Information Center

Client authentication

Client authentication is similar to server authentication except that the telnet server requests a certificate from the client to verify that the client is who it claims to be. The certificate must be an X.509 certificate and signed by a certificate authority (CA) trusted by the server. You can only use client authentication when a server requests a certificate from a client. Not all servers support client authentication, including the Z and I Emulator for Web Redirector. The later versions of the IBM Communications Servers (CS/NT, CS/AIX, etc.) all support client authentication.

When a server requests a certificate, the client has the option to send a certificate or attempt to connect without it. The server allows the connection if the client's certificate can be trusted. When a client attempts to connect without a certificate, the server might give the client access but at a lower security level.

Client requests secure connection Client sends a request for an SSL session to Server.
Server requests certificate Client receives Server's certificate and checks its list of trusted CAs. Since Server's certificate is signed by a trusted CA, Client accepts the certificate. Server asks Client for a certificate that will identify the Client.
Client sends a certificate or tries to establish a session without one Client sends a certificate or tries to establish a session without one.
Server examines certificate and creates secure connection or gives client lower security level If Client sends a certificate, Server checks its list of trusted certificates. If the Client can be trusted, the secure session is established. If Client does not send a certificate, Server establishes a secure connection at a lower level of security.

To configure client authentication:

  1. Obtain certificates for clients.


  2. Securely send the certificate files and their passwords to the clients, or install the certificates in the clients' browsers or security devices.

  3. Configure clients to use TLS/SSL.

When a certificate expires, follow the renewal procedures specified by the CA for that certificate.

Related topics