Certificate Authentication Options

You can authenticate a remote trading partner using certificate authentication. Certificate authentication is optional and is built on SSL client authentication: the trading partner presents an X.509 certificate during the SSL handshake, and Secure Proxy decides how much checking to apply to it. Three options are available so that you can choose how trading partners are authenticated: no certificate authentication, local certificate authentication, or additional authentication using Sterling External Authentication Server. Authentication using Sterling External Authentication Server provides the highest level of security.

The three options are described below, from most to least secure.

Additional Certificate Authentication Using Sterling External Authentication Server (Recommended)

This is the most secure of the three options. Configure SSL client authentication and have Sterling External Authentication Server perform additional checks on the certificate after it has been validated against the trusted root. Sterling External Authentication Server can perform the following checks:
  • Certificate Revocation List (CRL) checking—validates that the certificate has not been revoked by its issuer.
  • Common name check or subject name lookup—validates that the certificate was issued to a trusted trading partner by looking up the subject name in your LDAP server.
  • Binary comparison—compares the certificate received, byte for byte, with the public certificate stored for that trading partner.
  • Bind certificate to an IP address—validates that the certificate is associated with a specific IP address and that the connection presenting it comes from that address.
  • Custom exit—passes the certificate to your Java program so that it can apply internal certificate validation routines.
Choose this option when your security policy requires any of the following:
  • Multiple factors of authentication in the DMZ, authenticating the trading partner connection with both SSL client authentication and user authentication.
  • A single factor of authentication in the DMZ, using SSL client authentication.
  • Additional validation of the client certificate by a mechanism external to Secure Proxy.

Local Certificate Authentication

If SSL client authentication is configured, Secure Proxy requires the trading partner to present a valid certificate during the SSL handshake and validates it against the trusted root certificates configured on Secure Proxy. Only the chain of trust is checked; the additional checks described for Sterling External Authentication Server are not performed.

Choose this option when your security policy requires any of the following:
  • Multiple factors of authentication in the DMZ, authenticating with both SSL client authentication and user authentication.
  • A single factor of authentication in the DMZ, using SSL client authentication.
  • SSL client authentication without Sterling External Authentication Server performing additional certificate validation.

No Certificate Authentication

You can configure Secure Proxy so that the remote trading partner's certificate is not authenticated, either by disabling SSL or by enabling SSL without enforcing SSL client authentication. In both configurations Secure Proxy does not ask the client for a certificate, so the trading partner is not authenticated at the connection level.

Choose this option when your security policy requires any of the following:
  • A single factor of authentication in the DMZ, authenticating the trading partner with user authentication only.
  • An SSL session break in the DMZ without authenticating the trading partner: SSL client authentication is not enforced on Secure Proxy and no user authentication is performed.
  • An unsecured session with the remote trading partner that does not use SSL, so the trading partner presents no certificate.
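The following Go program is an added example written for this page; it is not Secure Proxy or Sterling External Authentication Server code, and it uses only the Go standard library. LocalAuth is the local option: it chains the presented certificate to a trusted root and requires the clientAuth extended key usage. ExternalAuth is the Sterling External Authentication Server option: after local validation it applies the CRL check, the subject name lookup (an in-memory set stands in for the LDAP query), the binary comparison and the IP binding, in the order the list above gives them; the custom exit is left out. The Policy type and its field names, the partner names partner-a and partner-b, the Example Partner CA and its CRL are all this example's own constructed test data. In a real Go server the no-authentication option corresponds to tls.Config.ClientAuth = tls.NoClientCert, the local option to tls.RequireAndVerifyClientCert with ClientCAs set, and ExternalAuth would be called from the VerifyPeerCertificate callback with the connection's remote address.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Policy struct { // inputs for the checks; field names are this example's own, not Secure Proxy or EAS keys
	Roots         *x509.CertPool               // trusted roots (local authentication)
	CRL           *x509.RevocationList         // CRL issued by the trusted CA
	KnownSubjects map[string]bool              // stand-in for the LDAP subject-name lookup
	Pinned        map[string]*x509.Certificate // CN -> stored public certificate (binary comparison)
	IPBindings    map[string]string            // CN -> IP address that must present the certificate
}

// LocalAuth is the "Local Certificate Authentication" option: chain to a trusted root, clientAuth EKU required.
func LocalAuth(roots *x509.CertPool, cert *x509.Certificate) ([]*x509.Certificate, error) {
	chains, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return nil, fmt.Errorf("chain validation: %w", err)
	}
	return chains[0], nil // [leaf, ..., trusted root]
}

// ExternalAuth is the EAS option: local validation first, then the additional checks in the table's order.
func ExternalAuth(p Policy, cert *x509.Certificate, remoteIP string) error {
	chain, err := LocalAuth(p.Roots, cert)
	if err != nil {
		return err
	}
	if err := p.CRL.CheckSignatureFrom(chain[1]); err != nil { // CRL checking: only an issuer-signed, current CRL counts
		return fmt.Errorf("crl signature: %w", err)
	} else if time.Now().After(p.CRL.NextUpdate) {
		return fmt.Errorf("crl is past its NextUpdate (%s); refusing to rely on it", p.CRL.NextUpdate.Format(time.RFC3339))
	}
	for _, rc := range p.CRL.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s is revoked", cert.SerialNumber)
		}
	}
	switch cn := cert.Subject.CommonName; {
	case !p.KnownSubjects[cn]: // subject name lookup
		return fmt.Errorf("subject %q is not a known trading partner", cn)
	case p.Pinned[cn] != nil && string(p.Pinned[cn].Raw) != string(cert.Raw): // binary comparison
		return fmt.Errorf("certificate for %q differs from the stored copy", cn)
	case p.IPBindings[cn] != "" && p.IPBindings[cn] != remoteIP: // bind certificate to IP address
		return fmt.Errorf("certificate for %q presented from %s, bound to %s", cn, remoteIP, p.IPBindings[cn])
	}
	return nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues an Ed25519 certificate from tmpl; parent == nil means self-signed.
func newCert(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)))), key
}

func leaf(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
}

// NewFixture builds a throwaway CA, its CRL and two partner certificates: constructed test data, not real material.
func NewFixture() (p Policy, good, revoked *x509.Certificate) {
	now := time.Now()
	ca, caKey := newCert(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Partner CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}, nil, nil)
	good, _ = newCert(leaf(100, "partner-a"), ca, caKey)
	revoked, _ = newCert(leaf(101, "partner-b"), ca, caKey)
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(101), RevocationTime: now}},
	}, ca, caKey))))
	p = Policy{Roots: x509.NewCertPool(), CRL: crl, KnownSubjects: map[string]bool{"partner-a": true, "partner-b": true},
		Pinned: map[string]*x509.Certificate{"partner-a": good}, IPBindings: map[string]string{"partner-a": "203.0.113.10"}}
	p.Roots.AddCert(ca)
	return p, good, revoked
}

func main() {
	p, good, revoked := NewFixture()
	fmt.Println(ExternalAuth(p, good, "203.0.113.10"), "|", ExternalAuth(p, good, "198.51.100.7"), "|", ExternalAuth(p, revoked, "203.0.113.10"))
}
```

Two design points matter in practice. The CRL is only relied on after its signature has been checked against the issuer found in the validated chain and its NextUpdate has not passed; a CRL fetched from an untrusted location, or an old one left in place, would otherwise quietly un-revoke certificates. And the checks run in the order the list gives them, so a revoked certificate is rejected before any subject lookup happens and the error says why; the local option (LocalAuth alone) accepts the same revoked certificate, which is exactly the gap the Sterling External Authentication Server option closes.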