Siebel CRM Siebel Security Guide
Siebel Innovation Pack 2017, Rev. A
E24814-01
Configuring TLS Mutual Authentication for SHA-2 Certificates Using EAI HTTP Transport

Mutual authentication is a process in which a connection between two parties is established only after each party has authenticated the other. In TLS mutual authentication, the client is authenticated to the server and the server is authenticated to the client during the TLS handshake.

Siebel supports server authentication. Client authentication is supported for TLS-based communications using the EAI HTTP Transport business service, and for workflows or outbound Web service calls that call the EAI HTTP Transport business service. In previous releases, client authentication was supported only with SHA-1; it is now also supported with SHA-2 (that is, TLS v1.2).

If you choose to enable client authentication, then the Siebel Server presents a client certificate to an external Web server by supplying values for the HTTPCertSerialNo and HTTPCertAuthority EAI HTTP Transport parameters. The following procedure describes how to configure client authentication using the EAI HTTP Transport business service.

This task is a step in "Process of Configuring Secure Communications".

To configure client authentication with SHA-2 certificates using EAI HTTP Transport 

  1. Obtain the following files, according to the operating system you are using, and install them on Siebel Server:

    • For Microsoft Windows operating systems:

      • A certificate authority file.

      • A client certificate file that is in PKCS#12 format.

    • For non-Windows operating systems:

      • Import the client certificate into the keystore JKS file.

      • Import the CA certificate into the truststore JKS file.

        For information on how to import certificates into JKS files, see Siebel Installation Guide for the operating system you are using.

      • Make sure that the CONTAINERURL parameter for the OUTBOUNDSHA2 named subsystem has the correct HTTP port number of the application container running on Siebel Server, using the command:

        list parameter for the named subsystem OUTBOUNDSHA2
        

        For example:

        CONTAINERURL value http://localhost:9001/siebel/outboundeai
        
      • Assign the subsystem name to the EAIOutboundSubSys parameter of the component used, using the following command for example:

        change param EAIOutboundSubSys=OUTBOUNDSHA2 for comp eaiObjMgr_enu
        
      • Restart Siebel Server before testing SHA-2 using EAI HTTP Transport.

    For information on installing certificate files, see "Installing Certificate Files".

  2. Configure the Web server for client authentication.

    For information on configuring client authentication on the Web server, refer to your Web server vendor documentation.

  3. Provide client authentication information by specifying values for the following EAI HTTP Transport parameters:

    • HTTPCertSerialNo. Specify the client certificate serial number. This is a hexadecimal string that cannot contain spaces.

    • HTTPCertAuthority. Specify the name of the authority that issued the client certificate. The issuing authority name must be in FQDN format and is case sensitive.

    The certificate authority and serial number details are displayed on the certificate, which you can view using your browser (Windows) or the mwcontrol utility (UNIX).

    The EAI HTTP Transport business service can be called directly or indirectly.

    • If the EAI HTTP Transport business service is invoked directly by an eScript script or workflow, then you can specify the HTTPCertSerialNo and HTTPCertAuthority parameters using the Set Property method of the business service call. For additional information, see Transports and Interfaces: Siebel Enterprise Application Integration.

    • If the EAI HTTP Transport business service is invoked indirectly by an outbound Web service, then you can specify the HTTPCertSerialNo and HTTPCertAuthority parameters as input arguments for the outbound Web Service Dispatcher. For additional information, see Integration Platform Technologies: Siebel Enterprise Application Integration.
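The two values set in Step 3 must match the client certificate exactly, but certificate viewers usually print the serial number as byte pairs separated by spaces or colons, which the HTTPCertSerialNo parameter rejects. The following Python helper is an added example (not code from Siebel or this guide): it takes the serial number and issuer name as a viewer displays them (constructed sample values) and returns them in the form the HTTPCertSerialNo and HTTPCertAuthority parameters expect; the hostname-label check it applies for "FQDN format" is the example's own interpretation.

```python
import re

# Hostname-style label check used to interpret the guide's "FQDN format" (assumption).
# The issuer name is case sensitive, so it is validated but its case is never changed.
_FQDN_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def normalize_cert_serial(displayed_serial: str) -> str:
    """Return the serial number as a hexadecimal string with no spaces.

    Viewers show the serial as byte pairs separated by spaces (Windows
    certificate viewer) or colons (OpenSSL-style output); HTTPCertSerialNo
    must contain only the hex digits, so separators and whitespace are removed.
    """
    serial = re.sub(r"[\s:]", "", displayed_serial)
    if not serial or not re.fullmatch(r"[0-9A-Fa-f]+", serial):
        raise ValueError(f"serial number is not hexadecimal: {displayed_serial!r}")
    return serial


def validate_cert_authority(issuer_name: str) -> str:
    """Check that the issuer name looks like an FQDN; return it unchanged."""
    name = issuer_name.strip()
    labels = name.split(".")
    if len(labels) < 2 or not all(_FQDN_LABEL.match(label) for label in labels):
        raise ValueError(f"issuer name is not in FQDN format: {issuer_name!r}")
    return name


def eai_http_transport_cert_params(displayed_serial: str, issuer_name: str) -> dict:
    """Build the two EAI HTTP Transport input arguments for client authentication."""
    return {
        "HTTPCertSerialNo": normalize_cert_serial(displayed_serial),
        "HTTPCertAuthority": validate_cert_authority(issuer_name),
    }


if __name__ == "__main__":
    # Constructed sample values, as a certificate viewer might display them.
    print(eai_http_transport_cert_params("00 a1 b2 c3 d4 e5", "ca.example.com"))
```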