在 Websphere Liberty 中设置 2 路 ssl 身份验证并验证它

Question

I am using https://github.com/TooTallNate/Java-WebSocket for my socket communication in my web server application.

I want to set up mutual authentication in my service. I have set the keystore and truststore in my server and client application. What I am not able to figure out is, do I need to change code to perform 2 way authentication? Right now I am able to confirm that the communication is happening over a secure channel. Is there anyway to verify that 2 way SSL authentication (mutual authentication) is happening? I am running my service on Websphere Liberty

Source for ssl communication in Java websockets: https://github.com/TooTallNate/Java-WebSocket/blob/Java-WebSocket-1.3.0/src/main/java/org/java_websocket/SSLSocketChannel2.java

I see that in Liberty I can request for a client side certificate https://www.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.wlp.doc/ae/twlp_sec_clientcert.html However why is it that I need to add the certificate in my browser? Shouldn't I be adding the client side certificate in my server's trust-store?

Answer 1

To enable client authentication or mutual authentication, you will need to enable clientAuthentication="true" as given in sample below on Liberty.

           <ssl id="myDefaultSSLConfig"
           keyStoreRef="defaultKeyStore"
           trustStoreRef="defaultTrustStore"
           clientAuthentication="true"
           sslProtocol="TLS" />

As mentioned on the above link, browser needs to either add or accept the server certificate and also the server needs to have signer certificate of the client. Both client and server needs to have trust established for mutual communication to work.

From above link: https://www.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.wlp.doc/ae/twlp_sec_clientcert.html

4. Add a client certificate to your browser. See the documentation of your browser for adding client certificates.
5. Make sure the server trusts any client certificates that are used.