Client authentication: IBM HTTP Server
System Administration IBM HTTP Server documentation

Client Authentication


The server supports three levels of client authentication and two types of access control, based on client certificate information.

Levels of client authentication

The level is set with the SSLClientAuth directive:


A second argument, "crl", can be added so that client certificates are also checked against a Certificate Revocation List. For example:
SSLClientAuth 1 crl

Choosing the "Required" level

If you choose the Required level of client authentication, the secure server requests a certificate from all clients making an HTTPS request. The server validates clients by checking for a trusted CA root certificate in the local key database. A trusted CA root certificate is a certificate signed by a certificate authority that is designated as a trusted CA on your server.

The server establishes a secure connection if the client has a valid certificate. The server denies the request if the client has an expired certificate, or if the certificate is signed by a certificate authority (CA) that is not designated as a trusted CA on the server.

Keep in mind that SSL client authentication increases network traffic.

Choosing the "Optional" level

If you choose the Optional level, the server requests a client certificate. If the client does not provide a certificate, a secure connection is still established. The server denies the request if the client has provided an expired certificate, or if the certificate is signed by a certificate authority (CA) that is not designated as a trusted CA on the server.

Keep in mind that SSL client authentication increases network traffic.

Choosing "None"

If you choose None, the secure server does not request certificates from clients.

Access Control Types

The access control type is set with the SSLFakeBasicAuth or SSLClientAuthRequire directives.

Note: SSLClientAuthRequire is the preferred type of client authentication.

SSLFakeBasicAuth directive

The use of SSLFakeBasicAuth is not recommended. Password files generated for use with Apache SSL code, or mod_ssl and Apache, do not work with IBM HTTP Server because the format of the distinguished name is different.

The SSLFakeBasicAuth type is a very simplistic method of performing client authentication. If you specify SSLFakeBasicAuth, the client certificate distinguished name and the fixed password ("password") are Base64-encoded and placed in the Authorization header. Put the mod_ibm_ssl module first in the module list so that subsequent authentication modules have the fake basic authentication user ID and password available. Be aware that ordinary basic authentication within that virtual host will not work, because the user ID and password supplied by a user are overwritten by the client distinguished name and the password (which is "password").

To display the distinguished name from a client certificate, create a CGI program to print out the SSL_CLIENT_DN environment variable.

SSLClientAuthGroup directive

This directive lets you specify a logical expression over specific client certificate attributes and name it as a single unit. A named group can then grant clients whose certificates match that set of attributes access to multiple objects on the server.

The syntax is SSLClientAuthGroup name expression, where name is the group name and expression is the attribute expression.

Use parentheses to group comparisons. If the value of the attribute contains a non-alphanumeric character, delimit the value with quotes.

Valid attributes are:

     CommonName 
     Country 
     Email 
     Group
     IssuerCommonName 
     IssuerCountry
     IssuerEmail 
     IssuerLocality 
     IssuerOrg 
     IssuerOrgUnit 
     IssuerStateOrProvince 
     Locality 
     Org 
     OrgUnit 
     StateOrProvince 

These short names are also valid:

     CN, C, E, G, ICN, IC, IE, IL, IO, IOU, IST, L, O, OU, ST 

SSLClientAuthRequire directive

The more extensive SSLClientAuthRequire support allows the webmaster to define logical expressions containing the x509 attributes. These logical expressions are compared with the client certificate information to either grant or deny access to an object. Before processing can occur, however, GSK first validates the client certificate to ensure that it has been signed by a trusted certificate authority.

The SSLClientAuthRequire directive allows a webmaster to build a logical expression consisting of attribute checks linked with AND, OR, and NOTs. Parentheses are also allowed. For example:

SSLClientAuthRequire (CommonName = "Fred Smith" OR CommonName = "John Deere") AND Org = IBM

This means that the object is not served unless the client certificate contains a common name of either Fred Smith or John Deere and the organization is IBM.

For the attribute checks, the only valid comparisons are equal and not equal (= and !=). Each attribute check can be linked with AND, OR, or NOT (also &&, ||, and !). When multiple SSLClientAuthRequire directives are specified for one resource, the effect on the resource is as if the values are joined by Boolean AND operators.

Use parentheses to group comparisons. If the value of the attribute contains a non-alphanumeric character, delimit the value with quotes.

Valid attributes are:

     CommonName 
     Country 
     Email 
     IssuerCommonName 
     IssuerCountry
     IssuerEmail 
     IssuerLocality 
     IssuerOrg 
     IssuerOrgUnit 
     IssuerStateOrProvince 
     Locality 
     Org 
     OrgUnit 
     StateOrProvince 

These short names are also valid:

     CN, C, E, ICN, IC, IE, IL, IO, IOU, IST, L, O, OU, ST 
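The httpd.conf fragment below is an added example, not taken from the IBM documentation, showing the SSLClientAuthGroup and SSLClientAuthRequire directives above combined with the Required level and CRL checking on one virtual host. It assumes that SSLClientAuth 2 selects the Required level, that a named group is referenced through the Group attribute, and that the module path, key database path, host name and DN values are placeholders to be replaced.

```apache
# Added illustrative httpd.conf fragment (not from the IBM documentation).
# Paths, host names and DN values are placeholders.
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so

Listen 443
<VirtualHost *:443>
    ServerName www.example.com
    SSLEnable
    # Key database (placeholder path) holding the server certificate and the
    # CA root certificates designated as trusted for client certificates.
    Keyfile /opt/IBM/HTTPServer/keys/key.kdb

    # Required level (assumed to be level 2): every HTTPS client must present
    # a certificate chaining to a trusted CA in the key database. "crl" also
    # rejects certificates listed in the Certificate Revocation List.
    SSLClientAuth 2 crl

    # Name a reusable set of attribute checks. Values containing
    # non-alphanumeric characters (here: spaces) must be quoted.
    SSLClientAuthGroup PayrollAdmins (CommonName = "Fred Smith" OR CommonName = "John Deere") AND Org = IBM

    <Location /payroll>
        # Reuse the named group through the Group attribute (assumption).
        SSLClientAuthRequire Group = PayrollAdmins
        # A second directive on the same resource is joined with Boolean AND,
        # so both expressions must hold. Short names are accepted
        # (ICN = IssuerCommonName); != is the only other comparison.
        SSLClientAuthRequire ICN = "Example Corporate CA" AND OrgUnit != Contractors
    </Location>
</VirtualHost>
```

A certificate that is valid, unrevoked and issued by a trusted CA can still be denied access to /payroll when either expression is false, which is the intended layering: GSK validates the chain first, then the attribute expressions decide authorization.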
