SSLCLCERT and SSLCLCERTR (JANUS DEFINE parameters): Difference between revisions
m (1 revision) |
m (add displaytitle) |
||
(29 intermediate revisions by 5 users not shown) | |||
Line 1: | Line 1: | ||
{{DISPLAYTITLE:SSLCLCERT and SSLCLCERTR}} | {{DISPLAYTITLE: SSLCLCERT and SSLCLCERTR}} | ||
<span class="pageSubtitle"> | <span class="pageSubtitle">Request certificate from client</span> | ||
SSLCLCERT and SSLCLCERTR are parameters on [[JANUS DEFINE]], | <var>SSLCLCERT</var> and <var>SSLCLCERTR</var> are parameters on <var>[[JANUS DEFINE]]</var>, which define and sets characteristics of a Janus port. | ||
These parameters specify that an SSL server port will request an SSL certificate from the client. An SSL port is a Janus port whose definition includes an <var>[[SSL (JANUS DEFINE parameter)|SSL]]</var> parameter, which indicates that communications on this port may be encrypted using <var class="product">[[Janus Network Security]]</var> SSL (Secure Sockets Layer) or TLS (Transport Layer Security) support. | |||
These parameters specify that an SSL server port will request an SSL certificate from the client. An SSL port is a Janus port whose definition includes an SSL parameter | |||
If the client does '''not''' present a certificate when requested: | If the client does '''not''' present a certificate when requested: | ||
<ul> | <ul> | ||
<li><var>SSLCLCERT</var> specifies that normal processing should continue. | |||
<li><var>SSLCLCERTR</var> specifies either of the following: | |||
<ul> | <ul> | ||
<li>The connection should be closed with no further processing (and "MSIR.0646: Error requesting client certificate - client did not have required certificate" is journaled). | <li>The connection should be closed with no further processing (and "MSIR.0646: Error requesting client certificate - client did not have required certificate" is journaled). | ||
<li>Processing continues to run the SSLNOCERTERR exception handler, if this is a WEBSERV port and an ON SSLNOCERTERR clause is part of the port definition | <li>Processing continues to run the <var>[[JANUS WEB exception rules#sslnocerterr|SSLNOCERTERR]]</var> exception handler, if this is a <var>[[JANUS DEFINE#type|WEBSERV]]</var> port and an <var>ON SSLNOCERTERR</var> clause is part of the port definition. | ||
</ul> | </ul> | ||
</ul> | </ul> | ||
To verify a certificate that is passed by a client, you must first have added to the port one or more CA-signed certificates by using the <var>[[JANUS ADDCA]]</var> command. | |||
When a client presents a certificate, that certificate is available to <var class="product">SOUL</var> code via <var>[[$Web_Cert_Levels]]</var> and <var>[[$Web_Cert_Info]]</var> on <var>WEBSERV</var> ports, and it is available via <var>[[$Sock_Cert_Levels]]</var> and <var>[[$Sock_Cert_Info]]</var> on <var>[[JANUS DEFINE#type|SRVSOCK]]</var> ports. | |||
When a client presents a certificate, that certificate is available to | |||
Client certificate information can be used to perform trusted logins in NEWSESCMD | Client certificate information can be used to perform trusted logins in <var>[[NEWSESCMD (JANUS DEFINE parameter)|NEWSESCMD]]</var> programs. | ||
The following example shows a web server SSL port definition that specifies the <var>SSLCLCERTR</var> parameter, <var>[[JANUS ADDCA]]</var> commands that are needed to store CA-signed certificates to authenticate the client certificate, and a rule that specifies the <var>SSLNOCERTERR</var> exception handler for cases where the client does not present a certificate: | |||
<p class="code">JANUS DEFINE CLCERTWEB 9733 WEBSERV 10 HTTPVERSION 1.1 - | |||
<p class="code"> JANUS DEFINE CLCERTWEB 9733 WEBSERV 10 HTTPVERSION 1.1 - | SSL JANSSL TM2008.PKEY SSLCLCERTR | ||
JANUS ADDCA CLCERTWEB MYPROC SECURESE.CERT | |||
JANUS ADDCA CLCERTWEB MYPROC THAWTE.CERT | |||
JANUS ADDCA CLCERTWEB MYPROC VERIJUNK.CERT | |||
JANUS WEB CLCERTWEB ON SSLNOCERTERR OPEN FILE MYPROC - | |||
CMD 'INCLUDE MISSING_CERTIFICATE_ERROR' | |||
</p> | </p> | ||
<var>SSLCLCERT</var> and <var>SSLCLCERTR</var> are valid for <var>[[JANUS DEFINE#type|SRVSOCK]]</var>, <var>[[JANUS DEFINE#type|WEBSERV]]</var>, <var>[[JANUS DEFINE#type|OPENSERV]]</var>, and <var>[[JANUS DEFINE#type|SDS]]</var> port types. | |||
==See also== | |||
<ul> | |||
<li>[[List of Janus commands]] | |||
<li>[[JANUS DEFINE#parmlist|List of JANUS DEFINE parameters]] | |||
</ul> | |||
== | |||
[[Category:JANUS DEFINE parameters|SSLCLCERT and SSLCLCERTR]] | [[Category:JANUS DEFINE parameters|SSLCLCERT and SSLCLCERTR]] |
Latest revision as of 23:36, 7 June 2016
Request certificate from client
SSLCLCERT and SSLCLCERTR are parameters on JANUS DEFINE, which define and sets characteristics of a Janus port.
These parameters specify that an SSL server port will request an SSL certificate from the client. An SSL port is a Janus port whose definition includes an SSL parameter, which indicates that communications on this port may be encrypted using Janus Network Security SSL (Secure Sockets Layer) or TLS (Transport Layer Security) support.
If the client does not present a certificate when requested:
- SSLCLCERT specifies that normal processing should continue.
- SSLCLCERTR specifies either of the following:
- The connection should be closed with no further processing (and "MSIR.0646: Error requesting client certificate - client did not have required certificate" is journaled).
- Processing continues to run the SSLNOCERTERR exception handler, if this is a WEBSERV port and an ON SSLNOCERTERR clause is part of the port definition.
To verify a certificate that is passed by a client, you must first have added to the port one or more CA-signed certificates by using the JANUS ADDCA command.
When a client presents a certificate, that certificate is available to SOUL code via $Web_Cert_Levels and $Web_Cert_Info on WEBSERV ports, and it is available via $Sock_Cert_Levels and $Sock_Cert_Info on SRVSOCK ports.
Client certificate information can be used to perform trusted logins in NEWSESCMD programs.
The following example shows a web server SSL port definition that specifies the SSLCLCERTR parameter, JANUS ADDCA commands that are needed to store CA-signed certificates to authenticate the client certificate, and a rule that specifies the SSLNOCERTERR exception handler for cases where the client does not present a certificate:
JANUS DEFINE CLCERTWEB 9733 WEBSERV 10 HTTPVERSION 1.1 - SSL JANSSL TM2008.PKEY SSLCLCERTR JANUS ADDCA CLCERTWEB MYPROC SECURESE.CERT JANUS ADDCA CLCERTWEB MYPROC THAWTE.CERT JANUS ADDCA CLCERTWEB MYPROC VERIJUNK.CERT JANUS WEB CLCERTWEB ON SSLNOCERTERR OPEN FILE MYPROC - CMD 'INCLUDE MISSING_CERTIFICATE_ERROR'
SSLCLCERT and SSLCLCERTR are valid for SRVSOCK, WEBSERV, OPENSERV, and SDS port types.