Mutual SSL/TSL authentication
In contrast to usual 1-way SSL where client verifies the identity of the server, in mutual SSL, the server will also validate the identity of the client, so that both parties trust each other. This build a system with very tight security and avoid any need of username/password to be presented from the client, as long as the server is aware of which certificate belongs to which client. Let's take a look at how it all works,
1. Client tries to access a protected resource and the SSL/TSL hand shake process begins.
Before the process begins the client and server's certificates are stored in there relevant keystores. In case of Java these are jks files, and in WSO2 products certificates are stored in wso2carbon.jks and clienttruststore.jks in server side while the Android agent side certificates are stored in bouncycastle keystores(bks) files found in res/raw in Android agent source code.
These certificates are signed and issued by a certificate authority that both client and server are capable of communicating freely.
2. Server presents it's certificate which is server.crt according to our example.
3. Client takes this certificate and ask the certificate issued authority for the authenticity and validity of the certificate.
4. If the certificate is valid, in mutual SSL, client will also provide it's certificate to server.
5. Server takes this certificate and ask the certificate issued authority for the authenticity and validity of the certificate.
6. Client is granted access to the resource it was trying to access earlier.
Comments
Post a Comment