Configuring SSL client authentication (optional)

To complete this task, you use ikeyman to create a self-signed client certificate and extract it as a signer certificate. You then use ikeyman to import that signer certificate into the server keyring.

ikeyman is installed in:

SSL client authentication is an option that provides extra security by letting the Gateway daemon verify the identity of each connecting client application and accept only those whose certificates it trusts. This builds on the security provided by SSL server authentication.

If the SSL handler used by the CICS Transaction Gateway is configured to support server but not client authentication, you do not need to create a client certificate as described here, because the client keyring then requires only the signer certificate of the server, which you have already imported.

Create a client certificate

For client authentication to occur, the client keyring must contain a personal certificate, self-signed in this example, that identifies the connecting client to the server. The private key of that certificate never leaves the client keyring; only the certificate itself is later copied to the server.

  1. Start ikeyman.
  2. On the certificates menu, click Personal Certificates.
  3. Click Create > New Self-Signed Certificate.
  4. In the Create New Self-Signed Certificate window, complete the following steps:
    1. In the Key label field, type exampleclientcert.
    2. On the Version menu, select X509 V3.
    3. On the Key size menu, select 1024.

      Note that 1024-bit RSA keys are considered too weak by current standards; if the menu offers a larger size, such as 2048, choose it.

      The Common name defaults to the name of the machine you are using, and the Validity period defaults to 365 days.

  5. Click OK.

    ikeyman now generates a public/private key pair, and an entry for the exampleclientcert certificate you have just created appears in the Personal Certificates window.

Export the client signer certificate

  1. In the certificate list, select exampleclientcert and click Extract Certificate.
  2. On the Data type menu, select Base64-encoded ASCII.
  3. In the Certificate file name field, type the name of the text file that will hold the extracted certificate: exampleclientcert.arm.
  4. Click OK.

The extracted file is a signer certificate generated from the personal certificate in the keyring; it contains the public key and the identity only, not the private key. Import it into the keyring of every server that needs to communicate with this SSL client. With it, the server can verify the identity of the client.

Import the client signer certificate

  1. On the ikeyman main menu click Key Database File > Open.
  2. Select MyServer.jks.
  3. In the Signer Certificates view, select Add.
  4. Locate the Base64-encoded ASCII certificate file exampleclientcert.arm that you extracted from the client keyring.
  5. Click OK.
  6. Give this signer certificate a unique label, for example my self-signed client certificate.
  7. Select OK.

The new signer certificate is added to the list in the Signer Certificates view, and the server can now use it to verify the identity of the client application. Because the client certificate is self-signed, the server trusts exactly that certificate: a client presenting a different certificate, even one with the same common name, is rejected unless its signer certificate has also been imported.
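The procedure above, as an added example carried out with openssl on the command line rather than with ikeyman; this is not code from the page or from CICS Transaction Gateway. It assumes openssl is on the PATH and uses stand-in file names (client.key, exampleclientcert.arm, server-signers.arm, rogue.arm) in a temporary directory; a PEM bundle stands in for the server keyring MyServer.jks. It checks the three points that matter: the extracted .arm file carries no private key, the server verifies the imported client, and a second self-signed client with the same common name but its own key is rejected.

```shell
#!/bin/sh
# Added example, not from the page: the ikeyman steps carried out with openssl
# so that each security-relevant property can be checked on the command line.
# Assumptions: openssl is on PATH; client.key, exampleclientcert.arm,
# server-signers.arm and rogue.arm are stand-ins for the ikeyman keyrings
# (MyServer.jks is a Java keystore; a PEM certificate made here would be
# imported into it with ikeyman as in the steps above, or with keytool).
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CLIENT_ARM="$WORKDIR/exampleclientcert.arm"
SIGNERS="$WORKDIR/server-signers.arm"

# "Create > New Self-Signed Certificate": key pair plus X.509 v3 self-signed
# certificate with the 365-day validity ikeyman uses by default. 2048-bit RSA
# is used instead of the page's 1024 because 1024-bit RSA is no longer adequate.
create_client_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=exampleclientcert" \
        -keyout "$WORKDIR/client.key" -out "$CLIENT_ARM" >/dev/null 2>&1
}

# "Extract Certificate" in Base64-encoded ASCII is PEM. The file must carry the
# public certificate only; the private key stays behind in client.key.
arm_has_no_private_key() {
    grep -q "BEGIN CERTIFICATE" "$CLIENT_ARM" &&
        ! grep -q "PRIVATE KEY" "$CLIENT_ARM"
}

# Key size recorded in the certificate, printed as e.g. "2048 bit".
client_key_bits() {
    openssl x509 -in "$CLIENT_ARM" -noout -text | grep -o '[0-9]* bit' | head -n 1
}

# "Signer Certificates > Add" on the server keyring. Here the server's signer
# list is a PEM bundle; the label ikeyman asks for is only a keyring index and
# plays no part in verification.
import_client_signer() {
    cat "$CLIENT_ARM" >> "$SIGNERS"
}

# What the server does at handshake time: build a chain for the presented
# certificate from its signer list. Returns 0 only if the chain verifies.
server_accepts() {
    openssl verify -CAfile "$SIGNERS" "$1" >/dev/null 2>&1
}

# A second self-signed client with the same common name but its own key pair.
create_rogue_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=exampleclientcert" \
        -keyout "$WORKDIR/rogue.key" -out "$WORKDIR/rogue.arm" >/dev/null 2>&1
}

# Whole procedure: the imported client is accepted and the rogue client is
# rejected, because a self-signed signer certificate trusts exactly one key.
run_demo() {
    create_client_cert || return 1
    arm_has_no_private_key || return 1
    import_client_signer
    create_rogue_cert || return 1
    server_accepts "$CLIENT_ARM" || return 1
    if server_accepts "$WORKDIR/rogue.arm"; then return 1; fi
    echo "imported client accepted; unrelated self-signed client rejected"
}

run_demo
```

Every function returns 0 on success and 1 otherwise, so the steps can be chained or run individually. The same checks apply to a certificate extracted with ikeyman: open the .arm file and confirm it holds a BEGIN CERTIFICATE block and nothing else before importing it into a server keyring.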


Last updated: Tuesday, 19 November 2013


https://ut-ilnx-r4.hursley.ibm.com/tg_latest/help/topic/com.ibm.cics.tg.doc//ctgunx/sc06_conf_client.html