Setting preferences for client certificate authentication

Use the Client Certificates preference page to specify preferences for client certificate authentication.

About this task

With client certificate authentication, you can authenticate with remote systems by using a security device such as an integrated circuit card (like a smart card). Wazi Developer for Eclipse relies on the Java™ Cryptographic Service Provider (Java CSP) for the retrieval of the certificates. The certificates are used solely for client certificate authentication. All updates to the certificates are outside the scope of Wazi Developer for Eclipse.

Procedure

To set up client certificates on your workstation:

  1. Specify values for these fields:
    Java Cryptography Extension (JCE) provider
      Specify the name of the security provider as provided by the vendor that supplies the cryptography software that is used to access the certificates.
    Keystore type
      Specify the keystore type that the Java CSP uses for retrieving the certificates that are stored in the Microsoft Cryptography API (MS-CAPI) keystore. Use the name of the keystore that the security provider gives.
    hostIdMappings object identifier (OID)
      Specify the hostIdMappings OID. Do not change the value that is specified on the preferences page from the default value of 1.3.18.0.2.18.1 unless instructed otherwise by the systems administrator. The hostIdMappings extension (Object Identifier 1 3 18 0 2 18 1) is an IBM® extension that is also available for public use. The security software on the remote system (such as RACF®) automatically maps a valid certificate to the RACF user ID that is provided in the extension. Changing this value might cause the certificate authentication to fail.
  2. To ensure that each keystore has a unique alias, select the Ensure unique aliases check box.
    Note: Select this option only when you are using the Sun MSCAPI Java Cryptography Extension (JCE) Provider and only when the aliases are not unique. Do not select this option for other JCE providers.
  3. To filter certificates by key usage, select one or more of these check boxes that are listed under Certificate key usage:
    • Digital signature
    • Non-repudiation
    • Key encipherment
    • Data encipherment
    • Key agreement
    • Certificate signing
    • CRL signing
    • Encipher only
    • Decipher only
    For information about the types of key usage, see Key usage extensions and extended key usage.
    Tip: You can filter by key usage alone or combined with filtering by hostIdMappings OID.
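
To check which certificates on a workstation would pass these filters, the following added example (not Wazi Developer for Eclipse code) lists each keystore entry with its key usage bits and whether it carries the hostIdMappings extension. The class name, the "Windows-MY" keystore type, the "SunMSCAPI" provider name, the sample selection, and the rule that a certificate must assert every selected usage are assumptions made for illustration.

```java
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.StringJoiner;

public class ClientCertFilterCheck {
    // Indexes into X509Certificate.getKeyUsage(), in RFC 5280 bit order.
    static final String[] KEY_USAGE_NAMES = {
        "Digital signature", "Non-repudiation", "Key encipherment",
        "Data encipherment", "Key agreement", "Certificate signing",
        "CRL signing", "Encipher only", "Decipher only" };
    static final String HOST_ID_MAPPINGS_OID = "1.3.18.0.2.18.1"; // default value from the page

    // Assumption: a certificate passes only if it asserts every selected usage.
    static boolean hasKeyUsages(X509Certificate cert, int... selected) {
        boolean[] bits = cert.getKeyUsage(); // null when the extension is absent
        for (int i : selected) {
            if (bits == null || i >= bits.length || !bits[i]) return false;
        }
        return true;
    }

    static String describe(X509Certificate cert) {
        boolean[] bits = cert.getKeyUsage();
        if (bits == null) return "(no key usage extension)";
        StringJoiner out = new StringJoiner(", ");
        for (int i = 0; i < bits.length && i < KEY_USAGE_NAMES.length; i++)
            if (bits[i]) out.add(KEY_USAGE_NAMES[i]);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Assumed defaults; pass the keystore type and provider name to override.
        String type = args.length > 0 ? args[0] : "Windows-MY";
        String provider = args.length > 1 ? args[1] : "SunMSCAPI";
        KeyStore ks = KeyStore.getInstance(type, provider);
        ks.load(null, null); // MS-CAPI stores take no stream or password
        int[] selected = {0, 2}; // constructed selection: digital signature + key encipherment
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate cert = (X509Certificate) c;
            // getExtensionValue returns null when the certificate lacks the extension.
            boolean mapped = cert.getExtensionValue(HOST_ID_MAPPINGS_OID) != null;
            System.out.printf("%s | usages: %s | filter match=%b | hostIdMappings=%b%n",
                alias, describe(cert), hasKeyUsages(cert, selected), mapped);
        }
    }
}
```

A certificate that shows `hostIdMappings=false` carries no extension under that OID, so it would not pass a filter on the hostIdMappings OID.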