Configuring certificates for one-way SSL authentication

In this configuration, the Identity server and the adapter use SSL.

About this task

Client authentication is not set on either application. The Identity server operates as the SSL client and initiates the connection. The adapter operates as the SSL server and responds by sending its signed certificate to the Identity server. The Identity server uses the installed CA certificate to validate the certificate that is sent by the adapter.

In Figure 1, Application A operates as the Identity server, and Application B operates as the IBM Security Verify Adapter.
Figure 1. One-way SSL authentication (server authentication)
One-way SSL authentication: the Identity server validates the certificate of the adapter. The adapter does not authenticate the Identity server.

To configure one-way SSL, do the following tasks for each application:

Procedure

  1. On the adapter, configure a KEYRING and certificate as described in the samples in Reference. Complete these steps:
    1. Start the certTool utility.
    2. Configure the SSL-server application with a signed certificate issued by a certificate authority.
      1. Create a certificate signing request (CSR) and private key. This step creates the certificate with an embedded public key and a separate private key and places the private key in the PENDING_KEY registry value.
      2. Submit the CSR to the certificate authority by using the instructions that are supplied by the CA. When you submit the CSR, specify that you want the root CA certificate to be returned together with the server certificate.
  2. On the Identity server, complete one of these steps:
    • If you used a signed certificate that is issued by a well-known CA:
      1. Ensure that the Identity server stores the root certificate of the CA (CA certificate) in its keystore. See https://www-01.ibm.com/support/docview.wss?uid=ibm10713583.
      2. If the keystore does not contain the CA certificate, extract the CA certificate from the adapter and add it to the keystore of the server.
    • If you generated the self-signed certificate on the Identity server, the certificate is installed and requires no additional steps.
    • If you generated the self-signed certificate with the key management utility of another application:
      1. Extract the certificate from the keystore of that application.
      2. Add it to the keystore of the Identity server.
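The following script is an added example and is not part of the IBM documentation or the adapter's certTool utility. It reproduces the trust relationship that the procedure above builds, using openssl as a stand-in for certTool and a throwaway lab CA as a stand-in for the real certificate authority: a private key and CSR are created (step 1), the CSR is signed so that the server certificate comes back with the root CA certificate (step 1), and the chain is then checked against a trust store that does and does not contain the CA certificate (the check the Identity server performs in step 2). The CA name, the adapter host name, and the working directory are constructed values.

```shell
#!/bin/sh
# Added example (not from the IBM page): reproduce the one-way SSL trust chain
# with openssl so the CA-certificate step can be checked before touching the
# Identity server. A throwaway lab CA stands in for the real CA; all names
# (lab-ca, adapter.example.test, the work directory) are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# CA side (constructed): a lab CA whose root certificate is what the Identity
# server must hold in its keystore.
make_lab_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=lab-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# What certTool does on the adapter: a private key and a CSR carrying the
# embedded public key. The private key stays on the adapter host.
make_adapter_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=adapter.example.test" \
    -keyout "$WORK/adapter.key" -out "$WORK/adapter.csr" 2>/dev/null
}

# The CA signs the CSR and returns the server certificate; ca.pem is the root
# CA certificate the procedure tells you to request alongside it.
sign_adapter_csr() {
  openssl x509 -req -sha256 -days 30 \
    -in "$WORK/adapter.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/adapter.pem" 2>/dev/null
}

# The check the Identity server performs during the handshake: does the
# adapter's certificate chain to a CA certificate in the trust store?
# Prints "ok" or "fail" so the result can be tested from a script.
verify_adapter_cert() {
  trust_store="$1"
  if openssl verify -CAfile "$trust_store" "$WORK/adapter.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

main() {
  make_lab_ca
  make_adapter_csr
  sign_adapter_csr
  # Trust store that contains the CA certificate: the handshake would succeed.
  echo "with CA cert in trust store:    $(verify_adapter_cert "$WORK/ca.pem")"
  # Trust store holding only an unrelated certificate: the symptom when the CA
  # certificate was never added to the Identity server's keystore.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=unrelated" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
  echo "without CA cert in trust store: $(verify_adapter_cert "$WORK/other.pem")"
}

if command -v openssl >/dev/null 2>&1; then
  main "$@"
else
  echo "openssl not found; nothing run" >&2
fi
```

Run it on any host with openssl; the first line prints ok and the second prints fail. The fail case is the one to recognise: the adapter presents a valid CA-issued certificate, yet the connection is rejected because the Identity server's keystore lacks the CA certificate, which is exactly what step 2 fixes by importing it. If, as is commonly the case, the Identity server keeps its trust store in a Java keystore (an assumption, not stated on this page), the equivalent import is keytool's -importcert with -trustcacerts against that keystore file.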