I have an application that is currently deployed in WAS 22.214.171.124. This application connects to another server via a web service, and the host of the other server requires me to connect using TLS 1.2 over a mutual SSL connection.
I have already successfully imported the (other) server's host certificate into the truststore of my WAS, but as this is mSSL and not regular 1-way SSL, I also need to set up the client certificate to be sent back to the other server to verify the connection.
How do I do this? I cannot seem to find any options in the WAS admin console that specifies a client certificate to be sent to a remote server for mSSL.
Some points to consider:
[11/28/16 20:57:15:836 CST] 000000e9 SystemOut O [Raw read]: length = 5
[11/28/16 20:57:15:836 CST] 000000e9 SystemOut O 0000: 15 03 03 00 02 .....
[11/28/16 20:57:15:836 CST] 000000e9 SystemOut O [Raw read]: length = 2
[11/28/16 20:57:15:836 CST] 000000e9 SystemOut O 0000: 02 28 ..
[11/28/16 20:57:15:836 CST] 000000e9 SystemOut O Thread-142, READ: TLSv1.2 Alert, length = 2
[11/28/16 20:57:15:836 CST] 000000e9 SystemOut O Thread-142, RECV TLSv1.2 ALERT: fatal, handshake_failure
You can use the 'Dynamic outbound endpoint' functionality to associate a certificate with connections to the target server. To set up the Dynamic outbound endpoint, see: Associating a Secure Sockets Layer configuration dynamically with an outbound protocol and remote secure endpoint.
The connection information is of the form *,hostname,port. Once you select your existing SSL configuration (CellDefaultSSLSettings), click on the 'Get certificate aliases' button. Then select your client-side certificate from the drop-down.
This should allow you to perform mutual authentication correctly. Note that your client-side certificate must also be present in the trust store of your target server.
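As an added example (not part of the question or of the answer above), the following Python script decodes the [Raw read] / [Raw write] hex dumps that javax.net.debug=ssl writes to SystemOut.log, as in the trace in the question, back into TLS records, and tells apart the two ways a mutual-authentication handshake fails: the client answering the server's CertificateRequest with an empty Certificate message because no client certificate is associated with the endpoint (what the dynamic outbound endpoint selection fixes), versus the server rejecting a certificate it was sent (the truststore note at the end of the answer). The six trace lines from the question are reused as-is; the lines for the server's CertificateRequest and the client's empty Certificate, and their byte values, are constructed for illustration. It decodes only plaintext records, i.e. everything before ChangeCipherSpec, which is where a client-certificate problem shows up.

```python
import re
from collections import namedtuple

# Record-layer and handshake constants from RFC 5246 (TLS 1.2).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 13: "certificate_request",
                   14: "server_hello_done", 15: "certificate_verify",
                   16: "client_key_exchange", 20: "finished"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
                      40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
                      44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
                      47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
                      50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
                      71: "insufficient_security", 80: "internal_error", 110: "unsupported_extension"}

TlsRecord = namedtuple("TlsRecord", "content_type version payload")

# "[Raw read]: length = 5" / "[Raw write]: length = 12" headers and the hex-dump lines below them.
DUMP_HEADER = re.compile(r"\[Raw (read|write)\]: length = (\d+)")
DUMP_LINE = re.compile(r"\b[0-9A-Fa-f]{4}:\s+((?:[0-9A-Fa-f]{2}\s+)*[0-9A-Fa-f]{2})")


def split_trace(lines):
    """Reassemble the bytes read from and written to the socket, in order, per direction.

    The byte count in each '[Raw ...]: length = N' header bounds how many hex tokens are taken
    from the following dump lines, so the ASCII column on the right is never misread as data.
    """
    streams = {"read": bytearray(), "write": bytearray()}
    direction, remaining = None, 0
    for line in lines:
        header = DUMP_HEADER.search(line)
        if header:
            direction, remaining = header.group(1), int(header.group(2))
            continue
        dump = DUMP_LINE.search(line)
        if not dump or remaining <= 0:
            continue
        for token in dump.group(1).split():
            if remaining == 0:
                break
            streams[direction].append(int(token, 16))
            remaining -= 1
    return bytes(streams["read"]), bytes(streams["write"])


def parse_records(data):
    """Split a byte stream into TLS records: 1-byte type, 2-byte version, 2-byte length, payload."""
    records, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 5:
            raise ValueError("truncated record header at offset %d" % pos)
        length = int.from_bytes(data[pos + 3:pos + 5], "big")
        payload = data[pos + 5:pos + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record body at offset %d" % pos)
        records.append(TlsRecord(data[pos], (data[pos + 1], data[pos + 2]), payload))
        pos += 5 + length
    return records


def describe_record(rec):
    """One line per record; plaintext handshake records are split into their messages."""
    version = VERSIONS.get(rec.version, "version%s" % (rec.version,))
    if rec.content_type == 21 and len(rec.payload) == 2:
        level, desc = rec.payload
        return "%s alert: %s %s" % (version, ALERT_LEVELS.get(level, str(level)),
                                    ALERT_DESCRIPTIONS.get(desc, "unknown(%d)" % desc))
    if rec.content_type == 22:
        names, pos = [], 0
        while pos + 4 <= len(rec.payload):
            htype = rec.payload[pos]
            hlen = int.from_bytes(rec.payload[pos + 1:pos + 4], "big")
            body = rec.payload[pos + 4:pos + 4 + hlen]
            name = HANDSHAKE_TYPES.get(htype, "unknown(%d)" % htype)
            if htype == 11:  # Certificate: body starts with the 3-byte certificate_list length
                chain_len = int.from_bytes(body[:3], "big")
                name += " (empty chain)" if chain_len == 0 else " (chain %d bytes)" % chain_len
            names.append(name)
            pos += 4 + hlen
        return "%s handshake: %s" % (version, ", ".join(names))
    return "%s %s (%d bytes)" % (version, CONTENT_TYPES.get(rec.content_type, "unknown"), len(rec.payload))


def decode_trace(lines):
    read_bytes, write_bytes = split_trace(lines)
    return {"read": [describe_record(r) for r in parse_records(read_bytes)],
            "write": [describe_record(r) for r in parse_records(write_bytes)]}


def diagnose(decoded):
    """Relate what the server asked for to what the client actually sent."""
    requested = any("certificate_request" in d for d in decoded["read"])
    sent_empty = any("certificate (empty chain)" in d for d in decoded["write"])
    fatal = any("alert: fatal" in d for d in decoded["read"])
    if requested and sent_empty:
        return ("server requested a client certificate and the client sent an empty chain: "
                "no client certificate is configured for this outbound endpoint")
    if requested and fatal:
        return ("client certificate was sent but the server rejected the handshake: "
                "check that it is in the server's truststore")
    return "no client-certificate problem visible in this trace"


PREFIX = "[11/28/16 20:57:15:836 CST] 000000e9 SystemOut O "
SAMPLE_TRACE = [
    # Constructed: server's CertificateRequest + ServerHelloDone (JSSE reads the header, then the body).
    PREFIX + "[Raw read]: length = 5",
    PREFIX + "0000: 16 03 03 00 0f                                     .....",
    PREFIX + "[Raw read]: length = 15",
    PREFIX + "0000: 0d 00 00 07 02 01 40 00  00 00 00 0e 00 00 00     ......@........",
    # Constructed: client answers with a Certificate message whose certificate_list is empty.
    PREFIX + "[Raw write]: length = 12",
    PREFIX + "0000: 16 03 03 00 07 0b 00 00  03 00 00 00              ............",
    # The lines from the question: the server's fatal alert, read as header then body.
    PREFIX + "[Raw read]: length = 5",
    PREFIX + "0000: 15 03 03 00 02 .....",
    PREFIX + "[Raw read]: length = 2",
    PREFIX + "0000: 02 28 ..",
    PREFIX + "Thread-142, READ: TLSv1.2 Alert, length = 2",
    PREFIX + "Thread-142, RECV TLSv1.2 ALERT: fatal, handshake_failure",
]

if __name__ == "__main__":
    result = decode_trace(SAMPLE_TRACE)
    for direction in ("read", "write"):
        for line in result[direction]:
            print("%-5s %s" % (direction, line))
    print(diagnose(result))
```

The alert in the question arrives as two reads (a 5-byte record header, then a 2-byte body), so all reads are concatenated before parsing; level 2 is fatal and description 0x28 (40) is handshake_failure, which is exactly what the "RECV TLSv1.2 ALERT" line that JSSE prints after the dump says. Because the alert is still in plaintext, it was sent before the server's ChangeCipherSpec, i.e. the server aborted while still evaluating the handshake, which is where a missing or untrusted client certificate is rejected.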