118 lines
8.3 KiB
HTML
118 lines
8.3 KiB
HTML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE html
|
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
<html lang="en-us" xml:lang="en-us">
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<meta name="security" content="public" />
|
|
<meta name="Robots" content="index,follow" />
|
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
|
<meta name="DC.Type" content="concept" />
|
|
<meta name="DC.Title" content="Digital certificates for user authentication" />
|
|
<meta name="abstract" content="Review this information to learn how to use certificates to provide a means of more strongly authenticating users who access iSeries system resources." />
|
|
<meta name="description" content="Review this information to learn how to use certificates to provide a means of more strongly authenticating users who access iSeries system resources." />
|
|
<meta name="DC.Relation" scheme="URI" content="rzahurzahu4aagetstarteddcm.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzahurzahu4adcertsandssl.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzahuissuepublicusercerts.htm" />
|
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
|
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
|
|
<meta name="DC.Format" content="XHTML" />
|
|
<meta name="DC.Identifier" content="rzahu4ae-authenticate_w_certs" />
|
|
<meta name="DC.Language" content="en-us" />
|
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
|
<!-- US Government Users Restricted Rights -->
|
|
<!-- Use, duplication or disclosure restricted by -->
|
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
|
<title>Digital certificates for user authentication</title>
|
|
</head>
|
|
<body id="rzahu4ae-authenticate_w_certs"><a name="rzahu4ae-authenticate_w_certs"><!-- --></a>
|
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
|
<h1 class="topictitle1">Digital certificates for user authentication</h1>
|
|
<div><p>Review this information to learn how to use certificates
|
|
to provide a means of more strongly authenticating users who access <span class="keyword">iSeries™</span> system resources. </p>
|
|
<p>Traditionally, users receive access to resources from an application or
|
|
system based on their user name and password. You can further augment system
|
|
security by using digital certificates (instead of user names and passwords)
|
|
to authenticate and authorize sessions between many server applications and
|
|
users. Also, you can use Digital Certificate Manager (DCM) to associate a
|
|
user's certificate with that user's <span class="keyword">iSeries</span>
|
|
user profile or another user identity. The certificate then has the same authorizations
|
|
and permissions as the associated user identity or user profile. Alternatively,
|
|
you can use APIs to programmatically use your private Local Certificate Authority
|
|
to issue certificates to non-iSeries users. These APIs provide you with the
|
|
ability to issue private certificates to users when you do not want these
|
|
users to have an <span class="keyword">iSeries</span> user
|
|
profile or other internal user identity.</p>
|
|
<p>A digital certificate acts as an electronic credential and verifies that
|
|
the person presenting it is truly who she claims to be. In this respect, a
|
|
certificate is similar to a passport. Both establish an individual's identity,
|
|
contain a unique number for identification purposes, and have a recognizable
|
|
issuing authority that verifies the credential as authentic. In the case of
|
|
a certificate, a Certificate Authority (CA) functions as the trusted, third
|
|
party that issues the certificate and verifies it as an authentic credential.</p>
|
|
<p>For authentication purposes, certificates make use of a public key and
|
|
a related private key. The issuing CA binds these keys, along with other information
|
|
about the certificate owner, to the certificate itself for identification
|
|
purposes. </p>
|
|
<div class="p">An increasing number of applications now provide support for using certificates
|
|
for client authentication during an SSL session. Currently, these iSeries applications
|
|
provide client authentication certificate support: <ul><li>Telnet server </li>
|
|
<li><span class="keyword">IBM<sup>®</sup> HTTP Server for i5/OS™</span> (powered by
|
|
Apache) </li>
|
|
<li>IBM Directory
|
|
Server</li>
|
|
<li><span class="keyword">iSeries Access for Windows<sup>®</sup></span> (including <span class="keyword">iSeries Navigator</span> Navigator)</li>
|
|
<li>FTP server</li>
|
|
</ul>
|
|
Over time, additional applications may provide client authentication
|
|
certificate support; review the documentation for specific applications to
|
|
determine whether they provide this support.</div>
|
|
<div class="p">Certificates can provide a stronger means of authenticating users for several
|
|
reasons: <ul><li>There is the possibility that an individual might forget his or her password.
|
|
Therefore, users must memorize or record their user names and passwords to
|
|
ensure that they remember them. As a result, unauthorized users may more readily
|
|
obtain user names and passwords from authorized users. Because certificates
|
|
are stored in a file or other electronic location, client applications (rather
|
|
than the user) handle accessing and presenting the certificate for authentication.
|
|
This ensures users are less likely to share certificates with unauthorized
|
|
users unless unauthorized users have access to the user's system. Also, certificates
|
|
can be installed on smart cards as an additional means of protecting them
|
|
from unauthorized usage. </li>
|
|
<li>A certificate contains a private key that is never sent with the certificate
|
|
for identification. Instead, the system uses this key during encryption and
|
|
decryption processing. Others can use the certificate's corresponding public
|
|
key to verify the identity of the sender of objects that are signed with the
|
|
private key. </li>
|
|
<li>Many systems require passwords that are 8 characters or shorter in length,
|
|
making these passwords more vulnerable to guessing attacks. A certificate's
|
|
cryptographic keys are hundreds of characters long. This length, along with
|
|
their random nature, makes cryptographic keys much harder to guess than passwords.</li>
|
|
<li>Digital certificate keys provide several potential uses that passwords
|
|
cannot provide, such as data integrity and privacy. You can use certificates
|
|
and their associated keys to: <ul><li>Assure data integrity by detecting changes to data.</li>
|
|
<li>Prove that a particular action was indeed performed. This is called nonrepudiation.</li>
|
|
<li>Ensure the privacy of data transfers by using the Secure Sockets Layer
|
|
(SSL) to encrypt communication sessions.</li>
|
|
</ul>
|
|
</li>
|
|
</ul>
|
|
</div>
|
|
<p>To learn more about configuring <span class="keyword">iSeries</span> applications
|
|
to use certificates for client authentication during an SSL session, see the <a href="../rzain/rzainoverview.htm">Secure Sockets
|
|
Layer (SSL)</a> topic in the <span class="keyword">iSeries Information Center</span>.</p>
|
|
</div>
|
|
<div>
|
|
<div class="familylinks">
|
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzahurzahu4aagetstarteddcm.htm" title="Use this information to help you decide how and when you might use digital certificates to meet your security goals. Use this information to learn about any prerequisites you need to install, as well as other requirements that you must consider before using DCM.">Plan for DCM</a></div>
|
|
</div>
|
|
<div class="relconcepts"><strong>Related concepts</strong><br />
|
|
<div><a href="rzahurzahu4adcertsandssl.htm" title="Use this information to learn how to use certificates so that your applications can establish secure communication sessions.">Digital certificates for SSL secure communications</a></div>
|
|
</div>
|
|
<div class="relref"><strong>Related reference</strong><br />
|
|
<div><a href="rzahuissuepublicusercerts.htm" title="Use this information to learn how you can use your Local CA to issue private certificates to users without associating the certificate with an iSeries user profile.">Use APIs to programmatically issue certificates to non-iSeries users</a></div>
|
|
</div>
|
|
</div>
|
|
</body>
|
|
</html> |