I recently learned something about SSL junctions and ‘mutual authentication’ so I thought that it would be worth writing about it.
1. Starting with the basics: to set up any SSL junction, the certificate of the Certification Authority that signed the back-end web server's certificate needs to be loaded into the WebSEAL certificate key database (‘pdsrv’ by default). The easiest way to do this is usually as follows: on the ISAM LMI click Manage System Settings -> Secure Settings: SSL Certificates, and the SSL Certificates page will be displayed. Select ‘pdsrv’; click Manage -> Edit SSL Certificate Database; ensure that the ‘Signer Certificates’ tab is selected; click Manage -> Load; specify the server details and an arbitrary label; click Load, and WebSEAL will load the CA signer certificate into the ‘pdsrv’ SSL certificate database. Deploy the change and restart WebSEAL.
This doesn’t always work. If, when you try to create a junction, you get this message:
System Warning DPWWA1222E A third-party server is not responding. Possible causes: the server is down, there is a hung application on the server, or network problems. This is not a problem with the WebSEAL server. DPWIV1216E The junctioned server presented an invalid certificate. DPWWM1432W NOTE: Ensure the CA root certificate used to sign the junctioned server certificate is installed in the WebSEAL certificate key database. Created junction at <junction name>
then do the following: using a browser, find the security details of the server certificate and its certification path (usually by clicking the padlock symbol in the browser). Find the root certificate in the certification path and copy it to a file as either ‘DER encoded binary X.509 (.CER)’ or ‘Base-64 encoded X.509 (.CER)’. Then on the ISAM LMI click Manage System Settings -> Secure Settings: SSL Certificates, and the SSL Certificates page will be displayed. Select ‘pdsrv’; click Manage -> Edit SSL Certificate Database; ensure that the ‘Signer Certificates’ tab is selected; click Manage -> Import, then specify the file containing the exported certificate and an arbitrary label. Deploy the change and restart WebSEAL.
2. If you want WebSEAL to send a client certificate to the back-end web server (referred to as ‘mutual authentication’), it is necessary to specify -K “<key-label>” when creating the junction, where ‘<key-label>’ is the key-label of the required personal certificate in the ‘pdsrv’ SSL certificate database.
3. If you specify -K “<key-label>” but do not specify -D “<DN>”, this is a valid configuration, but the WebSEAL logs will contain many entries similar to the following:
DPWIV1212W No server DN is defined for '<junctioned server>'. The junctioned server DN verification is not performed.
There are two options as to what to do about this:
(a) These messages can be suppressed by setting the following in the WebSEAL configuration file:
enable-duplicate-ssl-dn-not-found-msgs = no
(b) Alternatively, the cause of the messages can be removed by using the -D “<DN>” switch to specify the DN expected to be received from the junctioned web server. The latter option enhances the security of the SSL mutual authentication, because WebSEAL then verifies the DN of the junctioned server’s certificate rather than skipping that check. It’s amazingly easy to determine what the -D “<DN>” switch should be set to: simply specify a random value (e.g. -D “abc”) when creating/updating the junction, and the response will be similar to the following:
DPWWA1222E A third-party server is not responding. Possible causes: the server is down, there is a hung application on the server, or network problems. This is not a problem with the WebSEAL server. DPWIV1218E Error in junctioned server DN verification. DPWWM1472I The specified DN for the junctioned server certificate is incorrect. The recorded DN should be "CN=xxx,O=yyy,C=zz"
The DN reported in the error message can then be used to update the junction definition.
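Two of the checks above can also be done offline with openssl before the junction is touched: confirming that the certificate about to be imported into ‘pdsrv’ really is the signer of the back-end server’s certificate (section 1), and reading the DN that -D should carry (section 3). The following is an added example, not code from the original post; the host name backend.example.com, the junction /app, the WebSEAL instance name default-webseald-isam and the key label webseal-client are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): offline helpers for the signer
# check and the -D value, plus the pdadmin command those values feed into.
# Hypothetical names: backend.example.com, /app, default-webseald-isam, webseal-client.
set -eu

# Subject DN of a PEM certificate in the CN-first order ("CN=xxx,O=yyy,C=zz")
# that the DN quoted in DPWWM1472I uses.
cert_subject_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Succeeds if the signer certificate in $1 validates the server certificate
# in $2. A signer that fails this check will not cure DPWIV1216E when loaded
# into pdsrv (for example the server's own certificate instead of its CA).
signer_validates() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Save each certificate a live server presents as cert-1.pem, cert-2.pem, ...
# under directory $3 (network; not exercised by the test). Servers often omit
# the root, so if the last file is only an intermediate, take the root from the
# browser's certification path as described above.
fetch_server_chain() {
    mkdir -p "$3"
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
      | awk -v dir="$3" '
          /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem"; inside = 1 }
          inside { print > f }
          /-----END CERTIFICATE-----/ { inside = 0; close(f) }'
}

# The pdadmin "server task" command that creates the mutually authenticated
# junction; printed so it can be pasted into a pdadmin session.
# Arguments: instance host port key-label expected-DN junction-point
junction_command() {
    printf 'server task %s create -t ssl -h %s -p %s -K "%s" -D "%s" %s\n' \
        "$1" "$2" "$3" "$4" "$5" "$6"
}

# Typical use (commented out because it needs the real back-end host):
# fetch_server_chain backend.example.com 443 /tmp/chain
# signer_validates /tmp/chain/cert-2.pem /tmp/chain/cert-1.pem && echo "signer OK"
# junction_command default-webseald-isam backend.example.com 443 webseal-client \
#     "$(cert_subject_dn /tmp/chain/cert-1.pem)" /app
```

If the DN openssl prints and the one WebSEAL quotes in DPWWM1472I ever differ in formatting, the value WebSEAL reports is the one to put in -D.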
I hope that this is of use to someone – Vaughan