(v12.0.8874.35714 started 2024-04-18 18:00:37 on VM2)
Alternative (or Additional) Authentication
Prerequisite: - At the client the keyword SSLTARGET and at the server the keyword SSL must be defined. Implementation: - After setup of the TLS session the server sends a 64 character hex string (32 bytes) as challenge (hash). - The client signs the hash and returns it (the signature) to the server with the public key. - Note: The client awaits the challenge after all SSLTARGET and CONNECT keywords have been processed. - The server checks if the public key is authorized (defined in "K_" groups, see below) and verifies the signature.
There are two options:
1) Usage of certificates:
The server routing entry has following configuration: - Keyword CCR2:EmailAddresses ... EmailAddresses has the same format as used for keyword CCR - Optional keywords: -- ISS2 (Same format as keyword ISS) -- ROO2 (Same format as keyword ROO) -- RVM2:X509RevocationMode ... specifies type of CRL checking, valid values: NoCheck, Offline, Online (default)
The corresponding client routing entry has an additional client certificate: - Keyword SSLCC2:clientcert[/parameter] ... certificate to sign the received challenge, same format as with keyword SSLCC
2) Usage of se.SAM crypto processor from sematicon AG:
The server routing entry has following configuration: - Keyword CCR2:sesam:groups ... list of groups separated by | -- These groups are special groups or refer to special groups (names must start with "K_") for se.SAM public key to email mapping. -- Each entry of these special groups must have following format: pseudoEmail:publickey ---- pseudoEmail ... email address to use for access control, inserted into field "Email within SSL client certificate" ---- publickey ... 128 character hex string (64 byte) for authentication of the client -------- "se.SAM" will be inserted into field "Issuer of SSL client certificate" -- CCR2:sesam is not supported with .NET Framework versions lower than 4.8! Note: "K_" groups can be used also with other keywords where a list of email addresses is required such as CCR.
The corresponding client routing entry needs information how to access se.SAM (virtual com port via USB): - Keyword SSLCC2:sesam:comx!pin!slot ... to sign the received challenge using se.SAM -- comx ... serial port of se.SAM, e.g. com4 (on Windows) or /dev/ttyACM0 (on Linux) -- pin ... PIN to access se.SAM: ---- If PIN is empty: No PIN is used to access se.SAM ---- If PIN has 4 to 16 digits: This PIN will be used to access se.SAM ---- Else (e.g. 0): PIN must be entered during manual start of autologon. If no PIN is entered an error will occur. ------ If PIN starts with the letter P the this is an entry to the PIN list (e.g. P01): --------If such a PIN is used for an autologon entry, an entry in the PIN list will be created and the PIN entered via web interface will be stored. ------- Then it can be used by other routing entries. -- slot ... slot of se.SAM to be used (one digit) -- Example: SSLCC2:sesam:com4!1234321!0
Remark: For the keyword SSLCC2 a group (name of the group must start with "S_", the group must contain the parameters) can be used as parameter, e.g. SSLCC2:S_clientCert The function "CCR2:sesam:" needs the object SerialPort to access the se.SAM crypto processor. The special installation requirements for ApplicGate built with .NET 6.0 (or higher) can be found here.
