SSLCLCERT and SSLCLCERTR (JANUS DEFINE parameters)

From m204wiki
Revision as of 21:59, 8 March 2011 by Admin (talk | contribs) (1 revision)
Jump to navigation Jump to search

<section begin="desc" />and SSLCLCERTR<section end="desc" />

SSLCLCERT and SSLCLCERTR are parameters on JANUS DEFINE, whichs define and sets characteristics of a Janus port. See the List of JANUS DEFINE parameters.


These parameters specify that an SSL server port will request an SSL certificate from the client. An SSL port is a Janus port whose definition includes an SSL parameter (:hdref refid=ssl.) setting, which indicates that communications on this port may be encrypted using Janus Network Security SSL (Secure Sockets Layer) or TLS (Transport Layer Security) support.

If the client does not present a certificate when requested:

  • SSLCLCERT specifies that normal processing should continue.
  • SSLCLCERTR specifies either of the following:
    • The connection should be closed with no further processing (and "MSIR.0646: Error requesting client certificate - client did not have required certificate" is journaled).
    • Processing continues to run the SSLNOCERTERR exception handler, if this is a WEBSERV port and an ON SSLNOCERTERR clause is part of the port definition. For information about this exception handler, see the Janus Web Server Reference Manual, and also see the example below. :hdref refid=excptn., and also see the example below.


To verify a certificate that is passed by a client, you must first have added to the port one or more CA-signed certificates by using the JANUS ADDCA command (:hdref refid=addca.). command, which is described in the Janus TCP/IP Base Reference Manual.

When a client presents a certificate, that certificate is available to User Language code via $Web_Cert_Levels and $Web_Cert_Info on WEBSERV ports, and it is available via $SOCK_CERT_LEVELS and $SOCK_CERT_INFO on SRVSOCK ports.

Client certificate information can be used to perform trusted logins in NEWSESCMD programs (:hdref refid=newsesc.).


The following example shows a web server SSL port definition that specifies the SSLCLCERTR parameter, JANUS ADDCA commands that are needed to store CA-signed certificates to authenticate the client certificate, and a rule that specifies the ONSSLCERTERR exception handler for cases where the client does not present a certificate:

JANUS DEFINE CLCERTWEB 9733 WEBSERV 10 HTTPVERSION 1.1 - SSL JANSSL TM2008.PKEY SSLCLCERTR JANUS ADDCA CLCERTWEB MYPROC SECURESE.CERT JANUS ADDCA CLCERTWEB MYPROC THAWTE.CERT JANUS ADDCA CLCERTWEB MYPROC VERIJUNK.CERT JANUS WEB CLCERTWEB ON SSLNOCERTERR OPEN FILE MYPROC - CMD 'INCLUDE MISSING_CERTIFICATE_ERROR'


The SSLCLCERT and SSLCLCERTR parameters are only available in Version 6.0 and later of Sirius Mods.

SSLCLCERT and SSLCLCERTR are valid for SRVSOCK, &P$WBSYB port types.

SSLCLCERT and SSLCLCERTR are valid for SRVSOCK or WEBSERV port types.

References

See: List of Janus commands | List of JANUS DEFINE parameters.