WebSphere Application Server & Liberty

  • 1.  Behavior of Client certificate authentication

    Posted Thu September 27, 2012 01:14 PM
    Hi,

      WAS 6.1.0.35 Windows

      We have WAS security configured to require a user certificate. It's authenticating well, but we want to know if it's possible to configure the following behavior at the WAS level. We suppose that at code level it is possible, taking the OID from the certificate, for example.

                 CA certificate
                /              \
           Sub CA1    Sub CA2

      We want certificates from Sub CA1 to be allowed but not from Sub CA2. Sub CA2 certificates are valid and not revoked.

      Maybe some configuration at VMM level?

      Thanks in advance.

    Regards


  • 2.  Behavior of Client certificate authentication

    Posted Tue October 02, 2012 09:10 AM
    Gabriel - 

    Can you explain a bit more about your scenario?  I'm having a bit of trouble understanding what you're trying to accomplish...

    As I understand it, you have a central CA which all certs are validated against.  You then have secondary CAs, and you want something to use these secondary CAs?


    Is the authentication required at the WebSphere Admin Console level to log in to the DMGR?  

    Or, are you looking to restrict the application such that only members of the Sub CA1 level can access the app?

    I've not had a requirement to implement this in our environment, so I may be of limited help.  However, it does sound like you might be looking to leverage VMM/federated repositories in WebSphere.

    The v6.1 Security Handbook (www.redbooks.ibm.com/redbooks/pdfs/sg246...) has some documentation, but you might want to take a look at the v7.0 redbook for more information (www.redbooks.ibm.com/redbooks/pdfs/sg247...)

    If you can explain more, I'll try and assist the best I can.

    Regards,
    Erik 


  • 3.  Behavior of Client certificate authentication

    Posted Tue October 02, 2012 03:17 PM
    Hi Erik,

      I will try to explain better.
     
      We have IIS with Plugin and WAS 6.1.
     
      The requirement is for application authentication not for WAS Admin console.
     
      Yes, we are looking to restrict (if it's possible at IIS or WAS level) the application such that only members with Sub CA1 level certificates can access the app. Perhaps by breaking the chain of certificates?


              CA certificate
                /              \
           Sub CA1          
              /                  \
     Certificate 1    Certificate 2 (Not allowed)

      Now it is working fine with all certificates.

      Thank you very much for your support Erik.

    Regards


  • 4.  Behavior of Client certificate authentication

    Posted Tue October 02, 2012 05:15 PM
    Try taking a look at this link regarding restricting access to web sites based on certificates Gabriel:  ondrej.wordpress.com/2010/01/24/iis-7-an...

    We haven't had to do this, but I do have quite a bit of first hand experience with IIS and some with setting up multiple sites in IIS and having to require them to all use SSL.  It's do-able, but a bit of a pain. 

    Which version of IIS are you running and are there other web sites on the same IIS install?

    Erik 


  • 5.  Behavior of Client certificate authentication

    Posted Tue October 02, 2012 07:39 PM
    Hi Erik,

     Thank you, thank you very much, for the article (and your time); it clarifies many concepts.
     
     " a CA certificate is sort of a master certificate that is ultimately trusted and that is used to sign other, lower level certificates. If a lower level certificate is signed by a CA certificate and a given computer trusts the CA that issued the CA certificate, it will implicitly trust the lower level certificate as well."
     
                 CA certificate
                /              \
           Sub CA1          
              /                  \
     Certificate 1    Certificate 2 (Not allowed)
     
     This is what we have seen: if we have the CA certificate, even if we don't have Sub CA2, certificate 2 is allowed.

     When I put your information on the table, the "requirements" changed. Now they are not interested in limiting the Sub CAs but in limiting by certificate policy OIDs.
     
       The certificate policies (3.1)
       www.ietf.org/rfc/rfc2527.txt
       
        "A certificate policy, which needs to be recognized by both the issuer and user of a certificate, is represented in a certificate by a unique, registered Object Identifier"
        
     I will ask for the version of the IIS and more information (it is like a broken telephone).

     As I said, thank you very much for your time Erik.

    Kind regards,


  • 6.  Behavior of Client certificate authentication

    Posted Wed October 03, 2012 09:05 AM
    Glad this is proving to be of some help Gabriel!  I don't think how certificates work was really in question (from my end.)  It was determining at what level the security would be enforced...

    If you have your security enforced at the IIS level, just make sure you do NOT update the virtual hosts for the application in WebSphere to allow users to hit the application by specifying the host and port combo.  If the Virtual Host in WebSphere contains these entries, users could bypass the certificate check at IIS and violate the requirements the business is putting on you.

    While you are investigating the IIS version, do you know whether the IIS environment hosts other web sites?  This tends to complicate things when certificates come into play, as an FYI. 


  • 7.  Behavior of Client certificate authentication

    Posted Wed October 03, 2012 02:20 PM
    Hi Erik
     
      They have IIS 6 and there are more sites, but only one with the plugin, redirecting to WebSphere Portal (not WAS only).

      Finally, with your article and the certificate policies RFC, the solution determined is to only require and validate certificates at IIS or WAS level and then analyze the certificate and do whatever is needed (developing).

      Sure Erik, if there are certificates, everything is more complicated.

      Thank you very much for your support. You have a beer waiting.
     
    Kind regards,
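The approach the thread settles on, "validate the certificate at the TLS endpoint, then analyze it in code", is shown below as an added example written for this page; it is not code from the thread, from IBM, or from the article Erik linked. It is a servlet filter for a WAS application that reads the already-validated client certificate from the standard Servlet attribute `javax.servlet.request.X509Certificate` and enforces the two rules Gabriel discussed: the leaf must be issued by Sub CA1, and it must assert a required certificate-policy OID (RFC 2527 section 3.1, as quoted in post 5). The issuer DN `CN=Sub CA1, O=Example Org, C=ES`, the policy OID `1.3.6.1.4.1.99999.1.1` and the class name are placeholders I chose; the extension OID `2.5.29.32` is the standard certificatePolicies OID. The filter assumes the TLS handshake terminated at WAS; if IIS terminates TLS, the certificate reaches the application only if the plugin passes it through, and the attribute lookup would need to change accordingly.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Accepts a request only if the client certificate was issued by "Sub CA1" and carries
 * the required policy OID. Signature, validity period and revocation were already checked
 * by the TLS endpoint; this filter adds only the business rule from the thread.
 */
public class ClientCertPolicyFilter implements Filter {

    // Hypothetical values: replace with the real Sub CA1 issuer DN and the real policy OID.
    private static final X500Principal ALLOWED_ISSUER =
            new X500Principal("CN=Sub CA1, O=Example Org, C=ES");
    private static final String REQUIRED_POLICY_OID = "1.3.6.1.4.1.99999.1.1"; // placeholder
    // Standard OID of the certificatePolicies extension.
    private static final String CERT_POLICIES_EXT_OID = "2.5.29.32";

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        // Servlet-spec attribute, populated when the container terminated the TLS handshake.
        X509Certificate[] certs =
                (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (certs == null || certs.length == 0) {
            deny(resp, "client certificate required");
            return;
        }
        // certs[0] is the end-entity certificate; the rest of the chain follows it.
        if (!isAllowed(certs[0])) {
            deny(resp, "certificate not accepted for this application");
            return;
        }
        chain.doFilter(req, resp);
    }

    private static void deny(ServletResponse resp, String reason) throws IOException {
        ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_FORBIDDEN, reason);
    }

    /** Business rule: issued by Sub CA1 AND asserting the required policy OID. */
    static boolean isAllowed(X509Certificate leaf) {
        // X500Principal.equals compares canonical DN forms, so RDN spacing does not matter.
        if (!ALLOWED_ISSUER.equals(leaf.getIssuerX500Principal())) {
            return false;
        }
        return policyOids(leaf).contains(REQUIRED_POLICY_OID);
    }

    /** Policy identifiers from the certificatePolicies extension; empty if the extension is absent. */
    static Set<String> policyOids(X509Certificate cert) {
        Set<String> oids = new LinkedHashSet<String>();
        byte[] ext = cert.getExtensionValue(CERT_POLICIES_EXT_OID);
        if (ext == null) {
            return oids;
        }
        // getExtensionValue() returns a DER OCTET STRING wrapping
        // SEQUENCE OF PolicyInformation; each PolicyInformation starts with the policy OID.
        int[] octetString = tlv(ext, 0);
        int[] policySeq = tlv(ext, octetString[0]);
        int pos = policySeq[0];
        while (pos < policySeq[1]) {
            int[] info = tlv(ext, pos);
            if (ext[info[0]] == 0x06) {                 // OBJECT IDENTIFIER tag
                int[] oid = tlv(ext, info[0]);
                oids.add(decodeOid(ext, oid[0], oid[1]));
            }
            pos = info[1];
        }
        return oids;
    }

    /** Minimal DER reader: for the TLV at offset returns {contentStart, contentEnd}. */
    private static int[] tlv(byte[] der, int offset) {
        int first = der[offset + 1] & 0xFF;
        int headerLen = 2;
        int length = first;
        if ((first & 0x80) != 0) {                      // long form: next n bytes hold the length
            int n = first & 0x7F;
            length = 0;
            for (int i = 0; i < n; i++) {
                length = (length << 8) | (der[offset + 2 + i] & 0xFF);
            }
            headerLen = 2 + n;
        }
        int start = offset + headerLen;
        return new int[] { start, start + length };
    }

    /** Base-128 OID content bytes to dotted form, e.g. 2B 06 01 05 05 07 -> "1.3.6.1.5.5.7". */
    private static String decodeOid(byte[] der, int start, int end) {
        StringBuilder sb = new StringBuilder();
        long value = 0;
        boolean firstArc = true;
        for (int i = start; i < end; i++) {
            int b = der[i] & 0xFF;
            value = (value << 7) | (b & 0x7F);
            if ((b & 0x80) == 0) {                      // last byte of this sub-identifier
                if (firstArc) {                         // first two arcs are packed as 40*a + b
                    long a = value < 80 ? value / 40 : 2;
                    sb.append(a).append('.').append(value - a * 40);
                    firstArc = false;
                } else {
                    sb.append('.').append(value);
                }
                value = 0;
            }
        }
        return sb.toString();
    }
}
```

Register the class as a filter in the application's web.xml and map it to the protected URL patterns. Enforcing the rule inside WAS rather than only in IIS also addresses Erik's warning in post 6: a client that reaches the WebSphere port directly still hits the filter, so an IIS-only check cannot be bypassed that way. The DER walker is deliberately minimal because it only ever sees bytes the JDK has already parsed as a valid certificate; if the policy OID were instead used to select a role (rather than allow/deny), the same `policyOids()` result could feed that mapping.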