Introduction of SSL Authentication
Secure Sockets Layer (SSL) client certificate authentication schemes require end users to authenticate by supplying a client certificate, which is installed on their device or on a smart card. No login information, such as user name and password, is required for the authentication process. In technology terms, it refers to a client (web browser or client application) authenticating themselves to a server (website or server application) by presenting a certificate that contains information about the client. The certificate is validated by certificate authority (CA) that server trust.
The SSL client certificate authentication scheme performs the following steps to verify the end user’s identity:
- Verifies that the client certificate is valid, by checking if certificate is signed by certificate authority (CA).
- Maps the certificate to the user account in Active Directory Domain Services (AD DS) or any other LDAP server.
- Verifies that the certificate belongs to the user account.
It prevents access to the site/resource if the certificate is not valid.
Each registered user is assigned a DN name that client certificate contains. For each registered user, an entry in LDAP or Active directory is maintained with mapping between DN name and user account.
Introduction of WebSphere DataPower SOA Appliances
WebSphere DataPower SOA Appliances are purpose build hardware for hardened security, fast processing of XML data structure and performs ESB functions i.e. routing, format transformation and protocol mediation. It is one of the fastest ESB product among other IBM ESB family members that includes IBM WebSphere Message Broker and IBM WebSphere ESB. It comes in different prototypes to cater different industry needs. For example, XI52 used in enterprise network to cater ESB functions and XG45 used in DMZ to secure outside organization traffic channel. XB62 caters the needs of standards B2B application connectivity including cloud and mobile applications and simplify industry-specific implementation with industry pack support for standards such as retail (PCI, Sarbanes–Oxley), healthcare (HIPPA & HL7, X12), and supply chain management (EDIFACT).like EDIFACT
For more information refer IBM WebSphere DataPower product page
Using WebSphere DataPower as validation server for SSL authentication
WebSphere DataPower supports almost every security standard that IT industry use today, it includes SAML, OAuth, XACML, LTPA, Digital Certificate, SSL, Kerberos, WS-Security and many more. It is purpose build hardware which efficiently accepts the incoming authentication request, parse it and verify it against third party authentication systems.
SSL authentication scheme needs a validation server who can validate the incoming SSL certificate and then authorize it against LDAP or active directory server. WebSphere DataPower can cater that need for SSL authentication. DataPower receive the incoming request, extract the client certificate, validates it and verify the client certificate against the LDAP. If successful, the request will be forwarded to server else it will be rejected.
WebSphere DataPower can be used for SSL Authentication with just few configuration steps implemented in AAA framework. AAA framework performs the authentication and authorization functions in DataPower. The configuration steps are as followed
- Extract Identity – it extracts the certificate DN (or other information) from the incoming client certificate.
- Extract resource – it extracts the resource/incoming data coming with the request. For example URI or SOAP operation name.
- Authenticate – it validates the certificate by checking if certificate is signed by a good CA.
- Map Credentials – if authentication successful, it maps the DN name to an attribute for search in LDAP or active directory.
- Map resource – it maps the extracted resource/incoming data into a format required for authorization. This is an optional step and can be used as per the requirement.
- Authorization – it checks the mapped credential against active directory or LDAP.
- Audit & Planning – the final optional steps gives option to map the output into a format required for further processing.
Mapping certificates to Active Directory users
To authenticate end users by using their certificate, DataPower maps the certificate to the Active Directory user, and then verifies that certain fields in the certificate match the Active Directory user attributes.
- To map the certificate, DataPower requires a username that it can match to an Active Directory username.
- The common name (CN); for example, “CN=username”.
- The user principal name (UPN); for example, firstname.lastname@example.org.
- After mapping the user, DataPower compares the value of a certificate field to the corresponding Active Directory attribute. If the field comparison is successful, the user is authenticated.