Configuring client authentication with iKeyman

You configure client authentication by creating a client certificate and exporting the client's signer certificate.

Creating a client certificate

If the SSL handler used by CICS Transaction Gateway is configured to support server authentication only, you do not have to create a client certificate as described here, because the client key ring needs to contain only the signer certificate of the server, which you have just imported. You can use the generated MyClient key ring.jks file with the CICS Transaction Gateway SSL protocol that is configured to support server authentication.

Client authentication requires the client key ring to also contain a self-signed certificate that identifies the connecting client.

  1. In iKeyman, select Personal Certificates from the pull-down menu below the Key database content label.
  2. Select New Self-Signed...
  3. Complete the certificate request. Some fields are optional, but you must fill in at least the following (examples are shown):
     Key Label
         exampleClientCert
     Version
         Select X509 V3
     Key Size
         Select 1024
     Common Name
         This defaults to the name of the machine you are using
     Organization
         The name of your organization
     Country
         Select a two-character ID from the list
     Validity Period
         The default is 365 days
  4. Select OK.

iKeyman generates a public/private key pair.

The self-signed client certificate appears in the Personal Certificates window. The certificate has the name you typed in the Key Label field, in this example exampleClientCert.

Exporting the client's signer certificate

  1. With exampleClientCert highlighted, select Extract Certificate...
  2. In the Data type pull-down, select Base64-encoded ASCII.
  3. Type the name and location of the text file that is to contain the extracted client certificate data. Our example uses exampleClientcert.arm.
  4. Select OK.

Store the exported certificate in a safe place. It must be imported into any server repository that needs to communicate with this SSL client.
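
A check you can run on the extracted file before handing it to a server administrator, given here as an added example that is not part of the original documentation. It confirms that the Base64-encoded ASCII file holds exactly one certificate and no private key, and returns a SHA-256 fingerprint to compare after the import on the server. It assumes the extract uses standard BEGIN/END CERTIFICATE armour; the function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import re
import sys

# Matches any PEM block and captures its label and Base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def der_is_complete_sequence(der):
    """True if der is one ASN.1 SEQUENCE whose declared length fills the buffer."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short-form length
        header, length = 2, der[1]
    else:                                  # long-form length
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)

def inspect_extracted_cert(text):
    """Return the SHA-256 fingerprint of the single certificate in text, or raise ValueError."""
    blocks = PEM_BLOCK.findall(text)
    labels = [label for label, _ in blocks]
    if any("PRIVATE KEY" in label for label in labels):
        raise ValueError("file contains a private key; do not distribute it")
    if labels != ["CERTIFICATE"]:
        raise ValueError("expected exactly one CERTIFICATE block, got %r" % labels)
    der = base64.b64decode("".join(blocks[0][1].split()), validate=True)
    if not der_is_complete_sequence(der):
        raise ValueError("certificate body is truncated or not DER")
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def to_pem(der, label="CERTIFICATE"):
    """Wrap DER bytes in PEM armour (used here only to build the sample)."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (label, body, label)

# Constructed stand-in, NOT a real certificate: SEQUENCE { INTEGER 0 }.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x00])

if __name__ == "__main__":
    # Pass the extracted file (for example exampleClientcert.arm) as the argument.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else to_pem(SAMPLE_DER)
    print(inspect_extracted_cert(text))
```

Run it with the path of the extracted file as the only argument; with no argument it runs against the constructed sample.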


Last updated: Tuesday, 19 November 2013


https://ut-ilnx-r4.hursley.ibm.com/tg_latest/help/topic/com.ibm.cics.tg.doc//ctgunx/sslcli_jsse_ss.html