Client Authentication with User Certificates

Posted by eichelgartenweg on 12:18 PM with No comments
If you are creating your own self-signed user certificates (with your own CA), you can easily edit the httpd.conf of your IBM HTTP Server to use these certificates for restricted access.
After adding a proper CA root cert (see this post), open the httpd.conf and edit one (or more) of your virtual hosts:

<VirtualHost <ip-address>:<port>>
ServerName <server name>
SSLEnable
SSLClientAuth 2
SSLServerCert <ssl server cert>
<Directory "/" >
Options Indexes MultiViews
Order allow,deny
Allow from all
SSLClientAuthRequire <your ca root dn>
</Directory>

RequestHeader set HTTPS %{HTTPS}e
RequestHeader set SSL_CIPHER %{SSL_CIPHER}e
RequestHeader set SSL_CLIENT_CN %{SSL_CLIENT_CN}e
RequestHeader set SSL_CLIENT_DN %{SSL_CLIENT_DN}e

DocumentRoot /usr/IBM/HTTPServer/www-doc-root2/
</VirtualHost>

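Add SSLClientAuth 2 to require client authentication.
Add SSLClientAuthRequire <your ca root dn> to a directory (/ for all directories).
The RequestHeader set lines pass the TLS and client certificate details on as request headers; set replaces any header of the same name that the client sent itself.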
Example: SSLClientAuthRequire o="ibm.com"
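
The following is an added example, not part of the original post: one way to create the CA and a user certificate the post assumes, and to confirm that the certificate chains to the CA and carries the O attribute that the example filter o="ibm.com" tests. It assumes the openssl command-line tool is used (the post does not name a tool); the function names, file names, CA name and lifetimes are constructed for illustration.

```shell
#!/bin/sh
# Added example; the directory layout, CA name, user name and 30-day
# lifetime are constructed for illustration.

# make_client_cert DIR ORG CN: create a test CA and one user certificate.
make_client_cert() {
    dir=$1; org=$2; cn=$3
    mkdir -p "$dir" || return 1
    # 1. Self-signed CA root. Its certificate (ca.crt) is what the web
    #    server must trust; ca.key never leaves the CA host.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/O=$org/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # 2. User key pair and certificate signing request.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=$org/CN=$cn" \
        -keyout "$dir/user.key" -out "$dir/user.csr" 2>/dev/null || return 1
    # 3. CA signs the request; the extensions limit the certificate to
    #    TLS client authentication.
    printf 'keyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
        > "$dir/ext.cnf"
    openssl x509 -req -sha256 -days 30 -in "$dir/user.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/ext.cnf" -out "$dir/user.crt" 2>/dev/null || return 1
}

# chain_ok DIR: succeeds if user.crt chains to ca.crt as a TLS client cert.
chain_ok() {
    openssl verify -purpose sslclient -CAfile "$1/ca.crt" "$1/user.crt" \
        >/dev/null 2>&1
}

# subject_org DIR: print the O= attribute of the user certificate subject.
subject_org() {
    openssl x509 -in "$1/user.crt" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*O=\([^,]*\).*/\1/p'
}
```

Call make_client_cert with a directory, the organization and the user name (for example make_client_cert ./pki ibm.com alice), then run chain_ok and subject_org on the same directory before handing the certificate to a user.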