
Using Self-signed Certificates for Mutual Authentication


Abstract

This Tip shows how to configure self-signed certificates with IBM GSKit for mutual client and server authentication. Self-signed certificates are used for authentication in the sample scenarios of the IBM Redbook "DCE Replacement Strategies", SG24-6935.


Using self-signed certificates with IBM GSKit
Using self-signed certificates simplifies the administration process by not involving a separate Certificate Authority (CA). Self-signed certificates can be used as regular certificates for authentication purposes (for people and systems), and, at the same time, they can be used as root certificates.

The work is divided among three roles.

The administrator:
  1. Creates a self-signed certificate with IBM GSKit for the client.
  2. Creates a self-signed certificate with IBM GSKit for the server.
  3. Imports the client’s self-signed certificate (as a root certificate) into the list of trusted CAs on the server’s GSKit.
  4. Imports the server’s self-signed certificate (as a root certificate) into the list of trusted CAs on the client’s GSKit.

The application administrator:
  1. Configures the application to use the specific certificate file(s) created by the administrator.
  2. Specifies which certificate from within the certificate file to use. (There can be multiple certificates in a certificate file.)
  3. (Optionally) Specifies certain encryption algorithms (cipher specs) for the SSL encryption.

The application programmer:
  1. Initializes and uses SSL for session initiation. (The details may vary, largely depending on the application.)
  2. After SSL session initiation on the receiving partner has occurred, extracts the required information from the partner’s certificate. Most often this is the subject DN.
  3. If required, looks up further information, such as group membership or authorization data of the subject, by calling additional services not provided by SSL and/or GSKit.
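The steps above, worked through as an added example that is not part of the Redbook: the OpenSSL command line stands in for GSKit (GSKit is not assumed to be installed), each party's self-signed certificate is imported as the other party's trusted root, verification is checked in both directions, and the subject DN is read from the peer certificate as the programmer step does. The names and DNs are constructed.

```shell
#!/bin/sh
# Added example: mutual trust between two self-signed certificates, using the
# OpenSSL CLI as a stand-in for GSKit. A PEM file of trusted certificates plays
# the role of the GSKit key database's list of trusted CAs.
set -eu

WORK=${WORK:-$(mktemp -d)}   # working directory for keys and certificates

# Administrator steps 1 and 2: create a self-signed certificate and key.
make_self_signed() {   # $1 = party name, $2 = subject DN (constructed values)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "$2" 2>/dev/null
}

# Administrator steps 3 and 4: import the partner's self-signed certificate
# as a root certificate into this party's list of trusted CAs.
trust_partner() {      # $1 = this party, $2 = partner whose certificate is trusted
    cat "$WORK/$2.crt" > "$WORK/$1.trusted-cas.pem"
}

# Verify a presented certificate against a party's trusted CAs; prints ok/fail.
# A self-signed certificate is accepted only if it is itself in the trust list.
verify_peer() {        # $1 = verifying party, $2 = party presenting its certificate
    if openssl verify -CAfile "$WORK/$1.trusted-cas.pem" "$WORK/$2.crt" >/dev/null 2>&1
    then echo ok
    else echo fail
    fi
}

# Programmer step 2: extract the subject DN from the partner's certificate.
subject_dn() {         # $1 = party whose certificate is read
    openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//'
}

# Build the layout: two self-signed certificates, each trusted by the other side.
make_self_signed client "/C=US/O=Example/CN=client1"
make_self_signed server "/C=US/O=Example/CN=server1"
trust_partner server client     # server trusts the client's certificate as a root
trust_partner client server     # client trusts the server's certificate as a root

echo "server verifies client: $(verify_peer server client)"
echo "client verifies server: $(verify_peer client server)"
echo "client subject DN: $(subject_dn client)"
```

For server-only authentication, as the note below describes, only the `trust_partner client server` import is needed.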

Note: This example shows mutual authentication. When only server authentication is required, only one self-signed certificate has to be created, for the server, and imported into the client’s GSKit.

As an alternative to self-signed certificates, some products, such as IBM WebSphere, ship with ready-to-use certificates that allow for a quick start of the product(s). These certificates are shipped in keyfiles, so the administrator does not have to import or otherwise deal with them. For a production environment, however, certificates from a CA are recommended.

Special Notices

This material has not been submitted to any formal IBM test and is published AS IS. It has not been the subject of rigorous review. IBM assumes no responsibility for its accuracy or completeness. The use of this information or the implementation of any of these techniques is a client responsibility and depends upon the client's ability to evaluate and integrate them into the client's operational environment.

Profile

Publish Date
19 June 2003

IBM Form Number
TIPS0205