How to configure Client Certificate Authentication with Jazz Authorization Server (JTS 6.0.1)?


John Rauser (1123) | asked Feb 24 '16, 5:29 p.m.
edited Feb 24 '16, 8:07 p.m.
Hello, I am trying to set up Client Certificate Authentication with JTS 6.0.1 using Jazz Authorization Server (JAS) so that a user can log in with certificate only and not have to enter a name and password.

I followed the instructions here to enable client certificate authentication. The problem is, it does not appear to do anything. 

I am using the flat localUserRegistry.xml as my user database and I set up a demoCA using OpenSSL and issued myself a certificate with the Common Name "ADMIN". I have installed the certificate in my browser, however when I go to authenticate, JAS still presents me with the FORM authentication, and I can log in using any of the users in localUserRegistry.xml. The certificate appears to do nothing at all.

I feel like I am missing a next step, especially with regard to authenticating without a password. I cannot find any other documentation on configuring Client Certificate Authentication with Jazz Auth Server. Help!!

One answer



Donald Nong (14.5k414) | answered Feb 24 '16, 10:01 p.m.
If I understand correctly, the linked document is a bit misleading, particularly with the first sentence. When a client certificate (for an SSL connection) is configured (to be required), a client _has to_ provide a certificate in order to establish an SSL connection with the server. The client certificate does not appear to have anything to do with the SSO protocol (SAML) that JAS is using. In other words, I don't think configuring a client certificate can eliminate the need for a prompt for username and password.

I think you should be looking at the Kerberos SSO option.
https://www-01.ibm.com/support/knowledgecenter/SSYMRC_6.0.2/com.ibm.jazz.install.doc/topics/c_kerSso_config.html?lang=en
