8.6 Setting Up Mutual SSL Authentication

Mutual authentication is used when a user is issued a certificate from a trusted source. The certificate identifies the user in some way. To ensure the validity of X.509 certificates, Access Manager supports both Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP) methods of verification.

SSL provides:

Mutual SSL provides the same things as SSL, with the addition of authentication and nonrepudiation of the client, using digital signatures.

  1. Set up Access Manager certificates for security, and import them into the Access Manager system. (See Section 24.1, Creating Certificates.)

  2. Create an X.509 authentication class. (See Section 8.2.3, Creating an X.509 Authentication Class.)

  3. Create an authentication method using this class. (See Section 8.3, Configuring Authentication Methods.)

  4. Create an authentication contract using the X.509 method. (See Section 8.4, Configuring Authentication Contracts.)

  5. Update any associated Access Gateways to read the new authentication contract. (See Section 13.4, Configuring Protected Resources.)

  6. Update the Identity Server cluster configuration. (See Section 3.2.1, Updating an Identity Server Configuration.)
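To make concrete what a server must do with a client certificate under mutual SSL, here is an added Go example (not part of this guide and not Access Manager's own code) that chains a client certificate to a trusted CA, requires the clientAuth usage, and then applies the CRL check described above, failing closed when the CRL is not CA-signed or is past its NextUpdate. The CA, the user name "alice", the serial numbers and the validity times are all constructed for the example; the OCSP path is not shown.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
// verifyClient mirrors a mutual-SSL server's checks on a client certificate: chain to the trusted CA for clientAuth, then a CA-signed, current CRL without its serial.
func verifyClient(client, ca *x509.Certificate, crlDER []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := client.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil && (crl.CheckSignatureFrom(ca) != nil || time.Now().After(crl.NextUpdate)) {
		err = errors.New("CRL is not signed by the CA or is stale") // fail closed: doubtful revocation data never means "not revoked"
	}
	for i := 0; err == nil && i < len(crl.RevokedCertificates); i++ {
		if crl.RevokedCertificates[i].SerialNumber.Cmp(client.SerialNumber) == 0 {
			err = errors.New("client certificate is revoked")
		}
	}
	return err
}

// scenario: constructed CA and client cert (fixture, so errors are ignored); verify against a CRL revoking another serial, then one revoking the client's.
func scenario() (before, after error) {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	ca, _ := x509.ParseCertificate(caDER)
	userTmpl := &x509.Certificate{SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "alice"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	userDER, _ := x509.CreateCertificate(rand.Reader, userTmpl, ca, &userKey.PublicKey, caKey) // issued to the user by the CA
	user, _ := x509.ParseCertificate(userDER)
	publish := func(serial *big.Int) []byte { // the CA signing a fresh CRL that revokes one serial number
		der, _ := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now,
			NextUpdate: now.Add(time.Hour), RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: serial, RevocationTime: now}}}, ca, caKey)
		return der
	}
	return verifyClient(user, ca, publish(big.NewInt(7))), verifyClient(user, ca, publish(user.SerialNumber))
}
```

Note that `x509.Certificate.Verify` does no revocation checking of its own, which is why the CRL lookup is explicit here; a deployment that relies on CRLs must also refresh them before NextUpdate or every client will be refused.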