Configuring SSL for two-way SSL communication

Use two-way SSL communication when the client must authenticate the server and the server must authenticate the client.

Before you begin

About this task

Two-way authentication requires a truststore and a keystore on both the client and the server. In this example, the client's truststore contains CA certificate "A" and the client's keystore contains CA certificate "B". The server's truststore contains CA certificate "B" and the server's keystore contains CA certificate "A". The client sends a request to the SSL server. The SSL server sends Certificate A from its keystore to the client. The client validates Certificate A against the certificates that are contained in its truststore.

If Certificate A is found in the client's truststore, the client accepts communication from the SSL server. The server then sends an authentication request to the client. The client sends Certificate B from its keystore to the server. The server validates Certificate B against the certificates that are contained in its truststore. If Certificate B is found in the server's truststore, the server accepts communication from the client.

The following figure describes SSL configuration for two-way SSL communication.
Figure 1. Two-way SSL communication (client communication)
Note: IBM Security Identity server uses the existing truststore and keystore of the WebSphere Application Server.

Procedure

To configure two-way SSL, do the following tasks:

  1. Create a keystore for the Security Directory Integrator server.
  2. Create a truststore for the Security Directory Integrator server. Do not do this task if you use the same file for keystore and truststore.
  3. Create a server-signed certificate for the Security Directory Integrator server.
  4. Create a CA certificate for the Security Directory Integrator server.
  5. Import the Security Directory Integrator CA certificate into the WebSphere Application Server truststore.
    Note: You can modify the solution.properties file for steps 6, 7, and 8 in a single operation. When you do so, do not stop and restart the adapter service at the end of steps 6 and 7.
  6. Configure the Security Directory Integrator to use keystores.
  7. Configure the Security Directory Integrator to use truststores.
  8. Enable the adapter service to use SSL.
  9. Create a certificate for the IBM Security Identity server.
  10. Create a CA certificate for IBM Security Identity server.
  11. Import the WebSphere Application Server CA certificate into the Security Directory Integrator truststore.
  12. Stop and restart the adapter service.
  13. Stop and restart WebSphere Application Server.
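The trust relationships that the procedure above sets up can be exercised outside the product with plain PEM files. The following script is an added example, not IBM's code or a product command: it builds CA "A" and CA "B", issues Certificate A (server keystore) from CA A and Certificate B (client keystore) from CA B, assembles each side's truststore exactly as described in "About this task", and then runs the validation each side performs during the handshake. It assumes the openssl command-line tool is installed; the file names, subject names and the use of PEM files in place of Java keystores are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): models two-way SSL trust with
# the openssl CLI. File names and subjects are assumptions made for the demo.
set -eu

# Build CA "A" and CA "B", a server certificate issued by A (server keystore
# contents) and a client certificate issued by B (client keystore contents).
# Truststores follow the task description:
#   client truststore = CA A  (client validates the server's Certificate A)
#   server truststore = CA B  (server validates the client's Certificate B)
make_demo_pki() {
  dir="$1"
  mkdir -p "$dir"
  ( cd "$dir"
    # Self-contained config so the CA certificates carry CA:TRUE regardless
    # of the system openssl.cnf.
    cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    for ca in A B; do
      openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 365 \
        -keyout "ca$ca.key" -out "ca$ca.crt" -subj "/CN=CA $ca" >/dev/null 2>&1
    done
    # Server key pair and CSR, signed by CA A: this is "Certificate A"
    openssl req -config ca.cnf -newkey rsa:2048 -nodes \
      -keyout server.key -out server.csr -subj "/CN=server.example" >/dev/null 2>&1
    openssl x509 -req -in server.csr -CA caA.crt -CAkey caA.key -CAcreateserial \
      -days 365 -out server.crt >/dev/null 2>&1
    # Client key pair and CSR, signed by CA B: this is "Certificate B"
    openssl req -config ca.cnf -newkey rsa:2048 -nodes \
      -keyout client.key -out client.csr -subj "/CN=client.example" >/dev/null 2>&1
    openssl x509 -req -in client.csr -CA caB.crt -CAkey caB.key -CAcreateserial \
      -days 365 -out client.crt >/dev/null 2>&1
    # Truststores: each side holds only the CA that issued the peer's certificate
    cp caA.crt client-truststore.pem
    cp caB.crt server-truststore.pem
  )
}

# The check each side performs on the peer's certificate: does it chain to a
# CA in my truststore? Returns 0 when trusted, 1 otherwise.
validate_peer_cert() {
  truststore="$1"; cert="$2"
  if openssl verify -CAfile "$truststore" "$cert" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

demo="$(mktemp -d)"
make_demo_pki "$demo"
if validate_peer_cert "$demo/client-truststore.pem" "$demo/server.crt"; then
  echo "client: Certificate A accepted (issuer CA A is in the client truststore)"
fi
if validate_peer_cert "$demo/server-truststore.pem" "$demo/client.crt"; then
  echo "server: Certificate B accepted (issuer CA B is in the server truststore)"
fi
if ! validate_peer_cert "$demo/server-truststore.pem" "$demo/server.crt"; then
  echo "server truststore (CA B only) rejects Certificate A, as expected"
fi
```

The two `cp` lines stand in for the truststore imports in steps 5 and 11; in the product those stores are Java keystores, so the equivalent operation is `keytool -importcert` of the peer's CA certificate into the truststore file rather than a file copy. The last check is the one to keep in mind when troubleshooting: a handshake fails not because a certificate is malformed but because the CA that issued it is missing from the validating side's truststore.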