieces of client certificate data can be passed to the EAI application by including multiple eai-data configuration entries. For details, see the web reverse proxy Stanza Reference in the IBM Knowledge Center.
What to do next
For information on the EAI protocol, see the following sections:
- HTTP header names for authentication data
- Extracting authentication data from special HTTP headers
- How to generate the credential
- How to write an external authentication application When using an external application to authenticate the client certificate, multi-step authentications are not allowed, and the external authentication application does not need to be available to unauthenticated users.
- External authentication interface HTTP header reference
- Post-authentication redirection with external authentication interface
- Session handling with external authentication interface
- Authentication strength level with external authentication interface
- Reauthentication with external authentication interface
- Set a client-specific session cache entry lifetime value
- Set a client-specific session cache entry inactivity timeout value
Parent topic: EAI certificate authentication