Requiring Client Authentication (Sun Java System Web Server 6.1 SP12 Administrator's Guide)

Sun Java System Web Server 6.1 SP12 Administrator's Guide

Requiring Client Authentication

You can enable the listen sockets for your Administration Server and each server instance to require client authentication. When client authentication is enabled, the client’s certificate is required before the server sends a response to a query.

The Sun Java System Web Server supports authenticating client certificates by matching the CA in the client certificate with a CA trusted for signing client certificates. You can view a list of CAs trusted for signing client certificates the Manage Certificates page under Security in the Administration Server. There are four types of CAs:

Untrusted CA (not matched)
Trusted Server CA (not matched)
Trusted Client CA (matched)
Trusted Client/Server CA (will be matched)

You can configure the web server to refuse any client that does not have a client certificate from a trusted CA. To accept or reject trusted CAs, you must have set client trust for the CA. For more information, see Managing Certificates.

The Sun Java System Web Server logs an error, rejects the certificate, and returns a message to the client if the certificate has expired. You can view a list of certificates that have expired in the Administration Servers Manage Certificates page.

You can configure your server to collect information from the client certificate and match it with a user entry in an LDAP directory. This ensures that the client has a valid certificate and an entry in the LDAP directory, and also ensure that the client certificate matches the one in the LDAP directory. To learn how to do this, see Mapping Client Certificates to LDAP.

You can combine client certificates with access control. In addition to being from a trusted CA, the user associated with the certificate must match the access control rules (ACLs). For more information, see Using Access Control Files.

You can also process information from client certificates. For more information, see the Sun Java System Web Server 6.1 SP12 NSAPI Programmer’s Guide.

To Require Client Authentication

To require client authentication, perform the following steps:

To require client authentication

Access either the Administration Server or the Server Manager and choose the Preferences tab.

From the Server Manager you must first select the server instance from the drop-down list.

Click the Edit Listen Sockets link.

The Edit Listen Sockets page appears.

Click the Listen Socket Id link corresponding to the listen socket you are requiring client authentication for.

The Edit Listen Socket page appears.

To require client authenticate for the listen socket, select Required from the Client Authentication drop-down list.

Click OK.

From the Server Manager, click Apply, and then Restart for changes to take effect.

Note –
Currently, there is a single certificate trust database per web server instance. All the secure virtual servers running under that server instance share the same list of trusted client CAs. If two virtual servers require different trusted CAs, then these virtual servers should be run in different server instances with separate trust databases.