
Enabling Mutual Authentication over SSL

This section discusses setting up client-side authentication. When both server-side and
client-side authentication are enabled, it is called mutual, or two-way, authentication. In client
authentication, clients are required to submit certificates issued by a certificate authority
that the server is configured to accept.
There are at least two ways to enable mutual authentication over SSL:

The preferred method is to set the authentication method in the web.xml application
deployment descriptor to CLIENT-CERT. This enforces mutual authentication by modifying
the deployment descriptor of the given application. Enabled this way, client authentication
applies only to the resources covered by the security constraint, and the certificate is
requested and checked only when a client asks for one of those resources.

A less commonly used method is to set the clientAuth property in the certificate realm
to true, which makes the SSL stack require a valid certificate chain from the client before
it accepts a connection. The default value, false, does not require a certificate chain unless
the client requests a resource protected by a security constraint that uses CLIENT-CERT
authentication. With clientAuth set to true, client authentication is required for every
request arriving on that SSL port, whether or not the requested resource needs it. Because
clientAuth is either on for all traffic or off, every handshake on the port carries a client
certificate exchange and chain validation, which can severely degrade performance.

When client authentication is enabled in both of these ways, client authentication is
performed twice.
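Putting the preferred method into a file, as an added example that is not part of the tutorial: a small shell function writes a web.xml that applies CLIENT-CERT to one URL pattern and forces HTTPS for it, and a second function checks that the descriptor really asks for both. The /secure/* pattern, the certuser role and the output path are assumptions.

```shell
#!/bin/sh
# Added example (not from the Java EE Tutorial). URL pattern, role name and
# output path are assumptions; adjust them for your application.
set -eu

# Write a minimal Servlet 2.5 deployment descriptor that requires a client
# certificate only for /secure/* and leaves the rest of the application alone.
write_client_cert_web_xml() {
    out="$1"
    cat > "$out" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Client-cert protected area</web-resource-name>
            <url-pattern>/secure/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>certuser</role-name>
        </auth-constraint>
        <user-data-constraint>
            <!-- Force HTTPS, so the handshake that carries the client certificate happens -->
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <!-- CLIENT-CERT: the container authenticates by the certificate the
             SSL stack obtained from the client, for this constraint only -->
        <auth-method>CLIENT-CERT</auth-method>
    </login-config>
    <security-role>
        <role-name>certuser</role-name>
    </security-role>
</web-app>
EOF
}

# Sanity check after generation or hand editing: returns 0 when the descriptor
# names CLIENT-CERT as the auth method and demands a confidential transport,
# 1 otherwise. A CLIENT-CERT constraint without CONFIDENTIAL is a common slip.
descriptor_requires_client_cert() {
    grep -q '<auth-method>CLIENT-CERT</auth-method>' "$1" &&
    grep -q '<transport-guarantee>CONFIDENTIAL</transport-guarantee>' "$1"
}

# Usage: sh write-web-xml.sh --write WEB-INF/web.xml
if [ "${1:-}" = "--write" ]; then
    write_client_cert_web_xml "${2:-WEB-INF/web.xml}"
    descriptor_requires_client_cert "${2:-WEB-INF/web.xml}" && echo "CLIENT-CERT constraint written"
fi
```

Because the constraint names a URL pattern, the certificate is demanded only on requests that match it, which is the selectivity the tutorial describes; the clientAuth alternative is a server-side listener setting rather than anything in web.xml, which is why it applies to every request on the port. The certificate's subject DN still has to be mapped to the certuser role in the server-specific descriptor (in Sun Java System Application Server / GlassFish v2, a security-role-mapping in sun-web.xml) before a request is authorized.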
Creating a Client Certificate for Mutual Authentication
If your client certificate is signed by a trusted Certificate Authority (CA) such as Verisign, and the
Application Server's cacerts.jks file already contains that CA's certificate, the server can already
build a trust chain for it and you do not need to complete this step. You only need to install your
certificate in the Application Server certificate file (cacerts.jks) when the certificate is self-signed,
because then the certificate itself is the only thing the server can be told to trust.
From the directory where you want to create the client certificate, run keytool as outlined here.
When you press Enter, keytool prompts you for the server name, organizational unit,
organization, locality, state, and country code.

You must enter the server name in response to keytool's first prompt, which asks for first
and last names; that answer becomes the certificate's CN. For testing purposes, this can be
localhost. The host named in the keystore must match the host set in the javaee.server.host
variable in your tut-install/javaeetutorial5/examples/bp-project/build.properties file. If this
example is to verify mutual authentication and you get a runtime error stating that the HTTPS host
name is wrong, re-create the client certificate, being sure to use the same host name that you will
use when running the example. For example, if your machine name is duke, enter duke as
the certificate CN when prompted for first and last names.
When accessing the application,
Establishing a Secure Connection Using SSL
Chapter 28 · Introduction to Security in the Java EE Platform
793
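As an added example that is not part of the tutorial, the following shell script carries out the client certificate procedure above non-interactively: it reads javaee.server.host from build.properties, passes that value as the CN through keytool's -dname option so the "first and last name" prompt cannot be answered inconsistently, exports the self-signed certificate and imports it into the server's cacerts.jks, and finally reads the CN back from the keystore to confirm it matches the configured host. The alias client-alias, the password changeit, the file name client_keystore.jks, the /opt/SUNWappserver install path, the domain1 directory and the organizational parts of the DN are all assumptions.

```shell
#!/bin/sh
# Added example (not from the Java EE Tutorial). Alias, passwords, file names,
# the install path, the domain directory and the DN's O/OU/L/ST/C parts are
# assumptions; change them to match your installation.
set -eu

ALIAS=client-alias
STOREPASS=changeit                      # assumed; the tutorial keystores use this default
CLIENT_KEYSTORE=client_keystore.jks
# Assumed location of the Application Server trust store (domain1 is the default domain).
CACERTS=${AS_INSTALL:-/opt/SUNWappserver}/domains/domain1/config/cacerts.jks

# Read javaee.server.host from build.properties, tolerating spaces around "="
# and trailing whitespace, so the CN is taken from the same place the example
# takes its host name. Prints the host, or nothing if the key is absent.
server_host_from_build_properties() {
    sed -n 's/^[[:space:]]*javaee\.server\.host[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Generate the client key pair with the CN fixed on the command line instead of
# at the interactive prompt. -genkey is the name the JDK 5 keytool used; current
# JDKs still accept it as an alias of -genkeypair.
create_client_keystore() {
    host="$1"
    keytool -genkey -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$host, OU=Tutorial, O=Example, L=Santa Clara, ST=CA, C=US" \
        -keystore "$CLIENT_KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# The certificate is self-signed, so nothing in cacerts.jks vouches for it yet:
# export it from the client keystore and import it into the server trust store.
trust_client_cert_on_server() {
    keytool -export -alias "$ALIAS" -keystore "$CLIENT_KEYSTORE" \
        -storepass "$STOREPASS" -file "$ALIAS.cer"
    keytool -import -noprompt -trustcacerts -alias "$ALIAS" -file "$ALIAS.cer" \
        -keystore "$CACERTS" -storepass "$STOREPASS"
}

# Read the CN back out of the keystore ("Owner: CN=duke, OU=..." in -list -v output).
certificate_cn() {
    keytool -list -v -alias "$ALIAS" -keystore "$CLIENT_KEYSTORE" -storepass "$STOREPASS" \
        | sed -n 's/^Owner: CN=\([^,]*\).*/\1/p' | head -n 1
}

# A CN that differs from javaee.server.host is what produces the runtime error
# that the HTTPS host name is wrong; an empty CN never matches.
cn_matches_host() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Usage: sh make-client-cert.sh --run path/to/build.properties
if [ "${1:-}" = "--run" ]; then
    host=$(server_host_from_build_properties "${2:-build.properties}")
    [ -n "$host" ] || { echo "javaee.server.host not set in ${2:-build.properties}" >&2; exit 1; }
    create_client_keystore "$host"
    trust_client_cert_on_server
    if cn_matches_host "$(certificate_cn)" "$host"; then
        echo "client certificate CN matches $host"
    else
        echo "client certificate CN does not match $host; re-create it" >&2
        exit 1
    fi
fi
```

Run it from the directory that should hold client_keystore.jks, with the build.properties path as the second argument; the server must be restarted afterwards so that it re-reads cacerts.jks.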