By following these steps, your enterprise application will prompt
the user for proof of identity with a certificate.
Before you begin
To enable client-side certificate-based authentication, you must change
the authentication method that is defined for the Java 2 Platform, Enterprise
Edition (J2EE) Web module that you want to protect. The Web module might already
be configured to use the basic challenge authentication method; in that case,
change the challenge type to client certificate. Either way, the setting is
recorded in the login-config element of the module's WEB-INF/web.xml deployment
descriptor. This function is provided to the WebSphere Application Server
administrator through the assembly tools; developers can use the Rational
Web Developer environment to achieve the same result.
Procedure
- Launch the assembly tools. You can do this either before the enterprise
application archive (.ear file) is deployed into WebSphere Application
Server or after deployment into the product. The latter option is discouraged
in a production environment because it involves opening the expanded archive
that corresponds to the enterprise application archive, found in the installedApps directory.
- Locate and expand the Web module package under the application for which you
want to enable the client-side certificate authentication method.
- Select the appropriate Web application and switch to the Advanced tab.
Change the authentication method to client certificate. The realm name is
the scope of the login operation and must be the same for all participating resources.
- Click OK, and save the changes you made with the assembly tools.
- If the modification was made to a resource that is already deployed in
WebSphere Application Server, stop and restart the application server that
contains the resource, so that the security modification takes effect in the runtime.
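The steps above amount to one change in the Web module's deployment descriptor. The following script makes that change directly on the WEB-INF/web.xml text, which is what the assembly tools write for you. It is an added example, not IBM's code and not part of the assembly tools or Rational Web Developer; the descriptor it edits is a constructed sample, and the script additionally assumes you want every protected URL pattern's transport-guarantee raised to CONFIDENTIAL, so that the container redirects plain-HTTP requests to the SSL transport, the only place a browser can present a certificate.

```python
"""Switch a J2EE Web module from the BASIC challenge to CLIENT-CERT.

Added example, not IBM's code and not part of the assembly tools: it edits
the WEB-INF/web.xml deployment descriptor text that the assembly tools write
for you. Element names (login-config, auth-method, realm-name,
transport-guarantee) are the standard Servlet 2.x ones; the descriptor
below is a constructed sample, not a real module.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a Web module still using the basic challenge, and a
# protected URL pattern that is reachable over plain HTTP.
SAMPLE_WEB_XML = """<web-app id="WebApp_ID">
  <display-name>SecureApp</display-name>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>AllAuthenticated</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>SecureApp Realm</realm-name>
  </login-config>
  <security-role>
    <role-name>AllAuthenticated</role-name>
  </security-role>
</web-app>
"""


def _ns(root):
    """'{uri}' prefix of the descriptor's namespace (J2EE 1.4 style), or ''."""
    return root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""


def enable_client_cert(web_xml, realm=None, require_ssl=True):
    """Return web_xml with auth-method set to CLIENT-CERT.

    - Creates login-config if the module has none (inserted before the first
      security-role, where the web-app content model requires it).
    - Drops form-login-config, which only applies to the FORM method.
    - With require_ssl, sets every security-constraint's transport-guarantee
      to CONFIDENTIAL so the container redirects plain-HTTP requests to the
      SSL transport, the only place a client certificate can be presented.
    """
    root = ET.fromstring(web_xml)
    ns = _ns(root)
    if ns:
        ET.register_namespace("", ns[1:-1])  # keep the default namespace on output

    login = root.find(ns + "login-config")
    if login is None:
        login = ET.Element(ns + "login-config")
        children = list(root)
        idx = next((i for i, c in enumerate(children)
                    if c.tag == ns + "security-role"), len(children))
        root.insert(idx, login)

    auth = login.find(ns + "auth-method")
    if auth is None:
        auth = ET.Element(ns + "auth-method")
        login.insert(0, auth)  # auth-method precedes realm-name
    auth.text = "CLIENT-CERT"

    if realm is not None:
        rn = login.find(ns + "realm-name")
        if rn is None:
            rn = ET.SubElement(login, ns + "realm-name")
        rn.text = realm

    form = login.find(ns + "form-login-config")
    if form is not None:
        login.remove(form)

    if require_ssl:
        for sc in root.findall(ns + "security-constraint"):
            udc = sc.find(ns + "user-data-constraint")
            if udc is None:
                udc = ET.SubElement(sc, ns + "user-data-constraint")
            tg = udc.find(ns + "transport-guarantee")
            if tg is None:
                tg = ET.SubElement(udc, ns + "transport-guarantee")
            tg.text = "CONFIDENTIAL"

    return ET.tostring(root, encoding="unicode")


def login_config(web_xml):
    """(auth-method, realm-name) of a descriptor, or (None, None) if absent."""
    root = ET.fromstring(web_xml)
    ns = _ns(root)
    login = root.find(ns + "login-config")
    if login is None:
        return (None, None)
    return (login.findtext(ns + "auth-method"), login.findtext(ns + "realm-name"))


def transport_guarantees(web_xml):
    """transport-guarantee value of every security-constraint, in order."""
    root = ET.fromstring(web_xml)
    ns = _ns(root)
    return [sc.findtext(ns + "user-data-constraint/" + ns + "transport-guarantee")
            for sc in root.findall(ns + "security-constraint")]


if __name__ == "__main__":
    print(enable_client_cert(SAMPLE_WEB_XML, realm="SecureApp Realm"))
```

Run it against a module's web.xml before the .ear is deployed, as the procedure recommends; editing the expanded archive under installedApps afterwards still requires the restart described in the last step. Note that CLIENT-CERT in the descriptor only tells the Web container to authenticate from the presented certificate; the SSL transport must separately be configured to request one.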
Results
Now your enterprise application prompts the user for proof of identity
with a certificate.
The Web server must also be configured to request a client certificate;
the Web module setting alone makes the Web container expect a certificate
but does not make the SSL handshake ask the browser for one. If the Web server
is external, refer to its configuration documentation. If the Web server is the
Web container transport within WebSphere Application Server (for example, the
secure port 9043), verify that the client authentication flag is selected in the
Secure Sockets Layer (SSL) configuration that the transport references.
Also, add the signer certificate of the browser's personal certificate to the
application server trust store, the store that the referenced SSL configuration
uses to validate incoming client certificates. For a self-signed personal
certificate, the signer certificate is the self-signed certificate itself
(its public certificate, without the private key). For a certificate
authority-signed personal certificate, the signer certificate is the root
certificate of the certificate authority that signed the personal certificate,
together with any intermediate certificate authority certificates in the chain;
without the full chain, the server cannot validate the certificate the browser presents.