148 Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0
Supporting not case-sensitive URLs
Junctioning to the Windows file systems
4.8.1 Mutually authenticated SSL junctions
If necessary, WebSEAL can authenticate itself to a junctioned server using either
server certificates or BA authentication. When using an SSL communication
channel for this junction (–t ssl or –t sslproxy), WebSEAL and the junctioned
server can also mutually authenticate each other. This is very important in order
to establish the trust relationships between WebSEAL and back-end Web
The following outline summarizes the supported functionality for mutual
authentication over SSL:
1. WebSEAL authenticates the back-end server (normal SSL process).
a. WebSEAL validates the server certificate from the back-end server.
In order to do this, WebSEAL needs to have information about the
certificate from the back-end server. WebSEAL stores all certificates into
the pdsvr.kdb database. GSKit tool can be used to manage those
certificates. Use this tool to import the Certificate Authority (CA)
certificates that form the trust chain for the application server certificate.
b. WebSEAL verifies the distinguished name (DN) contained in the
certificate. (This step is optional.)
You can enhance server-side certificate verification through distinguished
name (DN) matching. To enable server DN matching, you must specify the
back-end server DN when you create the SSL junction to that server.
Although DN matching is an optional configuration, it provides a higher
degree of security with mutual authentication over SSL junctions.
During server-side certificate verification, the DN contained in the
certificate is compared with the DN defined by the junction. The
connection to the back-end server fails if the two DNs do not match.
To enable the server DN matching, specify the back-end server DN when
you create the SSL junction using the –D option.
2. Back-end server authenticates WebSEAL (two methods).
a. Back-end server validates client certificate from WebSEAL (–K).
Use the –K option to enable WebSEAL to authenticate to the junctioned
back-end server using its client certificate. The –K option uses an