Authentication with a client certificate
Use the -K option to enable WebSEAL to authenticate to the junctioned back-end server using its client certificate.
-K "key_label"
The conditions for this scenario include:
- The back-end server is set up to require verification of WebSEAL's identity with a client certificate.
- You use the LMI to create, label, and store a special key that is used solely as WebSEAL's client certificate when authenticating to a junctioned back-end server.
- For greater security, additionally configure the junction for DN matching (-D).
The -K option uses an argument that specifies the key-label of the required certificate as stored in the GSKit key database. Use the LMI to add new certificates to the key database.
You must surround the key-label argument with quotation marks.
For example:
-K "cert1_Tiv"
If the key is located on cryptographic hardware, you must specify the WebSEAL token device with the key label.
-K "token_name:key-label"
For example:
-K "websealtoken:junctionkey"