Reputation: 5687
I am trying to set up web client certificate-based authentication. Here is my scenario: I have WebSphere Application Server 6.1. I have Internet Explorer as the web client. I have imported a certificate into Internet Explorer via Options -> Content tab -> Certificates -> Import.
In WAS 6.1, I have marked SSL enabled and global security enabled. I have specified "Client authentication=supported" under "SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP) settings" in the WAS console.
In my web application, I have specified the following in web.xml:
        <user-data-constraint>
            <transport-guarantee>INTEGRAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    ...
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>your-0548c161e1Node01</realm-name>
    </login-config>
When I deployed the application and hit a protected resource URL, I was expecting that WAS would ask for a client certificate after presenting the server certificate; instead I get HTTP error code 403. I see the following error in the system out log: WebCollaborat A SECJ0056E: Authentication failed for reason
I am hitting the app URL like this: https://localhost:9443/app/a.do
My questions are: i) Does WAS 6.1 support client-auth? ii) If so, shouldn't WAS prompt for a client certificate in the above scenario? iii) Even if it didn't, shouldn't I see SSL handshake failures in the logs?
Upvotes: 0
Views: 2613
Reputation: 11344
Client authentication of "supported" implies it might still succeed.
If you want to mandate a certificate from the client you should be specifying "required".
WAS does support client authentication.
Here is a snip for your quick reference
HTH
Manglu
Upvotes: 1
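An added illustration, not part of the answer above and not WebSphere code: a generic Go model of optional versus mandatory TLS client authentication, showing where a missing client certificate surfaces in each mode. Assumptions: Go's `tls.VerifyClientCertIfGiven` and `tls.RequireAndVerifyClientCert` stand in for "supported" and "required", the handler's 403 stands in for a CLIENT-CERT login, and the name `Probe` and all certificates are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// Probe starts a throwaway HTTPS server in the given client-auth mode and sends one request.
// Assumptions: the 403 stands in for a certificate login; the client certificate is constructed.
func Probe(mode tls.ClientAuthType, clientHasCert bool) string {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // errors ignored: demo only
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo-user"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	trusted := x509.NewCertPool() // what the server accepts as client identities
	trusted.AddCert(leaf)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if len(r.TLS.PeerCertificates) == 0 { // handshake succeeded, but nobody to log in
			http.Error(w, "no client certificate", http.StatusForbidden)
		}
	}))
	srv.TLS = &tls.Config{ClientAuth: mode, ClientCAs: trusted}
	srv.StartTLS()
	defer srv.Close()
	client := srv.Client() // already trusts the test server's own certificate
	if clientHasCert {
		cliCert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
		client.Transport.(*http.Transport).TLSClientConfig.Certificates = []tls.Certificate{cliCert}
	}
	resp, err := client.Get(srv.URL)
	if err != nil { // the connection was rejected before any HTTP response existed
		return "no HTTP response: " + err.Error()
	}
	defer resp.Body.Close()
	return resp.Status
}

func main() {
	fmt.Println(Probe(tls.VerifyClientCertIfGiven, false), "|", Probe(tls.RequireAndVerifyClientCert, false))
}
```

In the optional mode a client without a certificate completes the handshake and is rejected by the application with an HTTP status; in the mandatory mode the same client gets no HTTP response at all, and the failure is recorded at the TLS layer.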