Mutually authenticated SSL junctions process summary
WebSEAL supports mutual authentication between a WebSEAL server and a back-end server over an SSL junction (-t ssl, -t sslproxy, or -t mutual).
The following outline summarizes the supported functionality for mutual authentication over SSL (command options are listed where appropriate):
- WebSEAL authenticates the back-end server (normal SSL process)
  - WebSEAL validates the server certificate from the back-end server.
  - WebSEAL verifies the distinguished name (DN) contained in the certificate (-D) (optional, but provides a higher level of security).
- Back-end server authenticates WebSEAL (two methods)
  - Back-end server validates the client certificate from WebSEAL (-K).
  - Back-end server validates WebSEAL identity information in a basic authentication (BA) header (-B, -U, -W).
The command options that control mutual authentication over SSL provide the following features:
- You can specify either the client certificate or the BA authentication method.
- You can apply authentication methods on a per-junction basis.
Special considerations for combining the -b options (for handling BA information) with mutual authentication over SSL are described in Client identity information across junctions.
Mutual authentication over SSL virtual host junctions is also supported.
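To make the two directions of the handshake concrete, the following is an added example in Python; it is not code from the WebSEAL product or its documentation. It models the checks outlined above with the standard library's ssl module: on the proxy side, the back-end's certificate chain is validated and then a -D style comparison of the presented subject DN against the DN configured for the junction is applied; toward the back-end, the proxy is authenticated either by a client certificate loaded into the TLS context (the role of -K) or by a BA header built from a user name and password (the role of -B, -U and -W). The hostnames, file names, user name and the sample certificate dictionary are constructed for this example and do not come from the page.

```python
"""Added example (not part of the WebSEAL documentation): the two halves of a
mutually authenticated SSL junction, modelled with Python's standard library.

 - Proxy authenticates the back-end: the server certificate must chain to a
   trusted CA (normal SSL validation) and, optionally, its subject DN must
   equal the DN configured for the junction (the check the -D option adds).
 - Back-end authenticates the proxy: either by a client certificate the proxy
   presents in the handshake (-K) or by a basic authentication header the
   proxy adds to each request (-B/-U/-W).

Hostnames, file names, credentials and the sample certificate are constructed.
"""
import base64
import socket
import ssl

# Attribute names as ssl.SSLSocket.getpeercert() returns them, mapped to the
# short forms used when a DN is written as "CN=...,O=...,C=...".
_SHORT_NAMES = {
    "commonName": "CN",
    "organizationalUnitName": "OU",
    "organizationName": "O",
    "localityName": "L",
    "stateOrProvinceName": "ST",
    "countryName": "C",
}

# Constructed sample in the shape getpeercert() returns for a validated peer.
SAMPLE_BACKEND_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "backend.example.internal"),)),
    "issuer": ((("commonName", "Example Internal CA"),),),
}


def _normalize_dn(dn):
    """Split 'CN=a, o=b,C=US' into [(TYPE, value), ...].

    Attribute types compare case-insensitively, values exactly. The split is
    deliberately simple: escaped commas inside values are not handled.
    """
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        parts.append((attr.strip().upper(), value.strip()))
    return parts


def subject_dn(peer_cert):
    """Render the subject of a getpeercert() dict as an RFC 2253 style string.

    The certificate lists RDNs least specific first (C, O, CN); the string
    form lists them most specific first, so the order is reversed.
    """
    rdns = []
    for rdn in reversed(peer_cert["subject"]):
        rdns.append("+".join("%s=%s" % (_SHORT_NAMES.get(a, a), v) for a, v in rdn))
    return ",".join(rdns)


def dn_matches(peer_cert, expected_dn):
    """The -D check: True only if the subject DN of the presented server
    certificate equals the DN configured for the junction."""
    return _normalize_dn(subject_dn(peer_cert)) == _normalize_dn(expected_dn)


def junction_client_context(ca_bundle, client_cert=None, client_key=None):
    """TLS context the proxy uses toward the back-end.

    ca_bundle   : PEM file of CA certificates the back-end certificate must chain
                  to (None falls back to the platform's default trust store).
    client_cert : the proxy's own certificate (and key) presented when the
                  back-end requests client authentication, the -K role.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    ctx.verify_mode = ssl.CERT_REQUIRED      # an unvalidated back-end cert fails
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def basic_auth_header(user, password):
    """The -B/-U/-W alternative: the identity the back-end reads from a BA header."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def open_junction(host, port, ctx, expected_dn=None):
    """Connect to the back-end; the handshake validates chain and hostname, and
    when a junction DN is configured the subject DN must match it as well."""
    conn = ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)
    cert = conn.getpeercert()
    if expected_dn is not None and not dn_matches(cert, expected_dn):
        presented = subject_dn(cert)
        conn.close()
        raise ssl.CertificateError("back-end DN %r does not match junction DN %r"
                                   % (presented, expected_dn))
    return conn


if __name__ == "__main__":
    wanted = "CN=backend.example.internal,O=Example Corp,C=US"
    print("presented:", subject_dn(SAMPLE_BACKEND_CERT))
    print("-D match :", dn_matches(SAMPLE_BACKEND_CERT, wanted))
    print("BA header:", basic_auth_header("websealuser", "secret"))
```

A junction that uses the client-certificate method would call `junction_client_context("ca.pem", "proxy.pem", "proxy.key")` and then `open_junction(...)` with the expected DN; one that uses the BA method leaves the client certificate out and sends `basic_auth_header(...)` as the `Authorization` header on every request. Keeping the DN comparison as a pure function over the `getpeercert()` structure is what makes the -D style check testable without a live back-end.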