IBM i Global

  • 1.  SSL Configuration and IWS Service

    Posted Mon May 09, 2022 12:44 PM
    We have an IWS application server configured to use SSL.  A deployed REST service using that also uses basic authentication.  In testing the service, it is only requiring the basic authentication and not the certificate.  I thought the service would require both the certificate and basic authentication.  Is that not how it works or is there some configuration I'm missing?

    ------------------------------
    Amy Vozza
    ------------------------------


  • 2.  RE: SSL Configuration and IWS Service

    IBM Champion
    Posted Mon May 09, 2022 03:53 PM
    What do you mean by "require the certificate"?  SSL always uses a certificate.  It can't function without it.

    Do you mean that you enabled client-side certificates and you only want to allow clients that supply your particular certificate to connect?  That would be an unusual setup.  I would think it's possible, but haven't tried it or seen anyone else try it.  Client-side certificates are very rare.

    Or do you mean that it was set up for SSL, but is still allowing plain-text connections?

    ------------------------------
    Scott Klement
    Director
    Profound Logic Software
    Oak Creek WI
    ------------------------------



  • 3.  RE: SSL Configuration and IWS Service

    Posted Mon May 09, 2022 04:07 PM
    I didn't enable client-side certificates.  I thought that part of the SSL was that it would require clients to provide our certificate to connect.  So it sounds like SSL with that is only for encryption and then we can add basic authentication, or else anyone with the URL could connect.  Is that correct?

    ------------------------------
    Amy Vozza
    ------------------------------



  • 4.  RE: SSL Configuration and IWS Service

    IBM Champion
    Posted Mon May 09, 2022 05:33 PM

    SSL was originally conceived by Netscape as a way to protect online shopping stores.  For example, something like Amazon.com.

    When you go to Amazon and place an order, SSL encrypts the connection and provides a crypto certificate that "proves" that you are really connected to Amazon.  (After all, you don't want to send your payment to someone else!)  So its purpose is to show the client-side (the web browser in the Amazon example, or the REST API caller in yours) that the server really is who it says that it is.

    It does not make any effort to prove who the client is, by default.  You don't have to prove to Amazon that you're really Amy Vozza. (Not via SSL at any rate, it'd be proven by your userid/password, credit card, etc, instead.)   And it would be an administrative nightmare if every Amazon customer everywhere in the world had to install a special crypto certificate to browse Amazon's site, that'd never work.

    So, it's just the server-side certificate that is needed in 99.9% of SSL configurations, not the client-side.  But yes, it does provide encryption.  And the userid/password provided via basic authentication should prove that the client-side is who they claim to be.

    So, yes... you're correct, SSL is only to provide encryption, and to prove the identity of the server. The basic authentication is meant to prove the identity of the client.



    ------------------------------
    Scott Klement
    Director
    Profound Logic Software
    Oak Creek WI
    ------------------------------
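The division of labour Scott describes, as an added example that is not part of the thread and is not IWS or IBM code: a server-side TLS context by default verifies nothing about the client (that is why Amy's service completes the handshake for anyone who can reach the URL), client certificates are an explicit opt-in that turns it into mutual TLS, and HTTP Basic authentication is the step that actually identifies the caller. The certificate file path, the user store and the header values below are constructed for the example; a real service would load its own certificate with `load_cert_chain()` and keep salted password hashes rather than plaintext.

```python
"""Added example: one-way TLS vs. mutual TLS on the server side, and the
Basic-authentication check that identifies the client in the one-way case.
Nothing here is IWS-specific configuration; the paths and users are
hypothetical."""
import base64
import binascii
import hmac
import ssl
from typing import Optional


def server_context(client_auth: bool, ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Build a server-side TLS context.

    client_auth=False: the default. verify_mode stays CERT_NONE, so the server
    proves its identity with its own certificate but asks nothing of the peer;
    any client that can reach the port completes the handshake.

    client_auth=True: mutual TLS. The server demands a client certificate that
    chains to the CA(s) in ca_file (hypothetical path) and aborts the handshake
    otherwise. Without a CA file loaded, no client could ever pass.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_auth:
        ctx.verify_mode = ssl.CERT_REQUIRED
        if ca_file:
            ctx.load_verify_locations(cafile=ca_file)
    # The server's own certificate would be installed here with
    # ctx.load_cert_chain("server.pem"); omitted because the file is hypothetical.
    return ctx


def handshake_requires_client_cert(ctx: ssl.SSLContext) -> bool:
    """True only when the context will reject clients that present no certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED


# Constructed credential store: user name -> password (plaintext only to keep
# the example self-contained; store a salted hash in a real service).
USERS = {"amy": "correct horse battery staple"}


def basic_header(user: str, password: str) -> str:
    """What a REST client sends: Authorization: Basic base64(user:password)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def check_basic_auth(authorization: Optional[str], is_tls: bool) -> Optional[str]:
    """Return the authenticated user name, or None when the request is rejected.

    Basic credentials are only base64-encoded, not encrypted, so they are
    accepted only on a TLS connection: TLS protects the channel and proves the
    server, Basic proves the client.
    """
    if not is_tls or not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    expected = USERS.get(user)
    # Compare in constant time, against a dummy value for unknown users, so the
    # timing of the check does not reveal which user names exist.
    reference = expected if expected is not None else "\x00"
    ok = hmac.compare_digest(password.encode("utf-8"), reference.encode("utf-8"))
    return user if (expected is not None and ok) else None


if __name__ == "__main__":
    print("one-way TLS requires client cert:", handshake_requires_client_cert(server_context(False)))
    print("mutual TLS requires client cert:", handshake_requires_client_cert(server_context(True)))
    hdr = basic_header("amy", "correct horse battery staple")
    print("over TLS:", check_basic_auth(hdr, is_tls=True))
    print("over plain HTTP:", check_basic_auth(hdr, is_tls=False))
```

Run it stand-alone and the two `server_context` calls show that client authentication is something the administrator must switch on; the default context never asks the caller for a certificate, exactly as Amy observed. The Basic check refuses credentials sent over a non-TLS connection because nothing else would protect them in transit.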