I'd like to turn on client authentication on WAS liberty profile so that the communication b/w the web server and the app server is in mutual SSL.

On IHS, I have a plugin file to FW the traffic to the app server in HTTPS with a keyring and stashfile. It is working and FW the traffic to the WLP.

On WLP's server.xml I turn on the client authentication to enforce the WLP to authenticate the certificate by giving clientAuthentication="true" in the <ssl> element.

<ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" clientAuthentication="true" />

I try to validate this by directly hitting the app server using browser with https address (without any client certificate) and expected to get a access denied. And to access the app server via the app server should grant access if mutual SSL is up and running. However, both hitting the app server directly or via web server, I can access the resource.

This set up clearly isn't correct or not complete. Any thoughts?

I have it resolved. What I missed was the <sslOptionRef id="defaultSSLConfig" /> inside <httpEndpoint>. I was under impression that it would automatically pick up the olny one <ssl> element I defined in server.xml. But without the sslOptionRef, client authentication somehow doesn't work and does not authenticate the client.

Now with <sslOptionRef> defined in server.xml, the client authentication is working fine that I can only access the WLP app server via my web server in my browser in https.