Troubleshooting
Problem
The IBM Worklight User Certificate Authentication feature requires the server to be configured to require a valid X.509 client certificate. The feature also requires an alternate fallback authentication mechanism for when a certificate does not yet exist on the client. Current versions of the WebSphere Application Server Liberty Profile allow basic authentication, or an HTTP 401 status code, as a fallback to authenticate a user. However, a Worklight client cannot handle this configuration.
Environment
This configuration is common when systems are required to block all access to all resources until proper authorization occurs at the application level.
Diagnosing The Problem
The Worklight User Certificate Authentication feature requires WebSphere Application Server Liberty Profile APAR PI10103 for Liberty 8.5.5.0 and Liberty 8.5.5 Fix Pack 1.
Resolving The Problem
Liberty Profile APAR PI10103 includes support for form-based authentication as a fallback. Form-based authentication makes it possible for the Worklight client to delegate work to the challenge handlers for a user.
For more information, see the Form-based authentication module under Category 8, Authenticity and security in Tutorials and samples.
You can download the interim fix for Liberty Profile APAR PI10103.
Document Information
Modified date: 19 August 2022
UID: swg21659265