Client authentication: IIS and WebSphere


Oliver Schoenhaar

Nov 29, 2006, 9:55:11 AM
We have WAS 6.1 and IIS 6.0. The IIS is configured for client authentication. Is there a way that the client certificate is sent to WebSphere, so that it can be compared to the keys in the WebSphere truststore?
Normally (If I'm correct) a client certificate is presented to IIS and if it's authenticated successfully the IIS certificate is sent to WebSphere by the IIS plugin. But not the original client plugin.

Paul Ilechko

Nov 29, 2006, 11:10:28 AM

No, the client cert from the browser is not sent to WAS, the plugin
extracts the DN from the cert and passes that as an HTTP header. It
really wouldn't make any sense to have end user certificates in the WAS
truststore anyway. It would be a huge maintenance issue and extremely
inflexible. SSL mutual authentication happens from IIS to WAS, and the
only signer cert that WAS needs in its truststore is the one for IIS.

Tom Sanders

Nov 30, 2006, 4:02:31 AM
Deselect the "integrated Windows authentication" option in the IIS website
properties - directory security - anonymous access and authentication
control.

Oliver Schoenhaar <oliver.s...@de.bosch.com> wrote in
news:781279901.1164812142...@ltsgwas010.sby.ibm.com:

cg...@paeria.es

Apr 15, 2007, 8:32:34 AM
But, if I am using OCSP to validate client certificates from inside WAS, I can't use this way when using the plugin. I thought that the plugin passes client certificates using reserved headers ($WSCC).

Paul Ilechko

Apr 15, 2007, 8:45:37 AM

It doesn't pass the actual certificate. By the time you get to WAS
you're not validating the client certificate (i.e. you're not comparing
signers with trust stores), all you're doing is validating that the user
identified by the DN is in your registry. That's a totally different
operation and has nothing to do with PKI.

WAS 6.1 supports OCSP, but not for client certs passed via the plugin;
it supports it for certs validated by the WAS trust manager. So for
example if you have an SSL connection from your web server to your app
server, WAS can do CRL checking on the web server's client cert (which
has nothing to do with the client certs of any browsers that access WAS
via the web server).
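The two-hop flow Paul describes, as an added model that is not code from the thread or from IBM: the web server terminates the browser's mutual TLS and the plugin forwards only the DN in a header; the application server trusts that header solely because the web server to app server connection is itself mutually authenticated, and then checks the DN against its user registry. The header name is the one mentioned in the thread, and the peer check, registry contents and DNs are constructed assumptions.

```python
"""Constructed model of DN propagation from a web server plugin to WAS.

Hop 1 (plugin_forward): the client certificate was already validated by the
web server; only the subject DN travels on to the app server, as a header.
Hop 2 (app_server_authenticate): no PKI work happens here. The app server
accepts the asserted DN only from the mutually authenticated plugin peer and
then resolves it against its user registry.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

DN_HEADER = "$WSCC"  # header name as mentioned in the thread (assumption)

# Identity the web server presents on the mutually authenticated
# web server -> app server TLS connection (constructed value).
TRUSTED_PLUGIN_PEER_DN = "CN=iis-frontend,O=Example"

# Constructed user registry: subject DN -> application user id.
USER_REGISTRY: Dict[str, str] = {
    "CN=alice,OU=Users,O=Example": "alice",
    "CN=bob,OU=Users,O=Example": "bob",
}


@dataclass
class Request:
    """A request as seen by the app server: who the TLS peer is, plus headers."""
    peer_dn: Optional[str]  # None when the connection was not mutually authenticated
    headers: Dict[str, str] = field(default_factory=dict)


def plugin_forward(client_subject_dn: str) -> Request:
    """Hop 1: forward the already-validated client's DN, not its certificate."""
    return Request(peer_dn=TRUSTED_PLUGIN_PEER_DN,
                   headers={DN_HEADER: client_subject_dn})


def app_server_authenticate(req: Request) -> Optional[str]:
    """Hop 2: map the asserted DN to a registry user, or return None.

    The header is meaningful only on the mutually authenticated plugin
    connection; from any other peer it is ignored rather than trusted.
    """
    if req.peer_dn != TRUSTED_PLUGIN_PEER_DN:
        return None
    asserted_dn = req.headers.get(DN_HEADER)
    if asserted_dn is None:
        return None
    # Registry lookup only: signers, CRLs and OCSP played no part on this hop.
    return USER_REGISTRY.get(asserted_dn)
```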
