Client-side and server-side certificate concepts
This section describes the administration and configuration tasks required to set up WebSEAL to handle client-side and server-side digital certificates used for authentication over SSL.
WebSEAL requires certificates for the following situations:
- WebSEAL identifies itself to SSL clients with its server-side certificate
- WebSEAL identifies itself to a junctioned back-end server (configured for mutual authentication) with a client-side certificate
- WebSEAL refers to its database of Certificate Authority (CA) root certificates to validate clients that authenticate with client-side certificates
- WebSEAL refers to its database of Certificate Authority (CA) root certificates to validate junctioned back-end servers
WebSEAL uses the IBM® Global Security Kit (GSKit) implementation of SSL to configure and administer digital certificates. The appliance provides the LMI to set up and manage the certificate key database. This database contains one or more WebSEAL server/client certificates and the CA root certificates.
WebSEAL includes the following components at installation to support SSL authentication using digital certificates:
- A default key database (pdsrv.kdb)
- A default key database stash file (pdsrv.sth) and password ("pdsrv")
- Several common CA root certificates
- A self-signed test certificate that WebSEAL can use to identify itself to SSL clients
Before using WebSEAL in a production environment, apply for a commonly recognized certificate from a known Certificate Authority to use instead of this test certificate.
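The two checks a practitioner wants before going live follow from the points above: is the certificate WebSEAL presents still a self-signed test certificate, and does a client or junctioned server certificate actually chain to a root in the CA store? The script below is an added example using the openssl CLI, not IBM's or WebSEAL's own tooling; the certificates, subject names and file paths it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: pre-production certificate checks with openssl (assumed present).
# Certificates would normally be exported from the GSKit key database first.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# "yes" when issuer hash equals subject hash, i.e. the certificate signed itself.
# A production WebSEAL server certificate must answer "no".
cert_is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject_hash)
  iss=$(openssl x509 -in "$1" -noout -issuer_hash)
  [ "$subj" = "$iss" ] && echo yes || echo no
}

# "yes" when the certificate ($1) verifies against the CA bundle ($2), which is
# the same decision WebSEAL makes for client-side and junctioned-server
# certificates using its database of CA root certificates.
cert_chains_to_store() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo yes || echo no
}

# Constructed sample material: a private CA, a server certificate it issued,
# and a stand-alone self-signed certificate standing in for a test certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=webseal.example" \
  -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/srv.pem" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=selfsigned-test" \
  -keyout "$WORK/test.key" -out "$WORK/test.pem" 2>/dev/null

echo "self-signed test cert: $(cert_is_self_signed "$WORK/test.pem")"
echo "CA-issued server cert: $(cert_is_self_signed "$WORK/srv.pem")"
echo "server cert chains to CA store: $(cert_chains_to_store "$WORK/srv.pem" "$WORK/ca.pem")"
echo "test cert chains to CA store: $(cert_chains_to_store "$WORK/test.pem" "$WORK/ca.pem")"
```

Run against the certificate actually exported from pdsrv.kdb to confirm the test certificate has been replaced and that the CA roots in the store cover the issuers you expect.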