Scenario: Using certificates for internal authentication

In this scenario, you learn how to use certificates as an authentication mechanism to protect the resources on your internal servers and to restrict which resources and applications internal users can access.


You are the network administrator for a company (MyCo, Inc.) whose human resource department is concerned with such issues as legal matters and privacy of records. Company employees have requested that they be able to access their personal benefits and health care information online. The company has responded to this request by creating an internal Web site to provide this information to employees. You are responsible for administering this internal Web site, which runs on the IBM® HTTP Server for i (powered by Apache).

Because employees are located in two geographically separate offices and some employees travel frequently, you are concerned about keeping this information private as it travels across the Internet. Also, you traditionally authenticate users by means of a user name and password to limit access to company data. Because of the sensitive and private nature of this data, you realize that limiting access to it based on password authentication may not be sufficient. After all, people can share, forget, and even steal passwords.

After some research, you decide that using digital certificates can provide you with the security that you need. Using certificates allows you to use Transport Layer Security (TLS) to protect the transmission of the data. Additionally, you can use certificates instead of passwords to more securely authenticate users and limit the human resource information that they can access.

Therefore, you decide to set up a private local Certificate Authority (CA) and issue certificates to all employees and have the employees associate their certificates with their IBM i user profiles. This type of private certificate implementation allows you to more tightly control access to sensitive data, as well as control the privacy of the data by using TLS. Ultimately, by issuing certificates yourself, you have increased the probability that your data remains secure and is accessible only to specific individuals.

Scenario advantages

This scenario has the following advantages:

  • Using digital certificates to configure TLS access to your human resource Web server ensures that the information transmitted between the server and client is protected and private.
  • Using digital certificates for client authentication provides a more secure method of identifying authorized users.
  • Using private digital certificates to authenticate users to your applications and data is a practical choice under these or similar conditions:
    • You require a high degree of security, especially with regard to authenticating users.
    • You trust the individuals to whom you issue certificates.
    • Your users already have IBM i user profiles for controlling their access to applications and data.
    • You want to operate your own Certificate Authority (CA).
  • Using private certificates for client authentication allows you to more easily associate the certificate with the authorized user's IBM i user profile. This association of certificate with a user profile allows the HTTP Server to determine the certificate owner's user profile during authentication. The HTTP Server can then swap to it and run under that user profile or perform actions for that user based on information in the user profile.
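The association described in the last point is the authentication decision itself: a presented certificate is useful only if it comes from the company's own CA, is still valid, and has been associated with a user profile. The following Python model of that decision is an added example, not code from the page or from IBM's HTTP Server or DCM; the CA name, the association table (a dict standing in for DCM's own certificate/user-profile association) and the sample certificates are constructed for illustration. The certificate dicts follow the shape that Python's `ssl.SSLSocket.getpeercert()` returns, so the same check could be applied to a real client certificate.

```python
"""Certificate-to-user-profile authentication check (added example).

Models the decision the HTTP Server makes once a TLS client has presented
a certificate: trust only certificates issued by the company's private CA,
reject expired ones, and resolve the certificate to the IBM i user profile
it was associated with. The CA name, association table and sample
certificates are constructed for this example; DCM stores associations
in its own format, which this script does not reproduce.
"""
import ssl
import time

# Constructed: issuer DN of the private local CA, in the flattened form
# produced by issuer_dn() below.
LOCAL_CA_ISSUER = "commonName=MyCo Local CA,organizationName=MyCo Inc."

# Constructed: (issuer DN, serial number) -> user profile. A dict stands in
# for DCM's certificate/user-profile association.
PROFILE_ASSOCIATIONS = {
    (LOCAL_CA_ISSUER, "0A1B"): "JSMITH",
    (LOCAL_CA_ISSUER, "0A1C"): "MJONES",
}


def issuer_dn(peercert):
    """Flatten the 'issuer' field of an ssl.getpeercert()-style dict.

    getpeercert() returns issuer as a tuple of RDNs, each RDN a tuple of
    (attribute, value) pairs; join them as "attr=value,attr=value".
    """
    return ",".join(f"{attr}={value}"
                    for rdn in peercert["issuer"] for attr, value in rdn)


def authenticate(peercert, now=None):
    """Return (True, profile) if the certificate identifies an authorized
    user, else (False, reason). `peercert` follows the dict shape of
    ssl.SSLSocket.getpeercert(): 'issuer', 'serialNumber', 'notAfter'."""
    now = time.time() if now is None else now
    issuer = issuer_dn(peercert)
    serial = peercert["serialNumber"].upper()

    # 1. A certificate from any other CA, even a well-known public one,
    #    is not an employee certificate and must not grant access.
    if issuer != LOCAL_CA_ISSUER:
        return False, f"issuer not trusted: {issuer}"

    # 2. Expiry: ssl.cert_time_to_seconds() parses the notAfter string
    #    format that getpeercert() returns (e.g. 'Jan  1 00:00:00 2030 GMT').
    if now > ssl.cert_time_to_seconds(peercert["notAfter"]):
        return False, "certificate expired"

    # 3. Trusted and valid is not enough: the certificate must have been
    #    associated with a user profile, otherwise there is no profile
    #    for the server to swap to.
    profile = PROFILE_ASSOCIATIONS.get((issuer, serial))
    if profile is None:
        return False, "certificate not associated with a user profile"
    return True, profile


def _cert(issuer_rdns, serial, not_after):
    """Build a constructed getpeercert()-style dict for the samples below."""
    return {"issuer": issuer_rdns, "serialNumber": serial, "notAfter": not_after}


LOCAL_CA_RDNS = ((("commonName", "MyCo Local CA"),),
                 (("organizationName", "MyCo Inc."),))
PUBLIC_CA_RDNS = ((("commonName", "Example Public CA"),),)

# Constructed sample certificates as a TLS server would see them.
SAMPLE_CERTS = {
    "employee": _cert(LOCAL_CA_RDNS, "0A1B", "Jan  1 00:00:00 2030 GMT"),
    "public_ca": _cert(PUBLIC_CA_RDNS, "0A1B", "Jan  1 00:00:00 2030 GMT"),
    "expired": _cert(LOCAL_CA_RDNS, "0A1C", "Jan  1 00:00:00 2020 GMT"),
    "unassociated": _cert(LOCAL_CA_RDNS, "FFFF", "Jan  1 00:00:00 2030 GMT"),
}

# Fixed clock for reproducible results: 1 Jan 2025 UTC.
NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2025 GMT")

if __name__ == "__main__":
    for name, cert in SAMPLE_CERTS.items():
        print(f"{name:13s} -> {authenticate(cert, NOW)}")
```

Only the "employee" sample is accepted; the other three show why "the client presented a certificate" is not the same as "the client is an authorized user": the issuer must be the local CA, the certificate must be within its validity period, and an administrator must have associated it with a profile.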


In this scenario, MyCo, Inc. wants to use digital certificates to protect the sensitive personal information that their internal human resources Web site provides to company employees. The company also wants a more secure method of authenticating those users who are allowed to access this Web site.

The objectives of this scenario are as follows:
  • The company's internal human resources Web site must use TLS to protect the privacy of the data that it provides to users.
  • TLS configuration must be accomplished with private certificates from an internal local Certificate Authority (CA).
  • Authorized users must provide a valid certificate to access the human resources Web site in TLS mode.


The following figure illustrates the network configuration for this scenario:

Fig. 2 TLS communications between System A and company external and internal clients (text description follows figure)

The figure illustrates the following information about the situation for this scenario:

Company public server – System A
  • System A is the server that hosts the company's rate calculating application.
  • System A runs IBM i Version 5 Release 4 (V5R4), or later.
  • System A has Digital Certificate Manager and IBM HTTP Server for i installed and configured.
  • System A runs the rate calculating application, which is configured such that it:
    • Requires TLS mode.
    • Uses a public certificate from a well-known Certificate Authority (CA) to authenticate itself to initialize a TLS session.
    • Requires user authentication by user name and password.
  • System A presents its certificate to initiate a TLS session when Clients B and C access the rate calculating application.
  • After initializing the TLS session, System A requests that Clients B and C provide a valid user name and password before allowing access to the rate calculating application.
Agent client systems – Client B and Client C
  • Clients B and C are independent agents who access the rate calculating application.
  • The client software on Clients B and C has an installed copy of the certificate of the well-known CA that issued the application certificate.
  • Clients B and C access the rate calculating application on System A, which presents its certificate to their client software to authenticate its identity and initiate a TLS session.
  • Client software on Clients B and C is configured to accept the certificate from System A for the purpose of initializing a TLS session.
  • After the TLS session begins, Clients B and C must provide a valid user name and password before System A grants access to the application.

Prerequisites and assumptions

This scenario depends on the following prerequisites and assumptions:

  • The IBM HTTP Server for i (powered by Apache) runs the human resource application on System A. This scenario does not provide specific instructions for configuring the HTTP Server to use TLS; it provides instructions for configuring and managing the certificates that any application needs in order to use TLS.
  • The HTTP Server can require certificates for client authentication. This scenario provides instructions for using DCM to meet the certificate management requirements of the scenario, but not the specific steps for configuring certificate client authentication on the HTTP Server.
  • The human resources HTTP Server on System A already uses password authentication.
  • System A meets the requirements for installing and using DCM.
  • No one has previously configured or used DCM on System A.
  • Whoever uses DCM to perform the tasks in this scenario must have *SECADM and *ALLOBJ special authorities for their user profile.
  • System A does not have an IBM Cryptographic Coprocessor installed.

Configuration tasks