Configuring certificate and smart card authentication

You can configure the IBM® Engineering Lifecycle Management applications to authenticate through a client certificate (.p12). Certificate authentication is more secure than BASIC and FORM-based authentication. Certificate authentication uses HTTP over SSL, in which authentication is done by using a public key certificate that is issued by a trusted organization known as a certificate authority.

While a certificate file and a smart card are different, conceptually they are both certificates that are used for authentication. For a smart card, the certificate that is used for authentication resides within the smart card.

Engineering Lifecycle Management can be deployed on IBM WebSphere Liberty and both of these application servers can be configured to authenticate through certificates.

We introduced Jazz Security Architecture SSO in 6.0, which is an authentication protocol based on the OpenID Connect standard. When configured with the Jazz Security Architecture, the Engineering Lifecycle Management applications delegate the authentication to a Jazz Authorization Server. Jazz Authorization Server is based on WebSphere® Liberty server and it can be configured to authenticate through certificates as well.

At a high level, the following are the components for configuring client certificate authentication:

  1. For the application server that is hosting Engineering Lifecycle Management applications:
    1. Configure the application server to accept client certificates.
    2. Configure certificates, the defaultKeyStore, and the defaultTrustStore.
    3. Configure the application server to map incoming certificates to users in the registry.
  2. Configure Engineering Lifecycle Management applications or Jazz Authorization Server to support certificate-based authentication.
  3. Configure application clients to authenticate through user certificates.
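
The server-side steps 1.1 to 1.3 above, sketched as a WebSphere Liberty server.xml fragment. This is an added example, not configuration shipped with Engineering Lifecycle Management or Jazz Authorization Server. The LDAP registry, host name, base DN, file names, environment variable names, and certificate filter are assumptions chosen for illustration.

```xml
<server description="constructed example: client certificate authentication on Liberty">

  <featureManager>
    <feature>transportSecurity-1.0</feature>
    <feature>appSecurity-2.0</feature>
    <feature>ldapRegistry-3.0</feature>
  </featureManager>

  <!-- Step 1.1: ask the client for a certificate during the TLS handshake.
       clientAuthenticationSupported="true" makes the certificate optional;
       clientAuthentication="true" rejects any handshake without one. -->
  <ssl id="defaultSSLConfig"
       keyStoreRef="defaultKeyStore"
       trustStoreRef="defaultTrustStore"
       clientAuthenticationSupported="true"/>

  <!-- Step 1.2: the key store holds the server's own certificate and key.
       The trust store should hold only the CAs that issue user certificates:
       any certificate that chains to a trusted CA passes the handshake.
       File names and variable names are assumptions. -->
  <keyStore id="defaultKeyStore" location="key.p12" type="PKCS12"
            password="${env.KEYSTORE_PASSWORD}"/>
  <keyStore id="defaultTrustStore" location="trust.p12" type="PKCS12"
            password="${env.TRUSTSTORE_PASSWORD}"/>

  <!-- Step 1.3: map the presented certificate to a registry user.
       CERTIFICATE_FILTER searches the registry with the filter below;
       EXACT_DN instead requires the subject DN to match an entry DN.
       Host, base DN and filter are placeholder values. -->
  <ldapRegistry id="ldap"
                host="ldap.example.com" port="636" sslEnabled="true"
                baseDN="dc=example,dc=com"
                ldapType="Custom"
                certificateMapMode="CERTIFICATE_FILTER"
                certificateFilter="uid=${SubjectCN}"/>

  <!-- Liberty's default, stated explicitly: a failed certificate login
       does not fall back to a user name and password prompt. -->
  <webAppSecurity allowFailOverToBasicAuth="false"/>

</server>
```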

Depending on what application server you plan to deploy, use the instructions from the following sections: