Overview of Client-Cert Authentication
Client-Cert authentication uses a certificate or another custom token to authenticate a user. The token is "mapped" to a user present in the Converged Application Server security realm in which the Servlet is deployed. SIP Servlets that want to use Client-Cert authentication must set the auth-method element to CLIENT-CERT in their sip.xml deployment descriptor.
The token used for Client-Cert authentication can be obtained in several different ways:
- X509 Certificate from SSL: In the most common case, an X509 certificate is derived from a client token during a two-way SSL handshake between the client and the server. The SIP Servlet can view the resulting certificate in the javax.servlet.request.X509Certificate request attribute. This method of performing Client-Cert authentication is the most common and is described in the SIP Servlet specification (JSR-116). Converged Application Server provides two security providers that can be used to validate the X509 certificate; see "Configuring SSL and X509 for Converged Application Server".
- WL-Proxy-Client-Cert Header: Converged Application Server provides an alternate method for supplying a Client-Cert token that does not require a two-way SSL handshake between the client and the server. Instead, the SSL handshake can be performed between a client and a proxy server or load balancer before the request reaches the destination Converged Application Server. The proxy takes the resulting X509 certificate chain, encodes it in base-64, and adds it to a special WL-Proxy-Client-Cert header in the SIP message. The server hosting the destination SIP Servlet then uses the WL-Proxy-Client-Cert header to obtain the certificate. The certificate is also made available by the container to Servlets via the javax.servlet.request.X509Certificate request attribute. To use this alternate method of supplying client tokens, you must configure Converged Application Server to enable use of the WL-Proxy-Client-Cert header; see "Configuring Converged Application Server to Use WL-Proxy-Client-Cert". You must also configure an X509 Identity Asserter provider as described in "Configuring SSL and X509 for Converged Application Server".
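The following SIP Servlet is an added example written for this page; it is not Oracle's code and not part of the Converged Application Server distribution. It assumes the Servlet is deployed with auth-method set to CLIENT-CERT in its sip.xml (a login-config element containing auth-method CLIENT-CERT), and that either two-way SSL or a proxy supplying the WL-Proxy-Client-Cert header (with that header enabled on the server and an X509 Identity Asserter configured) is in place. It shows how a Servlet reads the chain the container places in the javax.servlet.request.X509Certificate attribute, which is populated in both of the cases described above, and how it can tell which of the two paths delivered the token. The class name and the log text are the example's own choices.

```java
import java.io.IOException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.sip.SipServlet;
import javax.servlet.sip.SipServletRequest;
import javax.servlet.sip.SipServletResponse;

/**
 * Example servlet (not Oracle's code). Deployed with
 * auth-method CLIENT-CERT in sip.xml, so the container has already
 * run the X509 Identity Asserter and mapped the certificate to a
 * realm user before doInvite() is called.
 */
public class ClientCertInspectorServlet extends SipServlet {

    // Attribute name defined by the Servlet / SIP Servlet specifications.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // Header name used by Converged Application Server's proxy-supplied token path.
    static final String PROXY_CERT_HEADER = "WL-Proxy-Client-Cert";

    @Override
    protected void doInvite(SipServletRequest req) throws ServletException, IOException {
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);

        if (chain == null || chain.length == 0) {
            // No identity was asserted: neither a two-way SSL handshake nor an
            // enabled WL-Proxy-Client-Cert header supplied a certificate.
            // Refuse the request instead of continuing anonymously.
            req.createResponse(SipServletResponse.SC_FORBIDDEN,
                               "Client certificate required").send();
            return;
        }

        // chain[0] is the end-entity (client) certificate; the rest are issuers.
        X509Certificate leaf = chain[0];

        // The identity asserter validated the chain, but checking validity
        // dates again here is cheap and documents the assumption in code.
        try {
            leaf.checkValidity();
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            req.createResponse(SipServletResponse.SC_FORBIDDEN,
                               "Client certificate not valid").send();
            return;
        }

        // Which path delivered the token? Only report the header's presence;
        // the servlet must rely on the container-populated attribute, never
        // on parsing the header itself.
        String source = (req.getHeader(PROXY_CERT_HEADER) != null)
                ? "WL-Proxy-Client-Cert header"
                : "two-way SSL handshake";

        // getUserPrincipal() is the realm user the identity asserter mapped
        // the certificate to; null means the mapping failed.
        String mappedUser = (req.getUserPrincipal() == null)
                ? null : req.getUserPrincipal().getName();

        log("INVITE authenticated via " + source
                + ", subject=" + leaf.getSubjectX500Principal().getName()
                + ", issuer=" + leaf.getIssuerX500Principal().getName()
                + ", realm user=" + mappedUser);

        if (mappedUser == null) {
            req.createResponse(SipServletResponse.SC_FORBIDDEN,
                               "Certificate not mapped to a realm user").send();
            return;
        }

        req.createResponse(SipServletResponse.SC_OK).send();
    }
}
```

When the proxy-header path is in use, the servlet's trust rests entirely on the container's configuration: the WL-Proxy-Client-Cert header should be enabled only on servers that receive SIP traffic exclusively through the proxy or load balancer that performs the SSL handshake, since any client able to reach the server directly could otherwise present the header itself. The example therefore logs which path delivered the certificate but never reads the certificate out of the header on its own.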
SIP Servlets can also use the CLIENT-CERT auth-method to implement perimeter authentication. Perimeter authentication uses custom token names and values, along with a custom security provider, to authenticate clients. See "Supporting Perimeter Authentication with a Custom IA Provider" for a summary of the steps required to implement perimeter authentication.