ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

VIPservices Best Practice (VIP Mutual Authentication)

book

Article ID: 150108

calendar_today

Updated On:

Products

VIP Authentication Service

Issue/Introduction

 

Resolution

This article details the best practices for trust points and relevant configurations to implement SSL connections to the Symantec VIP service.
 
To connect to the Symantec VIP service, client applications must use the SSL protocol with mutual authentication. The server can be successfully authenticated by the client application if the client application includes the appropriate trust point from the server certificate chain into its Trusted CA certificate store.
 
Client Applications & Trust Points
 
Symantec VIP Services offer flexibility for clients connecting with our services backend. The clients that connect to VIP Services above are web applications, web services and XML gateway appliances implemented in Java, C, C++, .NET, PHP or other popular languages. These clients support the SSL protocol and should have the ability to configure a trusted certificate store.
 
When using certificate-based mutual authentication, the following actions occur.
  1. The VIP client initiates an HTTPS call.
  2. The server sends back the server certificate chain (SSL certificate and Intermediate CA) up to but not including the root certificate.
  3. The client verifies the server certificate with the trust points that are stored in its local trust store in this case, “DigiCert Global Root CA”.
  4. The client sends the server the VIP certificate.
  5. The server verifies the VIP certificate with the trust points, “VIP Authentication Service CA ”, that is stored in its local trust store.
  6. After the transmission is secured, the client is authenticated and allowed to access protected services. 
Recommendation
 
The SSL server certificates for the Symantec VIP service are signed by the Root CA “DigiCert Global Root CA”. Make certain that this root certificate is included in the trusted CA certificate store configured in client applications. Trusting this root certificate will ensure maximum compatibility with future SSL server certificate renewals/changes and thus help ensure continuous successful client connectivity to the VIP service. Symantec strongly requests that customer applications connecting to these services leverage the Root CA mentioned as the trust anchor and not the Intermediate CA as the Intermediate CAs are subject to change.
 
Conclusion

Symantec best practices ensure continuous connectivity to the Symantec VIP service backend is to leverage the Root CA as a trust point in client applications that need to establish an SSL connection.