SSL/Certificates Queries

Vaibhav Gargs
Ranch Hand
Posts: 116
2
We are developing a web service which will be invoked by multiple clients. We need to secure this web service, which will be deployed on IBM WebSphere. We will be using SSL communication for this web service and have the following queries:

If we have 4 client apps calling this 1 webservice, then

1. How many keystore certificates do we need to have: 1 or 4? Why?

2. How many truststore certificates do we need to have: 1 or 4? Why?

3. What will be the purpose of the keystore and the truststore?

4. Do we need to have both a keystore and a truststore? Or can we have just one of them?

Your inputs are highly appreciated.

Thanks.
 
Tim Moores
Saloon Keeper
Posts: 4035
94
Unless you want to use certificates to authenticate the client (which would be an unusual setup), you would only have one server certificate.

Presumably there is documentation available for Websphere (searching for "websphere ssl" brings up a bunch of promising results), but for a general introduction on what you need to do to enable SSL, and why, start here: http://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html
 
Vaibhav Gargs
Ranch Hand
Posts: 116
2
Thanks Tim for your response.

If we have to secure our web service, doesn't that require providing the client certs as well, along with the server certs?

Moreover, in what particular scenario should we use client certificates? If we don't have a server certificate, no one will be able to access the server. So why are client certificates needed at all?
 
Tim Moores
Saloon Keeper
Posts: 4035
94
> If we have to secure our web service, doesn't that require providing the client certs as well, along with the server certs?

That depends on what, exactly, you mean by "securing the web service". Security can take many forms, depending on what you are trying to protect against what attacks. But while client certs have a role to play, they are not widely used.

> In what particular scenario should we use client certificates?

Client certificates are used for authentication of the client to the server, whereas the server certificate is used for authenticating the server to the client (usually the more important part, especially on the public internet where the client is often anonymous). Clients often use passwords to authenticate themselves; over an encrypted channel, that is generally considered sufficient.

> Since if we don't have server certificate, no one will be able to access the server.

To be more precise: ... no one will be able to access the server securely.
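
The server-only setup discussed in this thread, as an added Java example that is not part of the original posts: the server holds one keystore with its own key pair, and every client holds a truststore containing the server's certificate (or its issuing CA). The file names `server-keystore.p12` and `client-truststore.p12`, the password, port 8443 and a certificate issued for `localhost` are assumptions made for the illustration.

```java
import javax.net.ssl.*;
import java.io.*;
import java.security.KeyStore;

public class KeystoreVsTruststore {
    // Load a PKCS12 store; the file names and password used in main() are placeholders.
    static KeyStore load(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) { ks.load(in, pw); }
        return ks;
    }

    // keyStore = own private key + certificate (null if none); trustStore = accepted peer certs (null = JVM default CAs)
    static SSLContext context(KeyStore keyStore, char[] pw, KeyStore trustStore) throws Exception {
        KeyManager[] kms = null;
        if (keyStore != null) {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(keyStore, pw);
            kms = kmf.getKeyManagers();
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore); // a null KeyStore selects the JVM's default trust anchors
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();
        // Server side: one keystore with the server's key pair, however many clients connect.
        SSLContext serverCtx = context(load("server-keystore.p12", pw), pw, null);
        SSLServerSocket listener = (SSLServerSocket) serverCtx.getServerSocketFactory().createServerSocket(8443);
        listener.setNeedClientAuth(false); // true would demand a client certificate (and a server truststore)
        Thread server = new Thread(() -> {
            try (SSLSocket peer = (SSLSocket) listener.accept()) { peer.startHandshake(); } catch (Exception e) { e.printStackTrace(); }
        });
        server.start();
        // Client side: only a truststore holding the server certificate or its issuing CA.
        SSLContext clientCtx = context(null, null, load("client-truststore.p12", pw));
        try (SSLSocket s = (SSLSocket) clientCtx.getSocketFactory().createSocket("localhost", 8443)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // also check that the certificate names the host
            s.setSSLParameters(p);
            s.startHandshake(); // fails if the server certificate is not trusted by the truststore
            System.out.println("Handshake OK: " + s.getSession().getProtocol());
        }
        server.join();
        listener.close();
    }
}
```

The same truststore content can be distributed to all four clients; switching `setNeedClientAuth` to `true` is the point at which each client would need its own keystore and the server a truststore.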