ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzahu_5.4.0.1/rzahudcmintaccessscen.htm
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Scenario: Use certificates for external authentication" />
<meta name="abstract" content="In this scenario, you learn when and how to use certificates as an authentication mechanism to protect and limit access by public users to public or extranet resources and applications." />
<meta name="description" content="In this scenario, you learn when and how to use certificates as an authentication mechanism to protect and limit access by public users to public or extranet resources and applications." />
<meta name="DC.Relation" scheme="URI" content="rzahudcmscenariosoverview.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahustep1completeplanningworksheets.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahustep2createaserverorclientcertificaterequest.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahustep3configureapplicationtousessl.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahustep4importandassignthesignedpubliccertificate.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahustep5startapplicationinsslmode.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahustep6optionaldefineacatrustlistforanapplicationthatrequires.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahurzahu66adcmstart.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzahudcmintaccessscen" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Scenario: Use certificates for external authentication</title>
</head>
<body>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<div class="nested0" id="rzahudcmintaccessscen"><a name="rzahudcmintaccessscen"><!-- --></a><h1 class="topictitle1">Scenario: Use certificates for external authentication</h1>
<div><p>In this scenario, you learn when and how to use certificates as
an authentication mechanism to protect and limit access by public users to
public or extranet resources and applications.</p>
<div class="section"><h4 class="sectionscenariobar">Situation:</h4><p>You
work for MyCo, Inc., an insurance company, and are responsible for maintaining
different applications on your company's intranet and extranet sites. One
particular application for which you are responsible is a rate-calculating
application that allows hundreds of independent agents to generate quotes
for their clients. Because the information that this application provides
is somewhat sensitive, you want to make sure that only registered agents can
use it. Further, you want to eventually provide a more secure method of user
authentication to the application than your current user name and password
method. You are also concerned that unauthorized users might capture
this information when it is transmitted over an untrusted network, and that
different agents might share this information with each other without
authorization to do so.</p>
<p>After some research, you decide
that using digital certificates can provide you with the security that you
need to protect the sensitive information entered into and retrieved from
this application. The use of certificates allows you to use Secure Sockets
Layer (SSL) to protect the transmission of the rate data. Although eventually
you want all agents to use a certificate to access the application, you know
that your company and your agents may need some time before this goal can
be achieved. In addition to the use of certificate client authentication,
you plan to continue the current use of user name and password authentication
because SSL protects the privacy of this sensitive data in transmission. </p>
<p>Based
on the type of application and its users and your future goal of certificate
authentication for all users, you decide to use a public certificate from
a well known Certificate Authority (CA) to configure SSL for your application. </p>
</div>
<div class="section"><h4 class="sectiontitle">Scenario advantages</h4><div class="p">This scenario has the following
advantages: <ul><li>Using digital certificates to configure SSL access to your rate calculation
application ensures that the information transmitted between the server and
client is protected and private.</li>
<li>Using digital certificates whenever possible for client authentication
provides a more secure method of identifying authorized users. Even where
the use of digital certificates is not possible, client authentication by
means of user name and password authentication is protected and kept private
by the SSL session, making the exchange of such sensitive data more secure. </li>
<li>Using <em>public</em> digital certificates to authenticate users to your
applications and data in the manner that this scenario describes is a practical
choice under these or similar conditions: <ul><li>Your data and applications require varying degrees of security.</li>
<li>There is a high rate of turnover among your trusted users.</li>
<li>You provide public access to applications and data, such as an Internet
Web site, or an extranet application.</li>
<li>You do not want to operate your own Certificate Authority (CA) for
administrative reasons, such as a large number of outside users who access
your applications and resources.</li>
</ul>
</li>
<li>Using a public certificate to configure the rate calculating application
for SSL in this scenario decreases the amount of configuration that users
must perform to access the application securely. Most client software contains
CA certificates for most well-known CAs.</li>
</ul>
</div>
</div>
<div class="section"><h4 class="scenariobar">Objectives</h4><p>In this scenario,
MyCo, Inc. wants to use digital certificates to protect the rate calculating
information that their application provides to authorized public users. The
company also wants a more secure method of authenticating those users who
are allowed to access this application when possible.</p>
<div class="p">The objectives
of this scenario are as follows: <ul><li>The company's public rate calculating application must use SSL to protect the
privacy of the data that it provides to users and receives from users.</li>
<li>SSL configuration must be accomplished with public certificates from a
well-known public Internet Certificate Authority (CA). </li>
<li>Authorized users must provide a valid user name and password to access
the application in SSL mode. Eventually, authorized users must be able to
use one of two methods of secure authentication to be granted access to the
application. Agents must present either a public digital certificate from
a well-known Certificate Authority (CA) or a valid user name and password
if a certificate is unavailable. </li>
</ul>
</div>
</div>
<div class="section"><h4 class="scenariobar">Details</h4><p>The following
figure illustrates the network configuration in this scenario: </p>
<br /><img src="rzahu013.gif" alt="Fig. 1 SSL communications between&#xA;iSeries A and insurance agent clients (text description follows figure)" /><br /><p>The figure illustrates the following information about the situation
for this scenario:</p>
<div class="p"><span class="uicontrol">Company public server iSeries A</span><ul><li><span class="keyword">iSeries™</span> A is the server
that hosts the company's rate calculating application. </li>
<li><span class="keyword">iSeries</span> A runs <span class="keyword">i5/OS™</span> Version 5 Release 4 (V5R4).</li>
<li><span class="keyword">iSeries</span> A has Digital Certificate
Manager (<span class="keyword">i5/OS</span> option 34)
and <span class="keyword">IBM<sup>®</sup> HTTP Server for i5/OS</span> (5722DG1) installed
and configured.</li>
<li><span class="keyword">iSeries</span> A runs the rate
calculating application, which is configured such that it: <ul><li>Requires SSL mode.</li>
<li>Uses a public certificate from a well-known Certificate Authority (CA)
to authenticate itself to initialize an SSL session.</li>
<li>Requires user authentication by user name and password. </li>
</ul>
</li>
<li><span class="keyword">iSeries</span> A presents its
certificate to initiate an SSL session when Clients B and C access the rate
calculating application.</li>
<li>After initializing the SSL session, <span class="keyword">iSeries</span> A
requests that Clients B and C provide a valid user name and password before
allowing access to the rate calculating application.</li>
</ul>
</div>
<div class="p"><span class="uicontrol">Agent client systems Client B and Client C</span> <ul><li>Clients B and C are the systems of independent agents who access the rate calculating
application. </li>
<li>The client software on Clients B and C has an installed copy of the well-known
CA certificate that issued the application certificate.</li>
<li>Clients B and C access the rate calculating application on <span class="keyword">iSeries</span> A,
which presents its certificate to their client software to authenticate its
identity and initiate an SSL session.</li>
<li>Client software on Clients B and C is configured to accept the certificate
from <span class="keyword">iSeries</span> A for the purpose
of initializing an SSL session.</li>
<li>After the SSL session begins, Clients B and C must provide a valid user
name and password before <span class="keyword">iSeries</span> A
grants access to the application. </li>
</ul>
</div>
</div>
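<p>The access decision that the Details section describes (SSL mode required, a certificate issued by a CA on the application's trust list preferred, user name and password accepted as the fallback) can be modelled as a small authentication gate. The following Python is an added illustration, not code from the scenario or from DCM; the CA name, agent records, salt and certificate fields are constructed sample values, and the choice to deny rather than fall back when an unacceptable certificate is presented is an assumed policy.</p>

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample data modelling the scenario (not MyCo's real configuration):
# the CA trust list DCM would hold for the application, and the registered agents,
# each with a salted password hash and the certificate subject mapped to them.
CA_TRUST_LIST = {"CN=Well-Known Public CA"}
SALT = b"constructed-salt"

def pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

REGISTERED_AGENTS = {
    "agentB": (pw_hash("B-secret"), "CN=Agent B,O=MyCo Agents"),
    "agentC": (pw_hash("C-secret"), None),  # agent C has no certificate yet
}

@dataclass
class ClientCert:
    subject: str
    issuer: str
    not_after: datetime

def authenticate(ssl: bool, cert: Optional[ClientCert], user: Optional[str],
                 password: Optional[str], now: datetime) -> Optional[str]:
    """Return the agent granted access, or None when access is denied."""
    if not ssl:          # the application requires SSL mode: credentials and
        return None      # certificates are never accepted over a plain link
    if cert is not None:
        # Preferred method: a certificate issued by a CA on the trust list,
        # still within its validity period, and mapped to a registered agent.
        if cert.issuer in CA_TRUST_LIST and cert.not_after > now:
            for name, (_, subject) in REGISTERED_AGENTS.items():
                if subject == cert.subject:
                    return name
        return None      # assumed policy: an unacceptable certificate does not fall back
    # Fallback while agents migrate: user name and password inside the SSL session.
    if user in REGISTERED_AGENTS and password is not None:
        if hmac.compare_digest(REGISTERED_AGENTS[user][0], pw_hash(password)):
            return user
    return None

# Constructed sample clock and certificates for exercising the gate.
NOW = datetime(2006, 6, 1, tzinfo=timezone.utc)
GOOD_CERT = ClientCert("CN=Agent B,O=MyCo Agents", "CN=Well-Known Public CA", datetime(2007, 1, 1, tzinfo=timezone.utc))
EXPIRED_CERT = ClientCert(GOOD_CERT.subject, GOOD_CERT.issuer, datetime(2005, 1, 1, tzinfo=timezone.utc))
UNTRUSTED_CERT = ClientCert(GOOD_CERT.subject, "CN=Some Other CA", GOOD_CERT.not_after)
```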
<div class="section"><h4 class="scenariobar">Prerequisites and assumptions</h4><p>This
scenario depends on the following prerequisites and assumptions: </p>
<ul><li>The rate calculating application on <span class="keyword">iSeries</span> A
is a generic application that can be configured to use SSL. Most applications,
including many <span class="keyword">iSeries</span> applications,
provide SSL support. SSL configuration steps vary widely among applications.
Consequently, this scenario does not provide specific instructions for configuring
the rate calculating application to use SSL. This scenario provides instructions
for configuring and managing the certificates that are necessary for any application
to use SSL.</li>
<li>The rate calculating application may provide the capability of requiring
certificates for client authentication. This scenario provides instructions
for how to use Digital Certificate Manager (DCM) to configure certificate
trust for those applications that provide this support. Because the configuration
steps for client authentication vary widely among applications, this scenario
does not provide specific instructions for configuring certificate client
authentication for the rate calculating application. </li>
<li><span class="keyword">iSeries</span> A meets the <a href="rzahurzahureqdcmrequirements.htm#rzahureq_dcm_requirements">requirements</a> for
installing and using Digital Certificate Manager (DCM).</li>
<li>No one has previously configured or used DCM on <span class="keyword">iSeries</span> A.</li>
<li>Whoever uses DCM to perform the tasks in this scenario must have *SECADM
and *ALLOBJ special authorities for their user profile.</li>
<li><span class="keyword">iSeries</span> A does not have
an IBM Cryptographic
Coprocessor installed. </li>
</ul>
</div>
<div class="section"><h4 class="scenariobar">Configuration tasks</h4></div>
</div>
<div>
<ol>
<li class="olchildlink"><a href="rzahustep1completeplanningworksheets.htm">Complete planning work sheets</a><br />
</li>
<li class="olchildlink"><a href="rzahustep2createaserverorclientcertificaterequest.htm">Create a server or client certificate request</a><br />
</li>
<li class="olchildlink"><a href="rzahustep3configureapplicationtousessl.htm">Configure application to use SSL</a><br />
</li>
<li class="olchildlink"><a href="rzahustep4importandassignthesignedpubliccertificate.htm">Import and assign the signed public certificate</a><br />
</li>
<li class="olchildlink"><a href="rzahustep5startapplicationinsslmode.htm">Start application in SSL mode</a><br />
</li>
<li class="olchildlink"><a href="rzahustep6optionaldefineacatrustlistforanapplicationthatrequires.htm">(Optional): Define a CA trust list for an application that requires</a><br />
</li>
</ol>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzahudcmscenariosoverview.htm" title="Use this information to review two scenarios that illustrate typical certificate implementation schemes to help you plan your own certificate implementation as part of your iSeries security policy. Each scenario also provides all needed configuration tasks you must perform to employ the scenario as described.">DCM scenarios</a></div>
</div>
<div class="reltasks"><strong>Related tasks</strong><br />
<div><a href="rzahurzahu66adcmstart.htm" title="Use this information to learn how to access the Digital Certificate Manager (DCM) feature on your system.">Start Digital Certificate Manager</a></div>
</div>
</div></div>
</body>
</html>