Red Hat DocumentationFuse ESBToggle FramesPrintFeedback

Mutual Authentication

Overview

When an application is configured for mutual authentication, the target authenticates itself to the client and the client authenticates itself to the target. This scenario is illustrated in Figure 5 . In this case, the server and the client each require an X.509 certificate for the security handshake.

Figure 5. Mutual Authentication

both client and server authenticate with the other party

Security handshake

Prior to running the application, the client and server must be set up as follows:

During the TLS handshake, the server sends its certificate chain to the client, and the client sends its certificate chain to the server—see Figure 4 .

HTTPS example

On the client side, there are no policy settings required for mutual authentication. Simply associate an X.509 certificate with the client’s HTTPS port (see Specifying an Application’s Own Certificate). You also need to provide the client with a list of trusted CA certificates (see Specifying Trusted CA Certificates).

On the server side, in the server’s XML configuration file, make sure that the sec:clientAuthentication element is configured to require client authentication. For example:

<http:destination id="{Namespace}PortName.http-destination"> 
  <http:tlsServerParameters>
    ... 
    <sec:clientAuthentication want="true" required="true"/>
  </http:tlsServerParameters>
</http:destination>
      

Where the want attribute is set to true, specifying that the server requests an X.509 certificate from the client during a TLS handshake. The required attribute is also set to true, specifying that the absence of a client certificate triggers an exception during the TLS handshake.

It is also necessary to associate an X.509 certificate with the server’s HTTPS port (see Specifying an Application’s Own Certificate) and to provide the server with a list of trusted CA certificates (see Specifying Trusted CA Certificates).

Note

The choice of cipher suite can potentially affect whether or not mutual authentication is supported (see Configuring HTTPS Cipher Suites).

Comments powered by Disqus