Using X.509 Client Certificates on the AS Java

Use

In addition to using SSL for encrypting connections, you can use SSL and X.509 client certificates for authenticating client or user access requests for AS Java applications.

When using client certificates, authentication takes place transparently for the user through the underlying SSL security protocol. Therefore, you can use authentication with client certificates to integrate the AS Java in a Single Sign-On environment.

Integration

Public-Key Infrastructure / Trust Center Services

Users need to receive their client certificates from a Certification Authority (CA) as part of a public-key infrastructure (PKI). If you do not have an established PKI, you can use a Trust Center Service to obtain certificates.

For more information about PKI, see Public-Key Technology.

SSL

When using client certificates, users are authenticated at the communication protocol level using the SSL protocol. Therefore, configuring the use of SSL is necessary for the connections where user authentication takes place. The AS Java enables you to use SSL, or user authentication with certificates, when users access the AS Java applications with or without an intermediary gateway proxy server.

For more information, see Using SSL With an Intermediary Server.

Prerequisites

·        Users possess valid X.509 client certificates issued by a trusted CA.

·        The users' client certificates are imported into their client systems' Web browsers.

·        The AS Java is configured to support HTTPS connections and SSL. For more information, see Configuring the Use of SSL on the AS Java.

Features

The AS Java enables you to authenticate users with client certificates using the following configuration scenarios:

·        You can store client certificates for users from the Identity Management functions of the AS Java and authenticate access based on the user-certificate mapping in the UME data source of the AS Java.

·        Alternatively, you can configure rules for login with client certificates and authenticate user access directly from the certificate information. For this scenario, you do not need to store the certificate information for users.
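The two scenarios above differ in what the server trusts as the link between a certificate and a user. The following Java sketch is an added illustration, not SAP code and not the AS Java login module: all class, method, user and CA names are hypothetical, and keying the stored mapping on issuer DN plus serial number is an assumption made to keep the example self-contained.

```java
import java.math.BigInteger;
import java.util.Map;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

// Added sketch: class, method, user and CA names are hypothetical, not AS Java APIs.
public class CertLoginSketch {
    // Scenario 1: a certificate was stored for the user beforehand. The lookup key
    // here is issuer DN plus serial number, which identifies one certificate per CA.
    static String certKey(X500Principal issuer, BigInteger serial) {
        return issuer.getName(X500Principal.CANONICAL) + "#" + serial.toString(16);
    }

    static String userFromStore(Map<String, String> store, X500Principal issuer, BigInteger serial) {
        return store.get(certKey(issuer, serial)); // null: no user owns this certificate
    }

    // Scenario 2: nothing is stored. A rule derives the user ID from one subject
    // attribute and applies only to certificates from the issuer named in the rule.
    static String userFromRule(X500Principal subject, X500Principal issuer,
            X500Principal ruleIssuer, String attribute) throws InvalidNameException {
        if (!issuer.equals(ruleIssuer)) return null; // issued by a different CA
        String user = null;
        for (Rdn rdn : new LdapName(subject.getName(X500Principal.RFC2253)).getRdns()) {
            if (rdn.size() != 1) return null; // multi-valued RDN: reject rather than guess
            if (!rdn.getType().equalsIgnoreCase(attribute)) continue;
            Object value = rdn.getValue(); // DN escaping already removed by the parser
            if (user != null || !(value instanceof String)) return null; // ambiguous or binary
            user = (String) value;
        }
        return user;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; in a servlet they come from the X509Certificate.
        X500Principal ca = new X500Principal("CN=Example Issuing CA, O=Example Corp, C=DE");
        X500Principal otherCa = new X500Principal("CN=Other CA, O=Elsewhere, C=DE");
        X500Principal subject = new X500Principal("CN=jdoe, OU=Sales, O=Example Corp, C=DE");
        BigInteger serial = new BigInteger("4f2a", 16);

        Map<String, String> store = Map.of(certKey(ca, serial), "JDOE");
        System.out.println(userFromStore(store, ca, serial));         // stored certificate
        System.out.println(userFromStore(store, ca, BigInteger.TEN)); // unknown certificate
        System.out.println(userFromRule(subject, ca, ca, "CN"));      // rule applies
        System.out.println(userFromRule(subject, otherCa, ca, "CN")); // wrong issuer
    }
}
```

In the rule-based variant the issuer check carries the security weight: without it, any CA in the server's trust store could issue a certificate whose subject maps to an existing user ID.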

The integrity and confidentiality of the authentication credentials are provided by the SSL protocol and PKI technology. In addition, users can produce digital signatures using the client certificates to establish higher levels of trust and non-repudiation for business transactions.

Once users receive their client certificates from the CA, they can use them to access applications, and passwords are no longer used for authentication purposes. In addition, users can use their certificates for secure access to other Intranet or Internet services.

Activities

For more information about the configuration activities to use X.509 client certificates for AS Java authentication, see the following sections:

·        Configuring the Use of Client Certificates for Authentication

Information about configuring client certificate authentication in scenarios where users access the AS Java directly or via an intermediary proxy server that tunnels the connection without terminating it.

·        Modifying Client Certificate Authentication Options

Information about the login options to enable rule-based certificate authentication.

·        Using Client Certificates via an Intermediary Server

Information about scenarios where users access the AS Java via an intermediary server that terminates the connection.

·        Enabling Certificate Revocation

Information about how to use certificate revocation lists (CRLs) on the AS Java to make sure that a given certificate has not been revoked by the issuing Certification Authority (CA).