Configuring runtime security services for client certificate authentication

Configure the runtime security services to use client certificate authentication for the connection between WebSEAL and the Security Access Manager for Mobile appliance interface.

About this task

The provided steps are specific to Security Web Gateway Appliance version 7.0, but they also apply to the IBM Security Access Manager version 7.0 software product (WebSEAL).

Procedure

  1. Create a client certificate for user easusercert.
    1. In the local management interface, go to Secure Reverse Proxy Settings > Global Keys > SSL Certificates.
    2. Select the pdsrv certificate database.
    3. Click Manage > Edit SSL Certificate Database.
    4. Click Personal Certificates.
    5. Click New to create a new personal certificate.
    6. Provide the following information:
      • Certificate Label: easusercert
      • Certificate Distinguished Name: cn=easuser
      • Key Size: 2048
      • Expiration Time (in days): 365
    7. Click Save.
  2. Deploy pending changes. See Deploying pending changes.
  3. Restart your reverse proxy instances.
  4. Export the client certificate.
    1. Select the pdsrv certificate database.
    2. Click Manage > Edit SSL Certificate Database.
    3. Click Personal Certificates.
    4. Select the easusercert certificate you created.
    5. Click Manage > Export.
    6. Save the file.
  5. Import the exported personal certificate as a signer certificate on the appliance. The signer of the client certificate must be trusted by the appliance. Because the certificate is self-signed, importing easusercert itself as a signer certificate into the appliance establishes that trust.
    1. Click Manage System Settings > Secure Settings > SSL Certificates.
    2. Select the rt_profiles_keys certificate database.
    3. Click Manage > Edit SSL Certificate Database.
    4. Click Signer Certificates.
    5. Click Manage > Import.
    6. Click Browse.
    7. Browse to the directory that contains the file to be imported and select the file. Click Open.
    8. Click Import. A message that indicates successful import is displayed.
  6. Deploy pending changes. See Deploying pending changes.
  7. Configure the appliance for client certificate authentication.
    1. In the local management interface, go to Secure Mobile Settings > Runtime Parameters > Runtime Tuning Parameters.
    2. Select Accept Client Certificates.
    3. Click Edit and set the value as True.
  8. Restart the runtime.
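Before the exported file is imported as a signer in step 5, it is worth confirming that it really is the certificate created in step 1 (subject cn=easuser, self-signed, 2048-bit key, 365-day validity), since any certificate imported as a signer becomes trusted by the runtime. The following check is an added example, not part of the IBM procedure; it assumes openssl is on PATH and that the export was saved (or converted) as a PEM file, whose path is a placeholder.

```shell
#!/bin/sh
# Added example: sanity-check an exported easusercert PEM against the values
# entered in the procedure before importing it into rt_profiles_keys.
# Assumes openssl on PATH; the file path is whatever the export was saved as.

# Distinguished name of the subject or issuer in RFC 2253 form, label stripped.
cert_dn() {  # $1 = PEM file, $2 = -subject or -issuer
    openssl x509 -in "$1" -noout "$2" -nameopt RFC2253 2>/dev/null | sed 's/^[a-z]*= *//'
}

# check_easusercert FILE: returns 0 only when FILE is the expected client certificate.
check_easusercert() {
    f="$1"
    subject=$(cert_dn "$f" -subject)
    [ -n "$subject" ] || { echo "FAIL: $f is not a readable PEM certificate"; return 1; }

    # Certificate Distinguished Name was entered as cn=easuser.
    [ "$subject" = "CN=easuser" ] || { echo "FAIL: subject '$subject', expected CN=easuser"; return 1; }

    # Self-signed: issuer DN equals subject DN. This is why the same certificate
    # must also be imported as a signer on the appliance.
    issuer=$(cert_dn "$f" -issuer)
    [ "$issuer" = "$subject" ] || { echo "FAIL: issuer '$issuer' differs from subject; not self-signed"; return 1; }

    # Key Size was entered as 2048.
    openssl x509 -in "$f" -noout -text | grep -q 'Public-Key: (2048 bit)' \
        || { echo "FAIL: key is not 2048-bit"; return 1; }

    # Expiration Time was 365 days: the certificate must be valid now and must
    # expire within the next 366 days (-checkend exits 1 when it expires within N seconds).
    openssl x509 -in "$f" -noout -checkend 0 >/dev/null \
        || { echo "FAIL: certificate already expired"; return 1; }
    if openssl x509 -in "$f" -noout -checkend $((366 * 86400)) >/dev/null; then
        echo "FAIL: validity longer than 365 days"; return 1
    fi
    echo "OK: $f matches the easusercert parameters"
    return 0
}

# Placeholder path: replace with the exported certificate file.
[ -n "$1" ] && check_easusercert "$1"
```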

What to do next

Run the isamcfg tool and select Certificate authentication as the method of authentication between WebSEAL and the Security Access Manager for Mobile appliance interface. For more information, see isamcfg Security Access Manager appliance configuration worksheet.