SSLCLCERT and SSLCLCERTR (JANUS DEFINE parameters): Difference between revisions

From m204wiki
Jump to navigation Jump to search
m (1 revision)
m (add displaytitle)
 
(3 intermediate revisions by 3 users not shown)
Line 1: Line 1:
<span class="pageSubtitle"><section begin="desc" />Request certificate from client<section end="desc" /></span>
{{DISPLAYTITLE: SSLCLCERT and SSLCLCERTR}}
<span class="pageSubtitle">Request certificate from client</span>


<var>SSLCLCERT</var> and <var>SSLCLCERTR</var> are parameters on <var>[[JANUS DEFINE]]</var>, which define and sets characteristics of a Janus port.  
<var>SSLCLCERT</var> and <var>SSLCLCERTR</var> are parameters on <var>[[JANUS DEFINE]]</var>, which define and sets characteristics of a Janus port.  


These parameters specify that an SSL server port will request an SSL certificate from the client. An SSL port is a Janus port whose definition includes an <var>[[SSL (JANUS DEFINE parameter)|SSL]]</var> parameter, which indicates that communications on this port may be encrypted using <var class="product">[http://sirius-software.com/maint/download/jansslr.pdf Janus Network Security]</var> SSL (Secure Sockets Layer) or TLS (Transport Layer Security) support.  
These parameters specify that an SSL server port will request an SSL certificate from the client. An SSL port is a Janus port whose definition includes an <var>[[SSL (JANUS DEFINE parameter)|SSL]]</var> parameter, which indicates that communications on this port may be encrypted using <var class="product">[[Janus Network Security]]</var> SSL (Secure Sockets Layer) or TLS (Transport Layer Security) support.  


If the client does '''not''' present a certificate when requested:
If the client does '''not''' present a certificate when requested:
<ul>
<ul>
<li><var>SSLCLCERT</var> specifies that normal processing should continue.  
<li><var>SSLCLCERT</var> specifies that normal processing should continue.  
<li><var>SSLCLCERTR</var> specifies either of the following:
<li><var>SSLCLCERTR</var> specifies either of the following:


<ul>
<ul>
<li>The connection should be closed with no further processing (and "MSIR.0646: Error requesting client certificate - client did not have required certificate" is journaled).  
<li>The connection should be closed with no further processing (and "MSIR.0646: Error requesting client certificate - client did not have required certificate" is journaled).  
<li>Processing continues to run the <var>[[SSLNOCERTERR]]</var> exception handler, if this is a <var>[[JANUS DEFINE#type|WEBSERV]]</var> port and an <var>ON SSLNOCERTERR</var> clause is part of the port definition.  
<li>Processing continues to run the <var>[[JANUS WEB exception rules#sslnocerterr|SSLNOCERTERR]]</var> exception handler, if this is a <var>[[JANUS DEFINE#type|WEBSERV]]</var> port and an <var>ON SSLNOCERTERR</var> clause is part of the port definition.  
</ul>
</ul>
</ul>
</ul>
Line 19: Line 20:
To verify a certificate that is passed by a client, you must first have added to the port one or more CA-signed certificates by using the <var>[[JANUS ADDCA]]</var> command.
To verify a certificate that is passed by a client, you must first have added to the port one or more CA-signed certificates by using the <var>[[JANUS ADDCA]]</var> command.


When a client presents a certificate, that certificate is available to <var class="product">User Language</var> code via <var>[[$Web_Cert_Levels]]</var> and <var>[[$Web_Cert_Info]]</var> on <var>WEBSERV</var> ports, and it is available via <var>[[$Sock_Cert_Levels]]</var> and <var>[[$Sock_Cert_Info]]</var> on <var>[[JANUS DEFINE#type|SRVSOCK]]</var> ports.  
When a client presents a certificate, that certificate is available to <var class="product">SOUL</var> code via <var>[[$Web_Cert_Levels]]</var> and <var>[[$Web_Cert_Info]]</var> on <var>WEBSERV</var> ports, and it is available via <var>[[$Sock_Cert_Levels]]</var> and <var>[[$Sock_Cert_Info]]</var> on <var>[[JANUS DEFINE#type|SRVSOCK]]</var> ports.  


Client certificate information can be used to perform trusted logins in <var>[[NEWSESCMD (JANUS DEFINE parameter)|NEWSESCMD]]</var> programs.
Client certificate information can be used to perform trusted logins in <var>[[NEWSESCMD (JANUS DEFINE parameter)|NEWSESCMD]]</var> programs.


The following example shows a web server SSL port definition that specifies the <var>SSLCLCERTR</var> parameter, JANUS ADDCA commands that are needed to store CA-signed certificates to authenticate the client certificate, and a rule that specifies the ONSSLCERTERR exception handler for cases where the client does not present a certificate:
The following example shows a web server SSL port definition that specifies the <var>SSLCLCERTR</var> parameter, <var>[[JANUS ADDCA]]</var> commands that are needed to store CA-signed certificates to authenticate the client certificate, and a rule that specifies the <var>SSLNOCERTERR</var> exception handler for cases where the client does not present a certificate:


<p class="code">JANUS DEFINE CLCERTWEB 9733 WEBSERV 10 HTTPVERSION 1.1 -
<p class="code">JANUS DEFINE CLCERTWEB 9733 WEBSERV 10 HTTPVERSION 1.1 -

Latest revision as of 23:36, 7 June 2016

Request certificate from client

SSLCLCERT and SSLCLCERTR are parameters on JANUS DEFINE, which define and sets characteristics of a Janus port.

These parameters specify that an SSL server port will request an SSL certificate from the client. An SSL port is a Janus port whose definition includes an SSL parameter, which indicates that communications on this port may be encrypted using Janus Network Security SSL (Secure Sockets Layer) or TLS (Transport Layer Security) support.

If the client does not present a certificate when requested:

  • SSLCLCERT specifies that normal processing should continue.
  • SSLCLCERTR specifies either of the following:
    • The connection should be closed with no further processing (and "MSIR.0646: Error requesting client certificate - client did not have required certificate" is journaled).
    • Processing continues to run the SSLNOCERTERR exception handler, if this is a WEBSERV port and an ON SSLNOCERTERR clause is part of the port definition.

To verify a certificate that is passed by a client, you must first have added to the port one or more CA-signed certificates by using the JANUS ADDCA command.

When a client presents a certificate, that certificate is available to SOUL code via $Web_Cert_Levels and $Web_Cert_Info on WEBSERV ports, and it is available via $Sock_Cert_Levels and $Sock_Cert_Info on SRVSOCK ports.

Client certificate information can be used to perform trusted logins in NEWSESCMD programs.

The following example shows a web server SSL port definition that specifies the SSLCLCERTR parameter, JANUS ADDCA commands that are needed to store CA-signed certificates to authenticate the client certificate, and a rule that specifies the SSLNOCERTERR exception handler for cases where the client does not present a certificate:

JANUS DEFINE CLCERTWEB 9733 WEBSERV 10 HTTPVERSION 1.1 - SSL JANSSL TM2008.PKEY SSLCLCERTR JANUS ADDCA CLCERTWEB MYPROC SECURESE.CERT JANUS ADDCA CLCERTWEB MYPROC THAWTE.CERT JANUS ADDCA CLCERTWEB MYPROC VERIJUNK.CERT JANUS WEB CLCERTWEB ON SSLNOCERTERR OPEN FILE MYPROC - CMD 'INCLUDE MISSING_CERTIFICATE_ERROR'

SSLCLCERT and SSLCLCERTR are valid for SRVSOCK, WEBSERV, OPENSERV, and SDS port types.

See also