SSLCLCERT and SSLCLCERTR (JANUS DEFINE parameters): Difference between revisions

From m204wiki
Jump to navigation Jump to search
(Automatically generated page update)
mNo edit summary
Line 13: Line 13:
<ul>
<ul>
<li>The connection should be closed with no further processing (and "MSIR.0646: Error requesting client certificate - client did not have required certificate" is journaled).  
<li>The connection should be closed with no further processing (and "MSIR.0646: Error requesting client certificate - client did not have required certificate" is journaled).  
<li>Processing continues to run the <var>[[SSLNOCERTERR]]</var> exception handler, if this is a <var>[[JANUS DEFINE#type|WEBSERV]]</var> port and an <var>ON SSLNOCERTERR</var> clause is part of the port definition.  
<li>Processing continues to run the <var>[[JANUS WEB exception rules#sslnocerterr|SSLNOCERTERR]]</var> exception handler, if this is a <var>[[JANUS DEFINE#type|WEBSERV]]</var> port and an <var>ON SSLNOCERTERR</var> clause is part of the port definition.  
</ul>
</ul>
</ul>
</ul>
Line 23: Line 23:
Client certificate information can be used to perform trusted logins in <var>[[NEWSESCMD (JANUS DEFINE parameter)|NEWSESCMD]]</var> programs.
Client certificate information can be used to perform trusted logins in <var>[[NEWSESCMD (JANUS DEFINE parameter)|NEWSESCMD]]</var> programs.


The following example shows a web server SSL port definition that specifies the <var>SSLCLCERTR</var> parameter, JANUS ADDCA commands that are needed to store CA-signed certificates to authenticate the client certificate, and a rule that specifies the <var>[[ONSSLCERTERR]]</var> exception handler for cases where the client does not present a certificate:
The following example shows a web server SSL port definition that specifies the <var>SSLCLCERTR</var> parameter, JANUS ADDCA commands that are needed to store CA-signed certificates to authenticate the client certificate, and a rule that specifies the <var>SSLNOCERTERR</var> exception handler for cases where the client does not present a certificate:


<p class="code">JANUS DEFINE CLCERTWEB 9733 WEBSERV 10 HTTPVERSION 1.1 -
<p class="code">JANUS DEFINE CLCERTWEB 9733 WEBSERV 10 HTTPVERSION 1.1 -

Revision as of 22:50, 7 July 2014

Request certificate from client

SSLCLCERT and SSLCLCERTR are parameters on JANUS DEFINE, which define and sets characteristics of a Janus port.

These parameters specify that an SSL server port will request an SSL certificate from the client. An SSL port is a Janus port whose definition includes an SSL parameter, which indicates that communications on this port may be encrypted using Janus Network Security SSL (Secure Sockets Layer) or TLS (Transport Layer Security) support.

If the client does not present a certificate when requested:

  • SSLCLCERT specifies that normal processing should continue.
  • SSLCLCERTR specifies either of the following:
    • The connection should be closed with no further processing (and "MSIR.0646: Error requesting client certificate - client did not have required certificate" is journaled).
    • Processing continues to run the SSLNOCERTERR exception handler, if this is a WEBSERV port and an ON SSLNOCERTERR clause is part of the port definition.

To verify a certificate that is passed by a client, you must first have added to the port one or more CA-signed certificates by using the JANUS ADDCA command.

When a client presents a certificate, that certificate is available to User Language code via $Web_Cert_Levels and $Web_Cert_Info on WEBSERV ports, and it is available via $Sock_Cert_Levels and $Sock_Cert_Info on SRVSOCK ports.

Client certificate information can be used to perform trusted logins in NEWSESCMD programs.

The following example shows a web server SSL port definition that specifies the SSLCLCERTR parameter, JANUS ADDCA commands that are needed to store CA-signed certificates to authenticate the client certificate, and a rule that specifies the SSLNOCERTERR exception handler for cases where the client does not present a certificate:

JANUS DEFINE CLCERTWEB 9733 WEBSERV 10 HTTPVERSION 1.1 - SSL JANSSL TM2008.PKEY SSLCLCERTR JANUS ADDCA CLCERTWEB MYPROC SECURESE.CERT JANUS ADDCA CLCERTWEB MYPROC THAWTE.CERT JANUS ADDCA CLCERTWEB MYPROC VERIJUNK.CERT JANUS WEB CLCERTWEB ON SSLNOCERTERR OPEN FILE MYPROC - CMD 'INCLUDE MISSING_CERTIFICATE_ERROR'

SSLCLCERT and SSLCLCERTR are valid for SRVSOCK, WEBSERV, OPENSERV, and SDS port types.

See also