How it works
Before the process begins the client and servers certificates are stored in there relevant
keystores. In the case of JAVA they are
jks files. Let's take a look at where the JKS files are saved:
- WSO2 product certificates are stored in the
- Server side certificates are stored in the
These certificates are signed and issued by a certificate authority that allows both the client and server to communicate freely. Now let's look at how it works:
- The Client attempts to access a protected resource and the SSL/TSL handshake process begins.
- The Server presents its certificate, which is the server.crt according to our example as shown above.
- The Client takes this certificate and asks the certificate issued authority for the authenticity and validity of the certificate.
- If the certificate is valid, the client will also provide its certificate to the server.
- The Server takes this certificate and asks the certificate issued authority for the authenticity and validity of the certificate.
- The Client is granted access to the resource it was trying to access earlier.
Enabling Mutual SSL in the WSO2 IS
<IS_HOME>/repository/conf/tomcat/catalina-server.xmlfile and ensure that the
clientAuthattribute in the
Connectortag is set to “
want” as shown below. This is done to disable the certificate authentication on certain occasions (like when working on mobile apps). This makes two-way SSL authentication optional.
.jarfile enabling usage of Mutual SSL is shipped with IS by default from IS versions 5.1.0 and upwards. The
org.wso2.carbon.identity.authenticator.mutualssl_X.X.X.jarfile can be found in the
<IS_HOME>/repository/conf/security/authenticators.xmlfile and add the
disabled="false"attribute within the
<Authenticator>tag of the
MutualSSLAuthenticatorto enable the Mutual SSL Authenticator.
For mutual SSL authentication, the public certificate of the WSO2 Identity Server has to be imported to the truststore of the client and the public certificate of the client has to be imported to the client-truststore of Identity Server.