(v11.2.8535.40794 started 2023-05-15 20:46:16 on VM2)

Alternative (or Additional) Authentication

- At the client the keyword SSLTARGET must be defined, and at the server the keyword SSL.
- After the TLS session has been set up, the server sends a 64-character hex string (32 bytes) as the challenge (hash).
- The client signs the hash and returns the signature to the server together with its public key.
- Note: The client waits for the challenge after all SSLTARGET and CONNECT keywords have been processed.
- The server checks whether the public key is authorized (defined in "K_" groups, see below) and verifies the signature.

There are two options:

1) Usage of certificates:

The server routing entry has the following configuration:
- Keyword CCR2:EmailAddresses ... EmailAddresses has the same format as used for keyword CCR
- Optional keywords:
-- ISS2 (same format as keyword ISS)
-- ROO2 (same format as keyword ROO)
-- RVM2:X509RevocationMode ... specifies the type of CRL checking; valid values: NoCheck, Offline, Online (default)

The corresponding client routing entry has an additional client certificate:
- Keyword SSLCC2:clientcert[/parameter] ... certificate used to sign the received challenge; same format as with keyword SSLCC

2) Usage of se.SAM crypto processor from sematicon AG:

The server routing entry has the following configuration:
- Keyword CCR2:sesam:groups ... list of groups separated by |
-- These groups are special groups, or refer to special groups, whose names must start with "K_"; they hold the mapping from se.SAM public key to email address.
-- Each entry of these special groups must have the following format: pseudoEmail:publickey
---- pseudoEmail ... email address used for access control; it is inserted into the field "Email within SSL client certificate"
---- publickey ... 128-character hex string (64 bytes) used to authenticate the client
---- "se.SAM" is inserted into the field "Issuer of SSL client certificate"
-- CCR2:sesam is not supported with .NET Framework versions lower than 4.8!
Note: "K_" groups can also be used with other keywords where a list of email addresses is required, such as CCR.
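
The challenge-response flow above and the "K_" group lookup, as an added example in Go that is not ApplicGate's own code. It assumes the 64-byte public key is the raw X||Y of a P-256 key, that the 32 challenge bytes are signed directly as the digest, and that the signature is DER-encoded; the K_ group entries are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"math/big"
	"strings"
)

// parseKGroup maps each "pseudoEmail:publickey" entry of a constructed K_ group to pubkey -> email.
func parseKGroup(entries []string) map[string]string {
	m := map[string]string{}
	for _, e := range entries {
		if email, key, ok := strings.Cut(strings.TrimSpace(e), ":"); ok {
			m[strings.ToLower(key)] = email // 128 hex characters, compared case-insensitively
		}
	}
	return m
}

// rawPubKey encodes X||Y as 64 bytes = 128 hex characters (assumption: curve P-256).
func rawPubKey(pub *ecdsa.PublicKey) string {
	return hex.EncodeToString(append(pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))...))
}
// signChallenge (client side): the 32 decoded challenge bytes are signed directly as the digest
// (assumption: ASN.1/DER ECDSA signature; the page does not show the wire format).
func signChallenge(priv *ecdsa.PrivateKey, challenge string) ([]byte, error) {
	digest, err := hex.DecodeString(challenge)
	if err != nil || len(digest) != 32 {
		return nil, errors.New("challenge must be 64 hex characters")
	}
	return ecdsa.SignASN1(rand.Reader, priv, digest)
}

// authenticate (server side): the presented key must be listed in the K_ group and the
// signature must verify over the fresh challenge this server issued; returns the pseudo email.
func authenticate(authorized map[string]string, challenge, pubHex string, sig []byte) (string, error) {
	email, ok := authorized[strings.ToLower(pubHex)]
	raw, err := hex.DecodeString(pubHex)
	if !ok || err != nil || len(raw) != 64 {
		return "", errors.New("public key not authorized")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(raw[:32]), Y: new(big.Int).SetBytes(raw[32:])}
	if digest, err := hex.DecodeString(challenge); err != nil || len(digest) != 32 || !ecdsa.VerifyASN1(pub, digest, sig) {
		return "", errors.New("signature verification failed")
	}
	return email, nil
}
```

The server must generate a fresh random 32-byte challenge per session (e.g. crypto/rand), otherwise a captured signature could be replayed.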

The corresponding client routing entry needs information on how to access se.SAM (virtual COM port via USB):
- Keyword SSLCC2:sesam:comx!pin!slot ... signs the received challenge using se.SAM
-- comx ... serial port of se.SAM, e.g. com4 (on Windows) or /dev/ttyACM0 (on Linux)
-- pin ... PIN to access se.SAM:
---- If the PIN is empty: no PIN is used to access se.SAM
---- If the PIN has 4 to 16 digits: this PIN is used to access se.SAM
---- Otherwise (e.g. 0): the PIN must be entered during a manual start of autologon. If no PIN is entered, an error occurs.
------ If the PIN starts with the letter P, it refers to an entry in the PIN list (e.g. P01):
-------- If such a PIN is used for an autologon entry, an entry in the PIN list is created and the PIN entered via the web interface is stored.
-------- It can then be used by other routing entries.
-- slot ... slot of se.SAM to be used (one digit)
-- Example: SSLCC2:sesam:com4!1234321!0

For the keyword SSLCC2 a group can be used as parameter (the group name must start with "S_" and the group must contain the parameters), e.g. SSLCC2:S_clientCert
The function "CCR2:sesam:" needs the object SerialPort to access the se.SAM crypto processor.
The special installation requirements for ApplicGate built with .NET 6.0 (or higher) can be found here.

ApplicGate (C) May 2023