Enable Client certificate authentication with IBM HTTP Server and WebSphere

Posted by eichelgartenweg on 3:08 PM with 5 comments
If you want to provide client certificate authentication for web apps deployed in WebSphere Application Server 6.1, you first need to edit the web.xml of the application.
You need to add a security-constraint:
<security-constraint id="SecurityConstraint_Test01">
  <web-resource-collection id="WebResourceCollection_TestOZ01">
    <web-resource-name>Test</web-resource-name>
    <description/>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>PUT</http-method>
    <http-method>HEAD</http-method>
    <http-method>POST</http-method>
    <http-method>DELETE</http-method>
    <http-method>OPTIONS</http-method>
  </web-resource-collection>
  <auth-constraint id="AuthConstraint_CognosOZ02">
    <description/>
    <role-name>Tester</role-name>
  </auth-constraint>
</security-constraint>
<login-config id="LoginConfig_1">
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>Testrealm</realm-name>
</login-config>
<security-role id="SecurityRole_MIS01">
  <description/>
  <role-name>Tester</role-name>
</security-role>
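One thing worth checking in a security-constraint like the one above: when a web-resource-collection enumerates http-method elements, only the listed methods are constrained, and any other method (TRACE, for example) reaches the application without client certificate authentication. The following audit script is an added example, not part of the original post; it parses a constructed web.xml modelled on the snippet above, verifies that the auth-method is CLIENT-CERT, and reports HTTP methods that fall outside an enumerated constraint.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the post's web.xml fragment wrapped in a <web-app> root
# so that it parses as a document (ids dropped for brevity).
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Test</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>PUT</http-method>
      <http-method>HEAD</http-method>
      <http-method>POST</http-method>
      <http-method>DELETE</http-method>
      <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Tester</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Testrealm</realm-name>
  </login-config>
</web-app>"""

# Methods a servlet container will route to the application. A constraint that
# lists <http-method> elements leaves every method NOT listed unconstrained.
KNOWN_METHODS = {"GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "TRACE", "PATCH"}

def audit_web_xml(xml_text):
    """Return a list of findings (strings); an empty list means nothing to report."""
    root = ET.fromstring(xml_text)
    for el in root.iter():  # drop any xmlns prefix so tag lookups are simple
        el.tag = el.tag.split("}")[-1]
    findings = []
    method = root.findtext("login-config/auth-method")
    if method != "CLIENT-CERT":
        findings.append(f"auth-method is {method!r}, expected CLIENT-CERT")
    for sc in root.findall("security-constraint"):
        if sc.find("auth-constraint/role-name") is None:
            findings.append("security-constraint without an auth-constraint role")
        for wrc in sc.findall("web-resource-collection"):
            name = wrc.findtext("web-resource-name")
            listed = {m.text.strip().upper() for m in wrc.findall("http-method")}
            if listed:  # explicit list: anything missing is not protected
                gap = sorted(KNOWN_METHODS - listed)
                if gap:
                    findings.append(f"{name}: methods not constrained: {gap}")
    return findings

if __name__ == "__main__":
    for finding in audit_web_xml(SAMPLE_WEB_XML):
        print("FINDING:", finding)
```

Leaving the http-method elements out of the web-resource-collection entirely constrains every method for the url-pattern, which is the simpler way to close this gap.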

After that you need to create a new virtual host in your IBM HTTP Server configuration.
To do that, edit the httpd.conf:
<VirtualHost <ip-address>:443>
  ServerName www.yourvh.host.com
  SSLEnable
  SSLClientAuth 2
  SSLServerCert <name of cert in key-db>
  <Directory "/">
    Options Indexes MultiViews
    Order allow,deny
    Allow from all
    SSLClientAuthRequire o="<needed dn>"
  </Directory>

  RequestHeader set HTTPS %{HTTPS}e
  RequestHeader set SSL_CIPHER %{SSL_CIPHER}e
  RequestHeader set SSL_CLIENT_CN %{SSL_CLIENT_CN}e
  RequestHeader set SSL_CLIENT_DN %{SSL_CLIENT_DN}e

  DocumentRoot /usr/IBM/HTTPServer/www-doc-root2/
</VirtualHost>

Then you need to add the root certificate of the certificates you want to use for authentication to the key database of your IBM HTTP Server.
1. Open the IBM Key Management utility ((i)keyman) and add the root certificate (e.g. o=host.com). Use the same name as in the httpd.conf (<name of cert in key-db>).
2. Save the changes to the key database.
3. Restart your IBM HTTP Server.

After that, edit the virtual host settings in WebSphere. In the administrative console go to Environment > Virtual Hosts and add the new Virtual Host (e.g. Certificate Host) with its host aliases.

The plugin-cfg.xml of your IBM HTTP Server should now be automatically updated with a new Virtual Host entry.

<VirtualHostGroup Name="Certificate Host">
  <VirtualHost Name="<host-alias1>:*" />
  <VirtualHost Name="<host-alias2>:*" />
</VirtualHostGroup>