0

We have an application running in WAS 8.5 server. The application has two external Service invocations, hitting 2 different third-party systems, in which one Service (Service2/Server2) requires Client Authentication.

Please refer the diagram for reference.

Server2 <-- Client --> Server1 Handshake Diagram

For Server1, we have shared a Client Certificate with them and the handshaking is perfect.

For Server2, which doesn't required Client Aunthentication, fails during handshaking. What we could find out that, during handshaking the server tries to authenticate the Client (Assuming that Client Authentication is SUPPORTED at Server2, but not REQUIRED). Since the Client KeyStore has the Client Certificate, it's being used for handshaking process, which is failing because this client certificate is not present at the Server2 Truststore.

My question is, whether is it possible to not send the Client Certificate to the Server2 even if the Server supports Client Authentication.

Hope this question is understandable.

Note1: We don't have any control over Server1 or Server2 and we don't expect any changes from these third-party Services to make this work.

Note2: Service2 works perfectly without Client Certificate in the Client Keystore. Please refer the diagram for Serer2-Client SSL Handshaking, which is perfectly working. Client --> Server2 Handshake Diagram

Expecting help from someone who is proficient in Websphere SSL configurations.

Thank you, Sanooj

Sanooj
  • 29
  • 1
  • 4

1 Answers1

0

In short:

You have to create 2 separate dynamic outbound SSL configs (see here for details) assuming your 2 external services have different URLs. The one that needs CertAuth will have cert in the keystore, the other will not have (you need 2 different SSL Configs).

Gas
  • 17,601
  • 4
  • 46
  • 93
  • Yes, 2 external services use different URLs. Let me try out by creating 2 separate outbounds.. Thank you. – Sanooj Aug 22 '18 at 06:24