iWay Service Manager (iSM) maintains a database of private keys that correspond to public keys published in any certificates issued for it. The server software requests the password to this database (called a key store) the first time that it needs to access it. An example would be the first time that a user attempts to access an SSL-enabled server that requires certificate-based client authentication. Key stores are managed in iWay Service Manager by key store providers, which are usually configured with the required password. Some key stores (usually those implemented in hardware such as an nCypher device), can request the password at runtime using a callback mechanism. In either case, once entered, the password need not be reentered during runtime, even when the key store is accessed by other providers or users, such as other SSL-enabled channels. This centralization of the key store access within the provider increases server security.

The client sends both the user certificate and the evidence (the randomly generated piece of data that was digitally signed) across the network. The server uses the certificate and the evidence to authenticate the user identity. At this point the server may optionally perform other authentication tasks, such as checking that the certificate presented by the client is stored in the user entry in an LDAP directory.

The server then continues to evaluate the identified user's access permission for the requested resource. This evaluation process can employ a variety of standard authorization mechanisms, potentially using additional information in an LDAP directory, company databases, and others. On determining a positive evaluation, the server enables the client to access the requested resource.

As certificates replace the authentication portion of the client/server interaction, instead of requiring users to send passwords across the network throughout the day, a single sign-on enables users to enter the private key database password just once, without sending it across the network. For the remainder of the session, the client presents the user certificate to authenticate the user to each new server it encounters. Existing authorization mechanisms based on user identity authentication are not affected.

The following certificates are commonly used with iWay products:

• Client SSL certificates. Identify clients to servers via SSL (client authentication). Typically, the identity of the client is assumed to be the same as the identity of a person, such as an employee of an enterprise.
• Server SSL certificates. Identify servers to clients via SSL (server authentication). You may also use server authentication with or without client authentication. Server authentication is a requirement for an encrypted SSL session, in which personal information sent over the network, such as credit card numbers, cannot easily be intercepted.
• S/MIME certificates. Sign and encrypt e-mail. As with client SSL certificates, the client identity is typically assumed to be the same as the identity of a person, such as an employee in an enterprise. You may use a single certificate as both an S/MIME certificate and an SSL certificate. S/MIME certificates are also used for Form Signing and as part of a Single Sign-On solutions.
• Object-signing certificates. Identify signers of Java code, JavaScript scripts, or other signed files. Software companies sign software distributed over the Internet to provide users with assurance that the software is a legitimate product of their company.
• CA certificates. Identify Certificate Authorities (CAs). Client and server software uses CA certificates to determine what other certificates can be trusted. An administrator can implement some aspects of corporate security policies by controlling the CA certificates stored in each user's copy of the client software.