Configuring EAI certificate authentication
To configure the external authentication mechanism, complete the following steps.
Procedure
- Verify that certificate authentication is enabled. See Enabling certificate authentication.
- In the [certificate] stanza, specify the URI that is invoked to perform the authentication as the value for the eai-uri stanza entry. This URI must be relative to the root web space of the WebSEAL server. See the Web Reverse Proxy Stanza Reference in the IBM Knowledge Center.
- In the [certificate] stanza, specify the client certificate data elements that are passed to the EAI application as the value for the eai-data stanza entry. This must be of the form eai-data = data: header_name. Multiple pieces of client certificate data can be passed to the EAI application by including multiple eai-data configuration entries. For details, see the Web Reverse Proxy Stanza Reference in the IBM Knowledge Center.
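The following is an added example, not IBM's code or a fragment of any shipped webseald.conf. It puts the two stanza entries above into a constructed [certificate] fragment, reads the repeated eai-data entries in their data: header_name form, and shows the receiving side: a small handler standing in for the application behind eai-uri that maps the forwarded certificate data to a user identity. The data element names SUBJECT_DN and ISSUER_DN, the header names to the right of the colon, the accept-client-certs line, the issuer allowlist and the use of am-eai-user-id as the response header that carries the user id are all assumptions for illustration; confirm the supported names against the Web Reverse Proxy Stanza Reference and the EAI HTTP header reference for your release.

```python
import re

# Constructed webseald.conf fragment (not from the page). eai-uri and eai-data
# are the [certificate] keys the procedure names; accept-client-certs, the data
# element names and the header names are assumptions for this example.
WEBSEALD_CONF = """\
[certificate]
accept-client-certs = required
eai-uri = /eai/cert-auth
eai-data = SUBJECT_DN: x-cert-subject-dn
eai-data = ISSUER_DN: x-cert-issuer-dn
"""

# Constructed issuer allowlist: only certificates from this CA map to a user id.
TRUSTED_ISSUER_DNS = {"CN=Example Issuing CA,O=Example Corp,C=US"}

# Response header the EAI application sets to name the authenticated user
# (assumed default WebSEAL EAI header name).
EAI_USER_ID_HEADER = "am-eai-user-id"


def parse_stanza(conf, stanza):
    """Return the (key, value) pairs of one stanza, keeping repeated keys in order."""
    entries, current = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            continue
        if current == stanza and "=" in line:
            key, _, value = line.partition("=")
            entries.append((key.strip(), value.strip()))
    return entries


def eai_header_map(entries):
    """Build {data_element: header_name} from eai-data entries of the form
    'data: header_name'. A malformed entry is an error, not a silently missing header."""
    mapping = {}
    for key, value in entries:
        if key != "eai-data":
            continue
        data, sep, header = value.partition(":")
        data, header = data.strip(), header.strip()
        if not sep or not data or not header:
            raise ValueError(f"malformed eai-data entry: {value!r}")
        mapping[data] = header
    return mapping


def parse_dn(dn):
    """Split an RFC 4514 style DN into {ATTR: value}; handles '\\,' escapes only."""
    out = {}
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.partition("=")
        if sep:
            out[attr.strip().upper()] = value.strip().replace("\\,", ",")
    return out


def handle_eai_request(request_headers, header_map):
    """Stand-in for the application behind eai-uri: WebSEAL has already validated
    the TLS client certificate; this maps its forwarded data to a user id.
    Returns (status, response_headers)."""
    lowered = {k.lower(): v for k, v in request_headers.items()}
    subject = lowered.get(header_map["SUBJECT_DN"].lower())
    issuer = lowered.get(header_map["ISSUER_DN"].lower())
    if not subject or not issuer:
        return 401, {}          # no certificate data forwarded: not authenticated
    if issuer not in TRUSTED_ISSUER_DNS:
        return 403, {}          # valid certificate, but not from a CA we map to users
    cn = parse_dn(subject).get("CN")
    if not cn:
        return 403, {}          # nothing usable as a user id
    return 200, {EAI_USER_ID_HEADER: cn}


if __name__ == "__main__":
    headers = eai_header_map(parse_stanza(WEBSEALD_CONF, "certificate"))
    sample = {  # constructed request headers as WebSEAL would forward them to eai-uri
        "X-Cert-Subject-DN": "CN=alice,OU=Staff,O=Example Corp,C=US",
        "X-Cert-Issuer-DN": "CN=Example Issuing CA,O=Example Corp,C=US",
    }
    print(headers, handle_eai_request(sample, headers))
```

The handler trusts the subject and issuer headers only because WebSEAL sets them from the certificate it verified during the TLS handshake, so the resource behind eai-uri must be reachable through WebSEAL alone; the issuer allowlist is there so that a certificate from some other CA in the trust store does not silently map to a user.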
What to do next
For more information on the EAI protocol, see the following sections:
- HTTP header names for authentication data
- Extracting authentication data from special HTTP headers
- How to generate the credential
- How to write an external authentication application
- External authentication interface HTTP header reference
- Post-authentication redirection with external authentication interface
- Session handling with external authentication interface
- Authentication strength level with external authentication interface
- Reauthentication with external authentication interface
- Setting a client-specific session cache entry lifetime value
- Setting a client-specific session cache entry inactivity timeout value
Note: When using an external application to authenticate the client certificate, multi-step authentications are not allowed, and the external authentication application does not need to be available to unauthenticated users.