Enable and configuring the Certificate SSL ID cache

This configuration step applies only when delayed certificate authentication has been enabled.

To configure the cache, complete the following steps:

Steps

  1. Verify that certificate authentication is enabled.

    See Enable certificate authentication.

  2. Specify the maximum number of entries allowed in the cache. Edit the WebSEAL configuration file. In the [certificate] stanza, assign a value to cert-cache-max-entries. For example:
    [certificate]
    cert-cache-max-entries = 1024

    The value corresponds to the maximum number of concurrent certificate authentications. Default is one quarter of the default number of entries in the SSL ID cache. (Most SSL sessions do not require certificate logins or require certificate authentication only once for the session). The number of entries in the SSL ID cache is set in the [ssl] stanza. For example:

    Therefore, the default value for cert-cache-max-entries is 1024, which is one quarter of the default value for ssl-max-entries, which is 4096. Most user requests to WebSEAL occur over SSL connections, and all requests over SSL connections without certificates must check the cache. Keeping the cache size smaller can significantly improve performance.

Parent topic: Client-side certificate authentication