-1

I'd like to turn on client authentication on WAS liberty profile so that the communication b/w the web server and the app server is in mutual SSL.

On IHS, I have a plugin file to FW the traffic to the app server in HTTPS with a keyring and stashfile. It is working and FW the traffic to the WLP.

On WLP's server.xml I turn on the client authentication to enforce the WLP to authenticate the certificate by giving clientAuthentication="true" in the <ssl> element. 

<ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" clientAuthentication="true" />

I try to validate this by directly hitting the app server using browser with https address (without any client certificate) and expected to get a access denied. And to access the app server via the app server should grant access if mutual SSL is up and running. However, both hitting the app server directly or via web server, I can access the resource.

This set up clearly isn't correct or not complete. Any thoughts?

Mr Lister
  • 45,515
  • 15
  • 108
  • 150
hls
  • 23
  • 5
  • Any chance you tested HTTP in your browser, or that you have some other ssl config defined for your endpoint so your default changes are not effective? – covener Feb 17 '16 at 16:27
  • Try to disable http endpoint by `httpPort="0"` to make sure you are accessing via SSL. – Gas Feb 17 '16 at 17:09
  • @covener - Thank you! no, https in the browser, no other config. This is a brand new server with minimal in there. Just to test the client authentication. – hls Feb 17 '16 at 19:05
  • @Gas Thank you! it is accessing via SSL. There's no httpPort specified in sever.xml – hls Feb 17 '16 at 19:06
  • The only documentation I can find online is http://www-01.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.wlp.nd.multiplatform.doc/ae/twlp_sec_clientcert.html Configuring your web application and server for client certificate authentication - I followed the "server" part and did not configure the web application part (like how I described in the question). I basically did the same for Websphere (using admin console) and it was working fine. Not liberty profile though. – hls Feb 17 '16 at 19:07

1 Answers1

0

I have it resolved. What I missed was the <sslOptionRef id="defaultSSLConfig" /> inside <httpEndpoint>. I was under impression that it would automatically pick up the olny one <ssl> element I defined in server.xml. But without the sslOptionRef, client authentication somehow doesn't work and does not authenticate the client.

Now with <sslOptionRef> defined in server.xml, the client authentication is working fine that I can only access the WLP app server via my web server in my browser in https.

hls
  • 23
  • 5