Airlock IAM can authenticate users by verifying X.509 client certificates.
The browser can present a client certificate during the SSL/TLS handshake, so the user is authenticated as part of the connection setup, before any application request is sent to the server.
Client certificates can come in different forms:
- from a smart card (used with a smart card reader)
- from a USB token or another hardware device
- as a software certificate installed in the browser (less secure)
Involved systems
- Browser: has access to the client certificate and uses it in the SSL handshake
- Airlock Gateway (WAF): asks for the client certificate in the SSL handshake
  - Verifies that the client certificate issuer is trusted
  - Verifies the signature on the client certificate
  - Verifies the validity period of the client certificate
- Airlock IAM: receives the client certificate information from Airlock Gateway (WAF)
  - Verifies the validity of the client certificate against an external CRL or OCSP server
  - Maps the client certificate to a user or extracts user information from the certificate
  - Takes into account the user account status (e.g. locked), the user's roles, and other information
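The two-stage verification described above, as an added example that is not Airlock code: the Gateway-side checks (trusted issuer, signature, validity period) and the IAM-side checks (revocation status, certificate-to-user mapping, account status and roles) are written out with the `cryptography` package. The test CA, the client certificates, the set of revoked serial numbers standing in for a CRL/OCSP answer, and the user directory are all constructed inside the script; nothing here reflects Airlock's actual configuration keys or internal APIs.

```python
"""Gateway-style and IAM-style client-certificate checks (added example, not
Airlock code). Uses the `cryptography` package; the CA, client certificates,
revoked-serial set and user directory are all constructed inline."""
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = dt.datetime.now(dt.timezone.utc)
DAY = dt.timedelta(days=1)


def make_ca(name):
    """Self-signed test CA (constructed for this example)."""
    key = ec.generate_private_key(ec.SECP256R1())
    subj = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    cert = (x509.CertificateBuilder().subject_name(subj).issuer_name(subj)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - DAY).not_valid_after(NOW + 365 * DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def make_client_cert(ca_key, ca_cert, cn, email, not_before, not_after):
    """Client certificate issued by a test CA; the e-mail SAN is what IAM maps to a user."""
    key = ec.generate_private_key(ec.SECP256R1())
    subj = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder().subject_name(subj).issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_after)
            .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(email)]), critical=False)
            .sign(ca_key, hashes.SHA256()))


def _validity(cert):
    """(not_before, not_after) as aware UTC datetimes, across cryptography versions."""
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is not None:
        return nb, cert.not_valid_after_utc
    return (cert.not_valid_before.replace(tzinfo=dt.timezone.utc),
            cert.not_valid_after.replace(tzinfo=dt.timezone.utc))


def gateway_checks(cert, trusted_cas, now=NOW):
    """Gateway stage: trusted issuer, valid signature, inside the validity period."""
    issuer = next((ca for ca in trusted_cas if ca.subject == cert.issuer), None)
    signature_ok = False
    if issuer is not None:
        try:  # verify the certificate body (TBS bytes) against the issuer's public key
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
            signature_ok = True
        except InvalidSignature:
            pass
    nb, na = _validity(cert)
    return {"issuer_trusted": issuer is not None, "signature_valid": signature_ok,
            "period_valid": nb <= now <= na}


def map_certificate_to_user(cert):
    """IAM stage: derive the user identifier from the e-mail SAN, falling back to the CN."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        emails = san.get_values_for_type(x509.RFC822Name)
        if emails:
            return emails[0]
    except x509.ExtensionNotFound:
        pass
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def iam_authenticate(cert, revoked_serials, users):
    """IAM stage: revocation (CRL/OCSP stand-in), user mapping, account status, roles."""
    if cert.serial_number in revoked_serials:
        return {"ok": False, "reason": "revoked"}
    user_id = map_certificate_to_user(cert)
    account = users.get(user_id)
    if account is None:
        return {"ok": False, "reason": "no_matching_user", "user": user_id}
    if account["locked"]:
        return {"ok": False, "reason": "account_locked", "user": user_id}
    return {"ok": True, "user": user_id, "roles": account["roles"]}


def run_scenarios():
    """Run constructed certificates through both stages and return the outcomes."""
    ca_key, ca_cert = make_ca("Example Trusted CA")
    rogue_key, rogue_cert = make_ca("Example Rogue CA")  # not in the Gateway's trust store
    users = {"alice@example.com": {"locked": False, "roles": ["employee"]},
             "bob@example.com": {"locked": True, "roles": ["employee"]}}
    good = make_client_cert(ca_key, ca_cert, "Alice", "alice@example.com", NOW - DAY, NOW + DAY)
    expired = make_client_cert(ca_key, ca_cert, "Alice", "alice@example.com", NOW - 3 * DAY, NOW - DAY)
    rogue = make_client_cert(rogue_key, rogue_cert, "Alice", "alice@example.com", NOW - DAY, NOW + DAY)
    locked = make_client_cert(ca_key, ca_cert, "Bob", "bob@example.com", NOW - DAY, NOW + DAY)
    unknown = make_client_cert(ca_key, ca_cert, "Carol", "carol@example.com", NOW - DAY, NOW + DAY)
    trusted = [ca_cert]
    return {
        "good": (gateway_checks(good, trusted), iam_authenticate(good, set(), users)),
        "expired": gateway_checks(expired, trusted),
        "rogue": gateway_checks(rogue, trusted),
        "revoked": iam_authenticate(good, {good.serial_number}, users),
        "locked": iam_authenticate(locked, set(), users),
        "unknown": iam_authenticate(unknown, set(), users),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```

The split mirrors the page: the Gateway only needs the trust store and the certificate itself, so it rejects expired certificates and certificates from an unknown issuer before IAM is ever involved, while the revocation, mapping and account-status decisions need data (CRL/OCSP, user directory) that only IAM has.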
Further information and links
- Configuration in the JSP-Loginapp: 17.4.1.9. Client certificate authentication in the JSP-Loginapp