Sun WebServer Installation Guide

Enabling Client Authentication

You can use SSL as a method for authenticating client connections if clients have digital IDs. Currently Sun WebServer supports personal digital IDs from VeriSign. VeriSign offers three levels of personal digital ID, based on the strength of the key and the insurance protection:

You can configure an SSL web site to require client authentication and define which level(s) of personal IDs to accept.

To require client authentication for SSL
  1. Log in to the Sun WebServer Administration Console and go to the IP/Ports list for the server where the SSL-enabled web site is hosted.

  2. Select the SSL-enabled connection used by this web site, and click Edit.

    The Edit Network Connections dialog opens.

  3. In the dialog box, click on the "Require Client Certificate" box, then click OK.

  4. Choose Selected->Save IP/Ports to save the configuration.

  5. Return to the command line and become superuser.

  6. Run setup_client_auth to enable or disable each signer. The syntax for the command is:

    setup_client_auth { -e | -d } -i IP_Address Signer

    The -e flag enables, and the -d flag disables, access for clients whose certificates are signed by Signer. IP_Address is the IP address of the SSL-enabled web site.

    Signer can be one of the VeriSign classes: Class1, Class2, or Class3.

    Run setup_client_auth multiple times to enable or disable multiple signers. The enabled CAs are added to the web site's trusted key list.
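
Because each signer needs its own setup_client_auth run, it helps to write out the full set of commands for a site before executing them as superuser. The following is an added example, not part of Sun WebServer or this guide: plan_client_auth is a hypothetical helper that validates its input and prints, without running, one command per VeriSign class. It assumes that running -d for a signer that is not currently enabled is harmless, and the IP address is a constructed documentation address.

```shell
#!/bin/sh
# Added example. plan_client_auth is a hypothetical helper, not part of
# Sun WebServer. It prints (never runs) one setup_client_auth command per
# VeriSign class so the plan can be reviewed before running it as superuser.
# Assumption: running -d for a signer that is not currently enabled is harmless.

# usage: plan_client_auth IP_Address "ACCEPTED_SIGNERS"
plan_client_auth() {
    ip=$1
    norm=" "

    # Accept only a dotted-quad IPv4 address with octets 0-255.
    case $ip in
        ""|*[!0-9.]*|.*|*.|*..*) echo "bad IP address: $ip" >&2; return 2 ;;
    esac
    # Validate the accepted signers against the classes the guide names.
    for s in $2; do
        case $s in
            Class1|Class2|Class3) norm="$norm$s " ;;
            *) echo "unknown signer: $s" >&2; return 2 ;;
        esac
    done
    # Helper policy: refuse a plan that would trust no signer at all.
    [ "$norm" != " " ] || { echo "no signer accepted" >&2; return 2; }

    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || { echo "bad IP address: $ip" >&2; return 2; }
    for octet in "$@"; do
        case $octet in ????*) echo "bad IP address: $ip" >&2; return 2 ;; esac
        [ "$octet" -le 255 ] || { echo "bad IP address: $ip" >&2; return 2; }
    done

    # Emit an explicit enable or disable for every class, so the trusted
    # key list ends up matching the accepted set exactly.
    for signer in Class1 Class2 Class3; do
        case $norm in
            *" $signer "*) flag=-e ;;
            *)             flag=-d ;;
        esac
        echo "setup_client_auth $flag -i $ip $signer"
    done
}

# Constructed sample: 192.0.2.10 is a documentation address, not a real site.
plan_client_auth 192.0.2.10 "Class2 Class3"
```

Review the printed commands, then run them from the superuser shell described in step 5.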