I am trying to configure my Liberty server for client certificate authentication following these steps: http://www.ibm.com/support/knowledgecenter/SS7K4U_liberty/com.ibm.websphere.wlp.zseries.doc/ae/twlp_sec_clientcert.html

My liberty configuration:

<server description="new server">
    <!-- Enable features -->
    <featureManager>
        <feature>webProfile-7.0</feature>
        <feature>restConnector-1.0</feature>
        <feature>localConnector-1.0</feature>
        <feature>monitor-1.0</feature>
        <feature>jsp-2.3</feature>
        <feature>adminCenter-1.0</feature>
        <feature>ssl-1.0</feature>
    </featureManager>

    <!-- To access this server from a remote client add a host attribute to the following element, e.g. host="*" -->
    <httpEndpoint id="defaultHttpEndpoint"
                  httpPort="9081"
                  httpsPort="9444" />

    <application id="Sample" name="Sample" type="war" location="Sample.war"/>
    <keyStore id="defaultKeyStore" location="key.jks" type="JKS" password="{xor}EzY9Oi0rJg==" />
    <keyStore id="defaultTrustStore" location="truststore.jks" type="JKS" password="{xor}EzY9Oi0rJg==" />
    <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" clientAuthenticationSupported="true"/>
    <webAppSecurity allowFailOverToBasicAuth="true" />

    <auth-method>CLIENT-CERT</auth-method>
    <basicRegistry id="basic">
        <user identity="CN=Admin,O=myOrg,C=country" name="Admin" password="admin" />
    </basicRegistry>

    <administrator-role>
        <user>Admin</user>
    </administrator-role>

</server>

From the Java client I get: CWWKX0229E: There was a problem with the user credentials provided. The server responded with code 401 and message 'Unauthorized'

I think my user mapping is wrong. Can somebody give me an example of how to map a client certificate to a Liberty user?

VytautasN
  • 21
  • 3

1 Answer

Is the intent to log in to the web application using the certificate rather than user/password? You need to define CLIENT-CERT in web.xml. You will have to install the certificate in the browser from which the application will be accessed. Also, the Liberty server will need to have the signer certificate in the trust store. You may also define a certificate filter if the certificate DN name does match exactly to a registry user.

The command below can be added to server.xml so that basic authentication can be used if client certificate authentication does not succeed.

You may also want to confirm that your application does work with basic authentication.

More details at: http://www.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.wlp.doc/ae/twlp_sec_clientcert.html

M. Tamboli
  • 386
  • 1
  • 6
  • I have a requirement from a customer to use certification. And yes, it works with basic authentication. Is it possible to have the administrator role using client certificate authentication? – VytautasN Jan 11 '17 at 15:49
  • If you are using your own web app for client-cert login, you will not need administrator-role but the role your application defined. If you are trying to use certificate login with admin center, I doubt it will work. – M. Tamboli Jan 11 '17 at 17:39
  • However, you may want client authentication/mutual SSL by setting clientAuthentication="true", in this case the server requests that a client sends a certificate. However, if the client does not have a certificate, or the certificate is not trusted by the server, the handshake does not succeed. In this case, you still need to login with user/password though. – M. Tamboli Jan 11 '17 at 17:46
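The answer says CLIENT-CERT belongs in web.xml and that the certificate has to resolve to a registry user; the question's server.xml puts `<auth-method>` at the top level, where Liberty does not read it. The following is an added example (not code from the question, the answer, or IBM's documentation) of how the two files fit together for the Sample.war in the question. Assumed names: the role `admin`, the URL pattern `/*`, and the password placeholder; the user name `Admin` and the DN `CN=Admin,O=myOrg,C=country` are taken from the question. It rests on the basic registry matching the certificate's subject CN against the user's `name`, which is why the user is called `Admin` and not given by its full DN.

```xml
<!-- File 1: WEB-INF/web.xml inside Sample.war.
     Asks the container for CLIENT-CERT authentication and protects the URLs
     with a role. Role name "admin" and url-pattern "/*" are assumptions. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Whole application</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
        <!-- A client certificate is only presented during the TLS handshake,
             so plain HTTP requests are redirected to the httpsPort. -->
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- This is where CLIENT-CERT goes, not in server.xml. -->
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
    </login-config>

    <security-role>
        <role-name>admin</role-name>
    </security-role>
</web-app>

<!-- File 2: the server.xml elements that map certificate -> user -> role.
     The basic registry looks the user up by the CN of the certificate's
     subject DN, so for CN=Admin,O=myOrg,C=country the user name must be
     exactly "Admin". The password value is a placeholder. -->
<basicRegistry id="basic">
    <user name="Admin" password="REPLACE_WITH_ENCODED_PASSWORD" />
</basicRegistry>

<!-- Same ssl element as in the question: the server may ask for a client
     certificate, and the signer of that certificate must be in truststore.jks. -->
<ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore"
     trustStoreRef="defaultTrustStore" clientAuthenticationSupported="true" />

<!-- Optional, as the answer suggests: fall back to user/password when no
     usable certificate is presented. -->
<webAppSecurity allowFailOverToBasicAuth="true" />

<!-- Bind the application's role to the registry user. The
     administrator-role element in the question is for the Admin Center and
     the REST connector, not for roles defined by your own web.xml. -->
<application id="Sample" name="Sample" type="war" location="Sample.war">
    <application-bnd>
        <security-role name="admin">
            <user name="Admin" />
        </security-role>
    </application-bnd>
</application>
```

Two checks worth doing if the 401 persists: confirm with `keytool -list -keystore truststore.jks` that the CA that issued the client certificate is present, and confirm that the certificate's subject CN is spelled exactly like the registry user name, including case. If the fall-back to basic authentication works but certificate login still fails, the problem is in that mapping rather than in the TLS handshake.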