Mutual-authentication with web services

面向向阳花
面向向阳花 2020-12-08 02:40

Currently, I've been successful implementing Mutual Authentication security so long as the client accesses the website using a web browser, because browsers take care of al

4 answers
  •  情歌与酒
    2020-12-08 03:27

    For mutual authentication with SSL (aka two-way SSL) outside a browser, you'll need... Well, actually, let's see what you need for one-way SSL first:

    1. A server keystore
    2. A client truststore

    The server keystore contains the server's (possibly self-signed) certificate and private key. This store is used by the server to sign messages and to return credentials to the client.

    The client truststore contains the server's (self-signed) certificate (extracted from the server keystore into a stand-alone certificate, without the server private key). This is required if the certificate is not signed by a trusted CA for which you already have a certificate in the truststore bundled with the JRE. This step allows you to create a chain of trust.

    With this, you can implement one-way SSL (the traditional use case).

    To implement two-way SSL, you need to make this setup "symmetric" so we'll need to add:

    1. A client keystore
    2. A server truststore

    The client keystore contains the client's (possibly self-signed) certificate and private key. This store is used by the client for the same purpose as the server keystore, i.e. to send client credentials to the server during the TLS mutual authentication handshake.

    The server truststore contains the clients' (self-signed) stand-alone certificates (extracted from the clients' keystores into stand-alone certificates, without the clients' private keys). This is required for the exact same reasons as previously mentioned.

    Some resources to help you generate all this stuff and implement the final solution:

    • The Fifteen Minute Guide to Mutual Authentication
    • Two-Way SSL in Weblogic for Developers
    • Using JAX-WS-Based Web Services with SSL
    • Mutual Authentication for Web Services: A Live Example
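
As an added example (not part of the answer above), the four artifacts the answer lists, built with openssl alone in the order the answer introduces them, plus two checks: that a truststore never carries a private key, and that each side's truststore validates the peer's certificate. It assumes openssl is on PATH and that the Java side can load the PKCS12 files as keystore type PKCS12; the names, subjects and password are constructed.

```shell
#!/bin/sh
# Added example, not from the answer: build the answer's four stores with
# openssl. PKCS12 files load in Java as KeyStore type "PKCS12". Assumes
# openssl on PATH; names, subjects and the password are constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"
PASS="changeit"   # constructed demo password

# Self-signed key + certificate for one party ($1 = server | client).
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$1.example.test" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Keystore: the party's own certificate AND private key.
make_keystore() {
    openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.crt" \
        -name "$1" -passout "pass:$PASS" -out "$WORK/$1-keystore.p12"
}

# Truststore for $1: only the peer's ($2) certificate, never its key.
make_truststore() {
    openssl pkcs12 -export -nokeys -in "$WORK/$2.crt" \
        -passout "pass:$PASS" -out "$WORK/$1-truststore.p12"
}

# Succeeds when $1's truststore carries no private key at all.
truststore_has_no_key() {
    ! openssl pkcs12 -in "$WORK/$1-truststore.p12" -passin "pass:$PASS" \
        -nocerts -nodes 2>/dev/null | grep -q "PRIVATE KEY"
}

# Chain of trust: succeeds when $1's truststore validates $2's certificate.
peer_trusted() {
    openssl pkcs12 -in "$WORK/$1-truststore.p12" -passin "pass:$PASS" \
        -nokeys -out "$WORK/$1-trusted.pem" 2>/dev/null
    openssl verify -CAfile "$WORK/$1-trusted.pem" "$WORK/$2.crt" >/dev/null 2>&1
}
build_all() {
    make_identity server && make_identity client
    make_keystore server                 # one-way SSL: server keystore
    make_truststore client server        # one-way SSL: client truststore
    make_keystore client                 # two-way SSL: client keystore
    make_truststore server client        # two-way SSL: server truststore
}
build_all
peer_trusted client server && echo "client truststore validates server cert"
peer_trusted server client && echo "server truststore validates client cert"
```

The last two lines are the symmetry the answer describes: without the client keystore and server truststore, only the first check can succeed.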
