Configuring X.509 Authentication

X.509 client authentication allows clients to authenticate to servers with certificates rather than with a user name and password by leveraging the X.509 public key infrastructure (PKI) standard.

A typical installation handles this process for you. If you need to configure it manually, the instructions are as follows:

Prerequisite

  • Using the procedure described for a manual configuration in Securing the Session Server to MSS, verify that a trusted certificate has been installed in the certificate store. The procedure may vary depending on your operating system and browser.

Basic steps:

  1. Install the signing authority's certificate into MSS and Reflection ZFE.

  2. Restart the servers.

  3. Configure X.509 in the Management and Security Server Administrative Console.

Step 1. Install the signing authority's certificate into MSS and Reflection ZFE

MSS’s trusted store may already contain your signing authority certificate. This is often the case with well-known certificate signing authorities, and if so, then you can skip this step.

To check:

If your certificate is not listed, you need to install your signing root CA into MSS and into the Reflection ZFE session server, following the prompts and documentation in the Administrative Console.

To install the certificate into the Reflection ZFE session server:

In <RZFE_install_directory>\sessionserver\etc, import the certificate:

  keytool -importcert -file <cert-file> -alias <alias-to-store-cert-under> -keystore servletcontainer.bcfks -storetype bcfks -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath ../lib/bc-fips-1.0.1.jar -storepass changeit
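The check and import from Step 1 as an added shell script (not code from the Reflection ZFE/MSS documentation): it reuses the documented keytool options for the BCFKS store, looks for the alias in servletcontainer.bcfks before importing so the step is safe to rerun, and confirms the entry afterwards. The Unix-style install path in RZFE_ETC, the alias name and the use of -noprompt are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Reflection ZFE/MSS documentation: check for
# and import a signing-authority CA certificate into the session server
# truststore with the same BCFKS/BCFIPS keytool options the page documents.
set -eu

# Assumed location of <RZFE_install_directory>/sessionserver/etc
RZFE_ETC="${RZFE_ETC:-/opt/rzfe/sessionserver/etc}"
STORE="servletcontainer.bcfks"
STOREPASS="${STOREPASS:-changeit}"   # default from the documented command

# Every keytool call against a BCFKS store must load the Bouncy Castle FIPS
# provider; centralising the options keeps list and import consistent.
store_opts() {
  printf '%s %s %s' \
    "-keystore $STORE -storetype bcfks -providername BCFIPS" \
    "-providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider" \
    "-providerpath ../lib/bc-fips-1.0.1.jar -storepass $STOREPASS"
}

# Read `keytool -list` output (one "alias, date, entryType," line per entry)
# from stdin and succeed only if the given alias is already present.
list_has_alias() {
  awk -F', ' -v a="$1" '$1 == a { found = 1 } END { exit !found }'
}

# The documented step made idempotent: skip the import when the alias is
# already in the truststore, otherwise show the cert, import it and confirm.
install_ca() {   # usage: install_ca <alias> <cert-file>
  cd "$RZFE_ETC"
  # word splitting of $(store_opts) into separate arguments is intended
  if keytool -list $(store_opts) | list_has_alias "$1"; then
    echo "alias '$1' already present in $STORE; nothing to import"
  else
    keytool -printcert -file "$2"            # review issuer/fingerprint first
    keytool -importcert -noprompt -file "$2" -alias "$1" $(store_opts)
    keytool -list -alias "$1" $(store_opts)  # exits non-zero if it did not land
    echo "imported '$1'; restart the servers for it to take effect"
  fi
}

if [ "$#" -eq 2 ]; then
  install_ca "$1" "$2"
fi
```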

Step 2. Restart all the servers

For the configuration to take effect, you must restart all servers.

Step 3. Configure X.509 with LDAP failover in the MSS Administrative Console

Once the certificates are in place, you can enable X.509 with LDAP failover in the Management and Security Server Administrative Console under Assign Access. See the Administrative Console online help for descriptions of the configuration options.