
SSL-based authentication

SSL-based authentication verifies the client's credentials in two stages.

This is the only authentication mechanism available in IBM® Security Verify Directory Integrator 6.0. The two stages are:

  1. First the IBM® Security Verify Directory Integrator server verifies that the client (represented by its SSL certificate) has the right to access the server: it checks whether the client's SSL certificate is contained in the server's truststore, that is, whether the server trusts this client. This check is part of the SSL handshake sequence, so a client whose certificate is not trusted fails the handshake itself.

    Attention: A client certificate example, corresponding to the server certificate example in file testserver.jks, is provided in file serverapi/testadmin.jks; the password of this keystore is "administrator". As with all default security parameters, do not rely on these: generate your own client and server certificates and specify them in the properties files. See Certificates for the IBM® Security Verify Directory Integrator Web service Suite.

    The truststore is kept in the file indicated by the api.truststore property.

  2. If the truststore check succeeds, the server verifies that the distinguished name (DN) of the client's SSL certificate matches a user ID in the Server API User Registry. If the DN does not match any user ID in the Server API User Registry file, the connection request from the client is denied. This second step can also be regarded as part of the authorization sequence.

SSL-based authentication can be turned off in IBM® Security Verify Directory Integrator. It is controlled by the property api.remote.ssl.client.auth.on in the IBM® Security Verify Directory Integrator Server configuration file (global.properties or solution.properties).

When api.remote.ssl.client.auth.on is set to "true", the IBM® Security Verify Directory Integrator Server requires client authentication within the SSL handshake (the IBM® Security Verify Directory Integrator 6.0 mechanism for SSL-based authentication). Whether a username and password pair is supplied does not change this requirement. If no username and password pair is supplied, the 6.0 mechanism is used as described above: the client certificate must be trusted and its DN must match a user ID in the Server API User Registry. If a username and password pair is supplied, the client must still present its SSL certificate in the handshake, but the user ID for authentication (and, at a later step, authorization) is taken from the supplied username rather than from the certificate DN.

When api.remote.ssl.client.auth.on is set to "false", SSL-based authentication cannot be used. When the property is not specified, a value of "false" is assumed, so SSL-based authentication is off unless you set the property explicitly.
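The two-stage check and the api.remote.ssl.client.auth.on rules above, modelled as an added example in Python. This is not IBM Security Verify Directory Integrator code: it represents the client certificate the way Python's ssl module exposes a peer certificate (DER bytes plus a subject tuple), stands in for the JKS truststore named by api.truststore with a set of SHA-256 certificate fingerprints, and assumes the Server API User Registry is matched on a normalized RFC 2253 rendering of the DN. How the product itself canonicalizes DNs, and how the username and password path verifies the password, are not described on this page and are left out. The sample certificates and the registry entry are constructed.

```python
"""Added example (not IBM SDI code): stdlib-only model of the two-stage SSL client
check. A client 'certificate' is what a Python TLS server sees after a
client-authenticated handshake: DER bytes from getpeercert(binary_form=True) and the
subject tuple from getpeercert()."""
import hashlib
import re
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Attribute-type names as getpeercert() reports them -> RFC 2253 short names.
_SHORT = {"commonName": "CN", "organizationName": "O", "organizationalUnitName": "OU",
          "countryName": "C", "stateOrProvinceName": "ST", "localityName": "L"}

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER certificate. Assumption for the example: the
    truststore is a set of such fingerprints (SDI uses the JKS file in api.truststore)."""
    return hashlib.sha256(der).hexdigest()

def _escape(value: str) -> str:
    """RFC 2253 escaping of special characters inside an attribute value."""
    value = re.sub(r'([\\,+"<>;])', r"\\\1", value)
    if value[:1] in ("#", " "):
        value = "\\" + value
    if value.endswith(" "):
        value = value[:-1] + "\\ "
    return value

def dn_from_peercert(subject: Sequence[Sequence[Tuple[str, str]]]) -> str:
    """Render getpeercert()['subject'] as RFC 2253, most specific RDN first
    (e.g. 'CN=admin,O=Example,C=US'); getpeercert() lists RDNs root-first."""
    return ",".join("+".join(f"{_SHORT.get(t, t)}={_escape(v)}" for t, v in rdn)
                    for rdn in reversed(subject))

def normalize_dn(dn: str) -> str:
    """Canonical form for registry lookups: no whitespace around unescaped commas and
    upper-case attribute types. Assumption: the page does not say how SDI compares DNs;
    formatting mismatches are the usual reason a trusted certificate fails stage 2."""
    out = []
    for part in re.split(r"(?<!\\),", dn):
        t, _, v = part.strip().partition("=")
        out.append(f"{t.strip().upper()}={v.strip()}")
    return ",".join(out)

@dataclass(frozen=True)
class Decision:
    allowed: bool
    user_id: Optional[str] = None   # identity handed to the authorization step
    via: Optional[str] = None       # "certificate" or "username"
    reason: Optional[str] = None    # set only when allowed is False

def authenticate(client_cert: Optional[Tuple[bytes, Sequence]], truststore: set,
                 registry: set, client_auth_on: bool,
                 username: Optional[str] = None) -> Decision:
    """Apply the api.remote.ssl.client.auth.on rules. client_cert is (der, subject) or
    None if the client sent none. Password checking on the username path is not on
    this page and is not modelled; only the choice of user ID is."""
    if not client_auth_on:
        # Property false or absent: no client certificate is requested in the
        # handshake, so SSL-based authentication is unavailable.
        if username is None:
            return Decision(False, reason="SSL-based authentication is off; username and password required")
        return Decision(True, user_id=username, via="username")
    if client_cert is None:
        return Decision(False, reason="handshake failed: client presented no certificate")
    der, subject = client_cert
    # Stage 1 (inside the SSL handshake): is the certificate in the server's truststore?
    if fingerprint(der) not in truststore:
        return Decision(False, reason="stage 1: client certificate not in truststore")
    # A supplied username overrides the certificate DN as user ID, but the
    # certificate still had to pass stage 1.
    if username is not None:
        return Decision(True, user_id=username, via="username")
    # Stage 2: the certificate DN must match a user ID in the Server API User Registry.
    dn = dn_from_peercert(subject)
    if normalize_dn(dn) not in {normalize_dn(u) for u in registry}:
        return Decision(False, reason=f"stage 2: DN {dn!r} not in Server API User Registry")
    return Decision(True, user_id=dn, via="certificate")

# Constructed sample data; these byte strings are not real certificates.
ADMIN_DER = b"constructed DER for the admin client certificate"
ADMIN_SUBJECT = ((("countryName", "US"),), (("organizationName", "Example, Inc."),),
                 (("commonName", "admin"),))
OPERATOR_DER = b"constructed DER for a trusted but unregistered client"
OPERATOR_SUBJECT = ((("countryName", "US"),), (("organizationName", "Example, Inc."),),
                    (("commonName", "operator"),))
ROGUE_DER = b"constructed DER for a certificate the server does not trust"
TRUSTSTORE = {fingerprint(ADMIN_DER), fingerprint(OPERATOR_DER)}
# Registry entry deliberately uses different spacing and type case than the
# certificate renders, to show why normalization matters.
REGISTRY = {"cn=admin, o=Example\\, Inc., c=US"}

if __name__ == "__main__":
    for label, cert, user in [("admin cert", (ADMIN_DER, ADMIN_SUBJECT), None),
                              ("operator cert", (OPERATOR_DER, OPERATOR_SUBJECT), None),
                              ("rogue cert", (ROGUE_DER, ADMIN_SUBJECT), None),
                              ("admin cert + username", (ADMIN_DER, ADMIN_SUBJECT), "jdoe")]:
        print(f"{label}: {authenticate(cert, TRUSTSTORE, REGISTRY, True, user)}")
```

Running the block prints one decision per case. The rogue certificate fails at stage 1, inside the handshake, before its DN is ever looked at; the operator certificate is trusted but rejected at stage 2, which is the case to suspect when a certificate you have added to the truststore is still refused. With the property off, the same admin certificate is never requested and only the username path remains.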