Configuring certificates for two-way SSL authentication

In this configuration, the Identity server and the adapter authenticate each other over SSL: each side presents its own certificate.

Before you begin

Configure the adapter and the Identity server for one-way SSL authentication.

If you use signed certificates from a CA:
  • The adapter is configured with a private key and a certificate that the CA signed.
  • The certificate of the CA that signed the adapter certificate is made available to the Identity server, so that the server can verify the adapter.

About this task

The adapter uses client authentication: after the adapter sends its certificate to the server, it requests identity verification from the server, and the server sends its signed certificate to the adapter. Both applications are configured with signed certificates and the corresponding CA certificates.

In Figure 1, the Identity server operates as Application A and the IBM Security Verify Adapter operates as Application B.
Figure 1. Two-way SSL authentication (client authentication)

Procedure

  1. On the Identity server, complete these steps:
    1. Create a CSR and private key.
    2. Obtain a certificate from a CA.
    3. Install the CA certificate.
    4. Install the newly signed certificate.
    5. Extract the CA certificate to a temporary file.
  2. On the adapter, add the CA certificate that you extracted from the keystore of the Identity server.
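The following Go program, added here as an illustration and not part of the IBM documentation or the product, carries the procedure through in code: one CA issues a certificate to the Identity server and one to the adapter, both sides are given that CA certificate, and the server is configured to require a client certificate. The names Example CA, identity-server.example and adapter.example, and the in-memory pipe that stands in for the network, are constructed for the example; a real deployment uses the product keystores and the CA's own signing process.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net"
	"time"
)

// issue makes a key pair and certificate for cn, signed by parent (a self-signed root CA when parent is nil).
func issue(cn string, parent *x509.Certificate, parentKey any) (*x509.Certificate, []tls.Certificate) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		tmpl.KeyUsage, parent, parentKey = x509.KeyUsageCertSign, tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}
}

// As in the procedure, one CA issues both the Identity server's and the adapter's certificate (constructed names).
var (
	ca, caTLS     = issue("Example CA", nil, nil)
	_, serverTLS  = issue("identity-server.example", ca, caTLS[0].PrivateKey)
	_, adapterTLS = issue("adapter.example", ca, caTLS[0].PrivateKey)
)

// mutualTLS runs the adapter (TLS client) against the Identity server (TLS server) over an in-memory pipe; the server demands a CA-issued client certificate, so an adapter that presents none is rejected.
func mutualTLS(adapterCerts []tls.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca) // the extracted CA certificate, trusted by both applications
	srvConn, adpConn := net.Pipe()
	errc := make(chan error, 1)
	go func() {
		errc <- tls.Server(srvConn, &tls.Config{Certificates: serverTLS, ClientCAs: pool,
			ClientAuth: tls.RequireAndVerifyClientCert, SessionTicketsDisabled: true}).Handshake() // a ticket would stall the pipe
		srvConn.Close()
	}()
	clientErr := tls.Client(adpConn, &tls.Config{Certificates: adapterCerts, RootCAs: pool, ServerName: "identity-server.example"}).Handshake()
	adpConn.Close() // a TLS 1.3 client finishes first and would only see a rejection on its next read; closing frees a server mid-alert
	return errors.Join(<-errc, clientErr) // nil only when each side has authenticated the other
}
```

mutualTLS(adapterTLS) returns nil, while mutualTLS(nil) returns the server's error for the missing client certificate.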

Results

After you configure two-way SSL authentication, each application has its own certificate and private key. Each application also has the certificate of the CA that issued those certificates.