ApplicGate
(v12.0.9187.36022 started 2025-02-25 19:06:27 on VM2)

Alternative (or Additional) Authentication

Prerequisite:
- At the client the keyword SSLTARGET and at the server the keyword SSL must be defined.
Implementation:
- After the TLS session has been set up, the server sends a 64 character hex string (32 bytes) as challenge (hash).
- The client signs the hash and returns the signature to the server together with its certificate or its public key (se.SAM).
- Note: The client awaits the challenge only after all SSLTARGET and CONNECT keywords have been processed.
- The server checks that the certificate is valid or that the public key is defined (se.SAM), verifies the signature and checks the email address against the configured list (CCR2).

There are two options:

1) Usage of certificates:

The server routing entry has following configuration:
- Keyword CCR2:EmailAddresses ... EmailAddresses has the same format as used for keyword CCR
- Optional keywords:
-- ISS2 (Same format as keyword ISS)
-- ROO2 (Same format as keyword ROO)
-- RVM2:X509RevocationMode ... specifies type of CRL checking, valid values: NoCheck, Offline, Online (default)

The corresponding client routing entry has an additional client certificate:
- Keyword SSLCC2:clientcert[/parameter] ... certificate to sign the received challenge, same format as with keyword SSLCC

2) Usage of se.SAM Crypto Module from sematicon AG:

The server routing entry has following configuration:
- Keyword CCR2:sesam:EmailAddresses ... list of groups, email addresses etc. separated by |

The public key transmitted from the client must be mapped to an email address:
Step 1: Map via Userlist
- The Userlist (OTPlist.csv) is searched for a matching se.SAM public key.
- If there is no match:
Step 2: Map via "K_" groups
- EmailAddresses ... must contain the names of special groups whose names start with "K_".
- Each entry of these special groups must have the following format: pseudoEmail:publicKey
-- pseudoEmail ... email address used for access control, inserted into field "Email within SSL client certificate"
-- publicKey ... 128 character hex string (64 bytes) for authentication of the client
Note: "K_" groups can also be used with other keywords where a list of email addresses is required, such as CCR.

"se.SAM" will be inserted into field "Issuer of SSL client certificate"
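The challenge-response exchange described under Implementation, together with the "K_" group mapping above, as an added example in Go. This is not ApplicGate's or sematicon's code. The page does not name the signature algorithm; the example assumes ECDSA over P-256, because a raw uncompressed P-256 point (X||Y) is exactly the 64 bytes / 128 hex characters the page gives for a se.SAM public key, and assumes the signature is encoded as r||s (64 bytes). The Userlist is modelled as a table from public key to email address (the OTPlist.csv layout is not described on this page). All function names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Assumed, not stated on the page: ECDSA over P-256. A raw point X||Y is 64 bytes,
// i.e. the 128 hex characters the page gives for a se.SAM public key.
var curve = elliptic.P256()

// newClientKey stands in for the key pair held inside se.SAM or the SSLCC2 certificate.
func newClientKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(curve, rand.Reader)
}

// rawPublicKey renders X||Y as 128 lowercase hex characters.
func rawPublicKey(pub *ecdsa.PublicKey) string {
	out := make([]byte, 64)
	pub.X.FillBytes(out[:32])
	pub.Y.FillBytes(out[32:])
	return hex.EncodeToString(out)
}

// newChallenge (server): 32 random bytes sent as a 64-character hex string.
func newChallenge() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// signChallenge (client): the page calls the challenge a hash, so the 32 bytes are
// fed to ECDSA as the digest. Signature encoding r||s (64 bytes) is assumed.
func signChallenge(priv *ecdsa.PrivateKey, challengeHex string) ([]byte, error) {
	digest, err := hex.DecodeString(challengeHex)
	if err != nil || len(digest) != 32 {
		return nil, errors.New("challenge must be 32 bytes as 64 hex characters")
	}
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest)
	if err != nil {
		return nil, err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return sig, nil
}

// parseKGroup turns the "pseudoEmail:publicKey" entries of a "K_" group into a
// table keyed by lowercase public key hex.
func parseKGroup(entries []string) (map[string]string, error) {
	m := make(map[string]string, len(entries))
	for _, e := range entries {
		email, key, ok := strings.Cut(strings.TrimSpace(e), ":")
		if _, err := hex.DecodeString(key); !ok || email == "" || len(key) != 128 || err != nil {
			return nil, fmt.Errorf("bad K_ group entry %q", e)
		}
		m[strings.ToLower(key)] = email
	}
	return m, nil
}

// verifyClient (server): the key must be defined (Userlist first, then "K_" groups),
// must be a valid curve point, and the signature must match the challenge this
// server issued. Returns the email that goes into "Email within SSL client certificate".
func verifyClient(challengeHex, pubHex string, sig []byte, userlist, kGroups map[string]string) (string, error) {
	k := strings.ToLower(pubHex)
	email, ok := userlist[k] // Step 1: Userlist (modelled as a table, see lead-in)
	if !ok {
		email, ok = kGroups[k] // Step 2: "K_" groups
	}
	if !ok {
		return "", errors.New("public key not defined")
	}
	raw, err := hex.DecodeString(pubHex)
	if err != nil || len(raw) != 64 {
		return "", errors.New("public key must be 64 bytes as 128 hex characters")
	}
	x, y := elliptic.Unmarshal(curve, append([]byte{0x04}, raw...)) // nil if not on the curve
	digest, err := hex.DecodeString(challengeHex)
	if x == nil || err != nil || len(digest) != 32 || len(sig) != 64 {
		return "", errors.New("invalid public key, challenge or signature")
	}
	pub := &ecdsa.PublicKey{Curve: curve, X: x, Y: y}
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest, r, s) {
		return "", errors.New("signature does not match challenge")
	}
	return email, nil
}

func main() {
	priv, _ := newClientKey()
	kg, _ := parseKGroup([]string{"alice@example.com:" + rawPublicKey(&priv.PublicKey)})
	ch, _ := newChallenge()
	sig, _ := signChallenge(priv, ch)
	fmt.Println(verifyClient(ch, rawPublicKey(&priv.PublicKey), sig, nil, kg))
}
```

Because the server only accepts a signature over the challenge it just generated, a captured signature from an earlier session is useless against a fresh challenge, and a public key that appears in neither the Userlist nor any "K_" group is rejected before the signature is even checked.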

The corresponding client routing entry needs the information how to access se.SAM (virtual COM port via USB):
- Keyword SSLCC2:sesam:comx!pin!slot ... sign the received challenge using se.SAM
-- comx ... serial port of se.SAM, e.g. com4 (on Windows) or /dev/ttyACM0 (on Linux)
-- pin ... PIN to access se.SAM:
--- If PIN is empty: No PIN is used to access se.SAM
--- If PIN has 4 to 16 digits: This PIN will be used to access se.SAM
--- Else (e.g. 0): PIN must be entered during manual start of autologon. If no PIN is entered an error will occur.
---- If PIN starts with the letter P, then it is an entry in the PIN list (e.g. P01):
----- If such a PIN is used for an autologon entry, an entry in the PIN list will be created and the PIN entered via the web interface will be stored.
----- Then it can be used by other routing entries.
-- slot ... slot of se.SAM to be used (one digit)
-- Example: SSLCC2:sesam:com4!1234321!0
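A parser for the client-side value of SSLCC2 in its sesam: form, as an added example that is not ApplicGate's own code. It applies the PIN rules listed above (empty, 4 to 16 digits, "P"-prefixed PIN list entry, otherwise prompt at manual autologon start) and validates the one-digit slot. The "S_" group indirection from the Remark below is modelled as a table from group name to the parameter string it contains; that table shape, the type names and the function names are assumptions of the example. The certificate form SSLCC2:clientcert[/parameter] is not handled and is rejected with an error.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// PinMode classifies the pin field of SSLCC2:sesam:comx!pin!slot.
type PinMode int

const (
	PinNone   PinMode = iota // empty: no PIN is used to access se.SAM
	PinFixed                 // 4 to 16 digits: this PIN is used
	PinList                  // starts with "P" (e.g. P01): entry in the PIN list
	PinPrompt                // anything else (e.g. 0): PIN is entered at manual autologon start
)

// SesamTarget is the parsed client configuration (type and field names are the example's own).
type SesamTarget struct {
	Port string  // e.g. com4 or /dev/ttyACM0
	Pin  string  // raw pin field; for PinList this is the list entry name
	Mode PinMode // how the pin field is interpreted
	Slot int     // se.SAM slot, one digit
}

func allDigits(s string) bool {
	for _, c := range s {
		if c < '0' || c > '9' {
			return false
		}
	}
	return s != ""
}

// parseSSLCC2 parses the value following "SSLCC2:". A value starting with "S_" is a
// group name and is replaced by that group's parameters first (groups is the caller's
// configured group table, assumed shape). Only the "sesam:" form is handled here.
func parseSSLCC2(value string, groups map[string]string) (SesamTarget, error) {
	if strings.HasPrefix(value, "S_") {
		params, ok := groups[value]
		if !ok {
			return SesamTarget{}, fmt.Errorf("group %q is not defined", value)
		}
		value = params
	}
	if !strings.HasPrefix(value, "sesam:") {
		return SesamTarget{}, errors.New("not a sesam: parameter (certificate form not handled here)")
	}
	parts := strings.Split(value[len("sesam:"):], "!")
	if len(parts) != 3 {
		return SesamTarget{}, errors.New("expected comx!pin!slot")
	}
	port, pin, slot := parts[0], parts[1], parts[2]
	if port == "" {
		return SesamTarget{}, errors.New("serial port is empty")
	}
	if len(slot) != 1 || !allDigits(slot) {
		return SesamTarget{}, fmt.Errorf("slot %q must be one digit", slot)
	}
	t := SesamTarget{Port: port, Pin: pin, Slot: int(slot[0] - '0')}
	switch {
	case pin == "":
		t.Mode = PinNone
	case len(pin) >= 4 && len(pin) <= 16 && allDigits(pin):
		t.Mode = PinFixed
	case strings.HasPrefix(pin, "P"):
		t.Mode = PinList
	default:
		t.Mode = PinPrompt
	}
	return t, nil
}

func main() {
	groups := map[string]string{"S_clientCert": "sesam:com4!1234321!0"} // constructed sample
	for _, v := range []string{"sesam:com4!1234321!0", "sesam:/dev/ttyACM0!!1", "sesam:com4!P01!0", "S_clientCert"} {
		fmt.Println(parseSSLCC2(v, groups))
	}
}
```

Note that a three-digit value such as 123 is not a fixed PIN under the rules above; it falls into the "Else" branch and is requested at manual autologon start, which is easy to misread in a configuration review.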

Remark:
For the keyword SSLCC2 a group can be used as parameter (the name of the group must start with "S_" and the group must contain the parameters), e.g. SSLCC2:S_clientCert
The function "SSLCC2:sesam:" needs the object SerialPort to access the se.SAM crypto processor.
The special installation requirements for ApplicGate built with .NET 8.0 (or higher) can be found here.

reinhold.leitner@applicgate.com (C) February 2025
www.applicgate.com