iTP Secure WebServer System Administrator's Guide (Version 7.0)
Configuring for Secure Transport
iTP Secure WebServer System Administrator’s Guide—523346-012
certificate file (a plain text file). Add this certificate to the designated key
database file using the keyadmin utility.
For details about adding certificates using keyadmin, see Adding a Certificate to
the Key Database File on page 4-11.
Managing Client Authentication
For SSL 3.0 the server always authenticates itself to its clients. However, you can
configure the server to request or require the Web client to authenticate itself to the
server.
The AcceptSecureTransport configuration directive accepts two options for specifying
how the server controls client authentication:

-requestauth   The server requests that the Web client present a certificate,
               and the Web client can choose whether to do so.

-requireauth   The server requires that the Web client present its certificate
               and terminates the connection if the Web client declines.

Client authentication does not occur unless you specify either the -requestauth or
-requireauth option. With -requestauth, a Web client that presents no certificate is
still connected, so any access restriction has to be enforced in the Region
configuration directives. Specifying one of these options lets you use the Web client's
authentication information in Region configuration directives to restrict access to the
iTP Secure WebServer, either with the RequireSecureTransport -auth command or by
testing the specific Region variables that hold the client's certificate data and
restricting access based on their values.

After the iTP Secure WebServer requests and receives the Web client certificate from
the Web client, as either an individual certificate or a certificate chain, it performs
these steps for client authentication:

1. Builds an internal certificate chain from what the Web client returned (a single
certificate for SSL 2.0 or PCT, or a certificate chain for SSL 3.0).
2. Attempts to back-build the internal certificate chain by retrieving issuer certificates
from the certificate database and adding them to the internal chain. The chain is
extended until the server either retrieves a certificate that is marked as root in the
database or cannot find the issuer of the last certificate on the chain in the
database.
3. Verifies each certificate in the chain, starting with the leaf, checking that it is
well-formed, is within its validity period, follows the Basic Constraints and Key
Usage extension rules, and carries a valid signature from its successor (issuer) in
the chain.
4. Stores the results of this verification in the various Tool Command
Language/Common Gateway Interface (Tcl/CGI) variables.
5. Appends the appropriate log messages to the Extended Log File (ELF) entry.