652 IBM WebSphere Host Publisher Version 3.5
The SSL timeout directives can be used to cache the SSL session IDs. Caching
SSL session IDs reduces the expense of repeating SSL handshaking.
WebSphere Application Server (WAS) configuration
For our sample scenario, basic configuration will be used; for further information
about security with the IBM WebSphere Application Server, see the WAS online
documentation provided with the product.
Be sure that IBM WebSphere Application Server and its administration console
are up and running.
On the administration console, click default_host, select the Advanced panel on
the right, scroll down to the Aliases section and add an alias such as <server>:443,
where <server> is the server name contained in the Web server's certificate.
20.4 SSL client authentication
Client authentication is an option supported by SSL Version 3.0. It is not
commonly used unless there is a particular reason for it. It verifies the
client (browser) certificate before allowing the client to connect to the server. A
client certificate is a binary file that holds information about its owner in X.509
certificate format.
The need for client authentication and the level of identification depend greatly
on the needs of Web site owners. For example, the owner of a Web site that
needs to be very certain about the identity of the individuals who have access to
the Web page might choose to run his/her own CA software and issue the
certificates according to his/her own policies. A financial institution would probably
require application in person and a handwritten signature before it issues a
certificate to the customer.
Note: The httpd.conf.sample.ssl file that ships with the SSL module of the IBM
HTTP Server contains a wealth of information in the form of comments that
further explain how to set up SSL, including client authentication.
Chapter 20. Securing sessions 653
Figure 20-17 Client authentication can be optionally used when using SSL Version 3.0
SSL client authentication should only be used if specifically required for special
cases (that is, when enabling the Express Logon Feature).
IBM HTTP Server has three levels of SSL client authentication:
• Required: If used, the IBM HTTP Server will limit access to users with valid
certificates that are signed by a trusted CA.
• Optional: The optional value causes the IBM HTTP Server to ask for the client
certificate, but it is not necessarily required. The level of access will depend
on whether the client has a certificate.
• None: No client certificate is needed to access the server (default).
Note: The Web server accepts the client certificate only if it is signed by a CA
whose root key is marked as a trusted root in the server's key database. The
CA's root key is marked trusted when the certificate is listed under the signer
certificates.
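The three levels above as they are set in an IBM HTTP Server httpd.conf virtual host, shown together with the key database and the SSL timeout directives that cache session IDs. This fragment is an added example, not configuration from the book; the host name, key file path and timeout values are assumptions, and the directive names are those of the IBM HTTP Server SSL module rather than anything quoted on this page.

```apache
# Added example (not from the book): IBM HTTP Server virtual host on port 443
# with SSL client authentication. Host name, key file path and timeouts are assumed.
Listen 443
<VirtualHost *:443>
    # Must match the server name contained in the Web server's certificate
    ServerName www.example.com
    # Turn on the SSL module for this virtual host
    SSLEnable
    # Key database holding the server certificate. A client certificate is
    # accepted only if its CA's root certificate is listed in this key
    # database under the signer certificates (marked as a trusted root).
    Keyfile /opt/IBMHTTPD/ssl/keyfile.kdb
    # Client authentication level: none (default), optional, or required.
    # "required" refuses clients that do not present a valid certificate
    # signed by a trusted CA; "optional" asks for a certificate but lets
    # the handshake continue without one; "none" never asks.
    SSLClientAuth required
    # Session ID cache lifetimes in seconds: a returning client within this
    # window resumes its SSL session instead of repeating the full handshake
    SSLV3Timeout 1000
    SSLV2Timeout 100
</VirtualHost>
```

Leave SSLClientAuth at none unless a feature such as the Express Logon Feature needs the client certificate; switching to optional lets the application decide access per request, while required turns the trusted-root check into a hard gate at connection time.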
[Figure 20-17 labels: Certificate Authority (digital passport, verifies certificates). Server Authentication: the client authenticates the server identity. Client Authentication: the server authenticates the client identity. Identity verified by contacting the certificate authority. Web Browser certificate: Owner Amir, Issued by Verisign; Web Server certificate: Owner IBM Server, IBM Corp., Issued by Verisign; Web Server and Web Browser connected over the Internet, client identity authenticated and server identity authenticated.]