
Using Client Certificates via an Intermediary Server

Use

If users connect to the AS Java via an intermediary server that terminates the connection, for example, a Web proxy, then the user's SSL client certificate cannot be directly used for authentication on the AS Java. In this case, the intermediary server passes the user's certificate to the AS Java in a header variable and the AS Java accepts this certificate based on its trust relationship to the intermediary server.

Note

Although you have the option to use HTTP for the connection between the intermediary server and the AS Java, we recommend also using HTTPS for this connection.

Prerequisites
  • To use HTTPS for the connection between the intermediary server and the AS Java, the AS Java must be configured to support SSL.
  • To use SSL with mutual authentication between the intermediary server and the AS Java, the intermediary server must possess a public-key certificate to use for SSL.
  • The intermediary server is configured to pass the user's client certificate to the AS Java.
  • You know the name of the header variable that contains the user's certificate.
Procedure
  1. If you are using the Web dispatcher as the intermediary server, set the Web dispatcher profile parameter icm/HTTPS/forward_ccert_as_header = true.
  2. Set the following ICM profile parameters on the AS Java.

ICM Profile Parameters

| Parameter | Value | Comment |
| --- | --- | --- |
| icm/accept_forwarded_cert_via_http | <true, false> | Enter true if you want to accept HTTP without using SSL for the connection between the intermediary server and the AS Java. Default value is false. |
| icm/HTTPS/trust_client_with_subject | <Distinguished Name of subject to trust> | String containing the Distinguished Name for the trusted proxy server(s). |
| icm/HTTPS/trust_client_with_issuer | <Distinguished Name of issuer to trust> | String containing the Distinguished Name of the certificate issuer for the trusted proxy server(s). |

  3. Maintain the user's certificate information in his or her user account on the AS Java.
Result

The intermediary server passes the user's client certificate to the AS Java to use for authentication.
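
The following check is an added example, not SAP code: it reads an AS Java profile excerpt and reports settings among the ICM profile parameters above that weaken or break the trust relationship to the intermediary server. The sample profile, its Distinguished Name, and the rule that both trust parameters must be set are assumptions of the example.

```python
# Added example: audits an AS Java profile excerpt for the ICM parameters above.
# SAMPLE_PROFILE is constructed; the DN is a placeholder, not a real proxy.
SAMPLE_PROFILE = """\
# forwarded client certificate settings
icm/accept_forwarded_cert_via_http = true
icm/HTTPS/trust_client_with_subject = CN=proxy.example.com, O=Example, C=DE
icm/HTTPS/trust_client_with_issuer = <Distinguished Name of issuer to trust>
"""

TRUST_PARAMS = (
    "icm/HTTPS/trust_client_with_subject",
    "icm/HTTPS/trust_client_with_issuer",
)

def parse_profile(text):
    """Read 'name = value' lines; '#' lines are comments; a later line overrides."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        # Split on the first '=' only: DN values contain '=' themselves.
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params

def audit_forwarded_cert_trust(text):
    """Return (parameter, finding) pairs for the profile text."""
    params = parse_profile(text)
    findings = []
    # The documented default for this parameter is false.
    http = params.get("icm/accept_forwarded_cert_via_http", "false")
    if http.lower() == "true":
        findings.append(("icm/accept_forwarded_cert_via_http",
                         "forwarded certificates accepted without SSL"))
    for name in TRUST_PARAMS:
        value = params.get(name, "")
        if not value:
            # Assumption of this example: both DNs are expected to be set.
            findings.append((name, "not set"))
        elif value.startswith("<") or "=" not in value:
            # Catches a table placeholder copied verbatim or a non-DN string.
            findings.append((name, "value is not a Distinguished Name"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_forwarded_cert_trust(SAMPLE_PROFILE):
        print(f"{name}: {finding}")
```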