Configuring the Use of Client Certificates for Authentication
Use this procedure to configure the use of client certificates for authentication when users access the J2EE Engine using an end-to-end connection.
For cases where they access the server via an intermediary proxy server that terminates the connection, see Configuring the Use of Client Certificates via an Intermediary Server.

Client certificates enable you to authenticate J2EE Engine users without the need for a user name and a password provided from a logon screen. Therefore, you can also use client certificates for integrating the J2EE Engine in Single Sign-On environments.
When using client certificates for user authentication, the J2EE Engine uses the certificate information to determine the user’s identity. You configure how the user ID is determined by specifying rules. Each rule can be restricted to apply only to certain certificates, and each rule specifies the mechanism used to map the certificates that match its restriction to a user ID. You can configure the following mechanisms to establish the user ID associated with a client certificate during the logon process:
· The J2EE Engine can match the provided certificate to a client certificate stored for the J2EE Engine user ID in the user data store.
· The J2EE Engine can determine the user ID directly from the fields in the client certificate.
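The following sketch models the rule-based mapping described above: each rule is restricted to one issuer and selects one of the two mechanisms. It is an added example, not SAP code or the ClientCertLoginModule configuration format; the class names, rule fields, first-match evaluation order, and sample data are assumptions, and the certificate is assumed to have already passed SSL chain validation.

```python
import hashlib
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ClientCert:      # simplified model of an already-validated certificate
    subject: str       # subject DN as a string
    issuer: str        # issuer DN as a string
    der: bytes         # raw DER encoding of the certificate

@dataclass(frozen=True)
class Rule:            # hypothetical rule shape, not the engine's option names
    issuer_filter: str # restriction: rule applies only to this issuer DN
    mechanism: str     # "stored_cert" or "subject_field"
    attr: str = "CN"   # subject attribute read by "subject_field"

def dn_attr(dn, name):
    """Return attribute `name` from a DN string, honouring escaped commas."""
    for rdn in re.split(r"(?<!\\),", dn):
        key, _, value = rdn.strip().partition("=")
        if key.upper() == name.upper():
            return value.replace("\\,", ",")
    return None

def fingerprint(der):
    return hashlib.sha256(der).hexdigest()

def resolve_user(cert, rules, stored_certs, known_users):
    """First rule whose restriction matches decides; anything else fails closed."""
    for rule in rules:
        if cert.issuer != rule.issuer_filter:
            continue
        if rule.mechanism == "stored_cert":
            # Mechanism 1: match against a certificate stored for a user ID.
            user = stored_certs.get(fingerprint(cert.der))
        elif rule.mechanism == "subject_field":
            # Mechanism 2: take the user ID directly from a certificate field.
            user = dn_attr(cert.subject, rule.attr)
        else:
            raise ValueError("unknown mechanism: " + rule.mechanism)
        return user if user in known_users else None
    return None  # no rule covers this issuer: reject

# Constructed sample data (DNs, DER bytes and user IDs are made up).
INTERNAL_CA = "CN=Example Internal CA,O=Example Corp"
PARTNER_CA = "CN=Example Partner CA,O=Example Partner"
RULES = [Rule(INTERNAL_CA, "subject_field"), Rule(PARTNER_CA, "stored_cert")]
ALICE = ClientCert("CN=alice,OU=Finance,O=Example Corp", INTERNAL_CA, b"der-alice")
BOB = ClientCert("CN=Bob External,O=Example Partner", PARTNER_CA, b"der-bob")
STORED = {fingerprint(BOB.der): "bob"}
USERS = {"alice", "bob"}
```

Restricting the field-based rule to the internal issuer means a certificate from the partner CA with `CN=alice` in its subject does not resolve to `alice`; it must match a stored certificate instead.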
● The J2EE Engine is configured to support SSL.
● The public-key certificates belonging to the users exist as files in the file system with either the extension .crt (DER encoded or Base-64 encoded) or .cert (Base-64 encoded).
● The issuing CA’s root certificate either exists in the TrustedCAs view in the Key Storage service or it is available in the file system as a DER-encoded or Base-64-encoded certificate.
1. Using the Key Storage service, make sure the CA’s root certificate exists as a CERTIFICATE entry in the TrustedCAs view. If it is not already there, then import it into this view.
For more information, see Managing Entries.
2. Using the SSL Provider service:
a. Select whether the J2EE Engine should:
■ Request (but not require) that the user presents a client certificate for authentication.
■ Require that client certificates are to be used for authentication.
b. Import the CA’s root certificate into the Trusted Certification Authorities list. (Choose Add.)
See also Managing the Credentials and Trusted Certificates to Use SSL.
3. Configure ClientCertLoginModule for establishing the J2EE Engine user ID from the client certificate and filtering the provided certificates. For more information, see Modifying Client Certificate Authentication Options.
4. Adjust the login module stacks and configure the login modules for those applications that accept client certificates as the authentication mechanism.
● The selected applications accept client certificates for user authentication.
See also:
Managing Policy Configurations