Sun WebServer 2.1 Installation Guide

Enabling Client Authentication

You can use SSL as a method for authenticating client connections if clients have digital IDs. Currently Sun WebServer supports personal digital IDs from VeriSign. VeriSign offers three levels of personal digital ID, based on the strength of the key and the insurance protection:

You can configure an SSL web site to require client authentication and define which level(s) of personal IDs to accept.

To require client authentication for SSL
  1. Log in to Sun WebServer and go to the IP/Ports list for the server where the SSL-enabled web site is hosted.

  2. Select the SSL-enabled connection used by this web site, and click Edit.

    The Edit IP/Ports dialog appears.

  3. In the dialog, click the Require Client Certificate check box, and click OK.

  4. Choose Save from the Web Server menu to save the configuration.

  5. Return to the command line and become superuser.

  6. Run sslclauth once for each signer you want to enable or disable. The enabled CAs are added to the web site's trusted key list.

    The syntax for the command is:

    sslclauth -e | -d -i IP_Address Signer

    -d

    Disables access to clients with certificates signed by the Signer.

    -e

    Enables access to clients with certificates signed by the Signer.

    -i IP_Address

    Specifies the IP address of the SSL-enabled host.

    Signer

    Specifies the signer who has signed the personal digital certificate of the client. Sun WebServer supports only VeriSign personal digital IDs. VeriSign has three classes: Class1, Class2, or Class3. These vary based upon the strength of the key and the insurance protection.


    Note - The SSL script setup_client_auth has been renamed to sslclauth.
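
Step 6 as a script, added here as an example and not part of Sun WebServer: it prints (or, with APPLY=1, runs) one sslclauth command per VeriSign class, enabling the classes you accept and explicitly disabling the rest. It assumes the Signer argument is spelled Class1, Class2 or Class3 as in the text; the function names, the APPLY variable and the address 192.0.2.10 are hypothetical.

```shell
# Added example, not Sun's code. Assumption: the Signer argument is written
# exactly as the class names in the text: Class1, Class2, Class3.
ALL_SIGNERS="Class1 Class2 Class3"

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ip() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1; IFS=$old_ifs       # split on dots; input holds only digits and dots
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print one sslclauth command per class: -e for each accepted class and -d
# for the rest, so a class enabled by an earlier run does not stay trusted.
plan_sslclauth() {
    ip=$1; shift
    valid_ip "$ip" || { echo "invalid IP address: $ip" >&2; return 2; }
    for want in "$@"; do
        case "$want" in
            Class1|Class2|Class3) ;;
            *) echo "unknown signer: $want" >&2; return 2 ;;
        esac
    done
    for signer in $ALL_SIGNERS; do
        flag=-d
        for want in "$@"; do
            if [ "$want" = "$signer" ]; then flag=-e; fi
        done
        echo "sslclauth $flag -i $ip $signer"
    done
}

# Dry run by default; with APPLY=1 (as superuser, step 5) run each command.
# Usage: apply_sslclauth 192.0.2.10 Class2 Class3   (constructed address)
apply_sslclauth() {
    plan=$(plan_sslclauth "$@") || return
    printf '%s\n' "$plan" | while read -r cmd flag opt ip signer; do
        if [ "${APPLY:-0}" = 1 ]; then
            sslclauth "$flag" -i "$ip" "$signer" || exit 1
        else
            echo "would run: sslclauth $flag -i $ip $signer"
        fi
    done
}
```

Review the dry-run output first, then rerun with APPLY=1 from the superuser shell opened in step 5.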