X.509 certificates

WebSphere Commerce supports client certificate logon as a security mechanism, protecting both site and customer. The X.509 certificate supplements basic authentication for customers entering a site. A customer holding this certificate can access a secured WebSphere Commerce site, which has been enabled for client certificate authentication.

When you create a WebSphere Commerce instance, you select the web server Authentication Mode. The Authentication Mode is either Basic or X.509. The default is Basic authentication, which is logon authentication with a login ID and password. To activate logon authentication with X.509 certificates, select X.509 authentication.

Before you can begin using X.509 certificates, you must arrange for a trust relationship with an external certificate authority to handle electronic authentication of the X.509 certificates. If you are using Sun Java System Web Server as your web server, you need to follow additional steps to enable the X.509 certificates on your web server. For more information, see the Sun Java System Web Server product documentation.

X.509 users are accessible through the WebSphere Commerce Accelerator. Before X.509 certificate authentication is enabled, the administrator must ensure that there is a client certificate, which is recognized by the server certificate and installed on the browser. Otherwise, the administrator will be unable to log on. When the administrator accesses the Administration Console login window for the first time, a certificate customer record is created and a customer cookie is issued, similar to when a normal customer accesses a secure URL. After the administrator logs on to the Administration Console using the correct ID and password, an administrator cookie is issued, replacing the customer cookie. An administrator will then have two user records: the administrator user and the previous customer user.

An error message is displayed when:

  • A user's X.509 certificate has been revoked by a site.
  • A client certificate does not contain the necessary information to guarantee that the customer is unique in WebSphere Commerce.

The X.509 error view task is registered as X509 ErrorView in the Struts configuration files.

A typical authentication scenario

The following steps illustrate a typical authentication scenario for X.509 certificates:

  1. A customer accesses:
    • A non-secure URL through http://

      No authentication is performed.

    • A secure URL through https://

      The customer is prompted to select a client certificate.

    • A URL command that is redirected to https:// because of the access mode of the URL command

      The customer is prompted to select a client certificate.

  2. The WebSphere Commerce Server uses the information from the client certificate to see whether the customer exists in the WebSphere Commerce USERS table:
    • If the customer exists with a valid certificate status, the customer is authenticated and the shopping flow resumes.
    • If the customer does not exist, the customer is automatically registered in the WebSphere Commerce database and the shopping flow resumes.

Note: Only the information found in the CERT_X509 table is taken from the certificate. However, customer address information could be taken from the X.509 client certificate, if it is available.
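The lookup-and-register decision in step 2, together with the two error cases listed earlier (revoked certificate, certificate that cannot guarantee uniqueness), as an added Python model of the documented flow. This is not WebSphere Commerce code; the ClientCert, CertStore and x509_logon names, the in-memory stand-in for the USERS/CERT_X509 tables, and the issuer/serial/subject lookup key are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed stand-in for the fields a site reads from a client certificate.
@dataclass(frozen=True)
class ClientCert:
    subject_dn: Optional[str]   # e.g. "CN=alice,O=Example"
    issuer_dn: Optional[str]
    serial: Optional[str]

@dataclass
class CertStore:
    """Constructed stand-in for the USERS / CERT_X509 tables: key -> (user id, status)."""
    users: Dict[Tuple[str, str, str], Tuple[str, str]] = field(default_factory=dict)
    next_id: int = 1000

def cert_key(cert: ClientCert) -> Optional[Tuple[str, str, str]]:
    """Issuer, serial and subject together identify the certificate (assumed key).
    If any of them is missing, the customer cannot be guaranteed unique."""
    if not (cert.subject_dn and cert.issuer_dn and cert.serial):
        return None
    return (cert.issuer_dn, cert.serial, cert.subject_dn)

def x509_logon(store: CertStore, cert: Optional[ClientCert], secure: bool) -> Tuple[str, Optional[str]]:
    """Return (outcome, user id). Outcomes mirror the documented scenario."""
    if not secure:
        return ("no_auth", None)          # plain http:// URL: no authentication performed
    if cert is None:
        return ("error", None)            # https:// but no certificate selected (assumed handling)
    key = cert_key(cert)
    if key is None:
        return ("error", None)            # not unique in the site -> X.509 error view
    found = store.users.get(key)
    if found is None:
        user_id = f"u{store.next_id}"     # customer not in USERS: auto-register, flow resumes
        store.next_id += 1
        store.users[key] = (user_id, "valid")
        return ("registered", user_id)
    user_id, status = found
    if status != "valid":
        return ("error", user_id)         # certificate revoked by the site -> error view
    return ("authenticated", user_id)     # valid certificate status: shopping flow resumes
```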