ApplicGate
(v12.0.9150.35227 started 2025-01-19 18:44:37 on VM2)

Alternative (or Additional) Authentication

Prerequisite:
- At the client the keyword SSLTARGET and at the server the keyword SSL must be defined.
Implementation:
- After setup of the TLS session the server sends a 64 character hex string (32 bytes) as challenge (hash).
- The client signs the hash and returns the signature to the server together with the public key.
- Note: The client awaits the challenge after all SSLTARGET and CONNECT keywords have been processed.
- The server checks if the public key is authorized (defined in "K_" groups, see below) and verifies the signature.

There are two options:


1) Usage of certificates:

The server routing entry has the following configuration:
- Keyword CCR2:EmailAddresses ... EmailAddresses has the same format as used for keyword CCR
- Optional keywords:
-- ISS2 (Same format as keyword ISS)
-- ROO2 (Same format as keyword ROO)
-- RVM2:X509RevocationMode ... specifies type of CRL checking, valid values: NoCheck, Offline, Online (default)

The corresponding client routing entry has an additional client certificate:
- Keyword SSLCC2:clientcert[/parameter] ... certificate to sign the received challenge, same format as with keyword SSLCC


2) Usage of se.SAM crypto processor from sematicon AG:

The server routing entry has the following configuration:
- Keyword CCR2:sesam:groups ... list of groups separated by |
-- These groups are special groups or refer to special groups (names must start with "K_") for se.SAM public key to email mapping.
-- Each entry of these special groups must have the following format: pseudoEmail:publickey
---- pseudoEmail ... email address to use for access control, inserted into field "Email within SSL client certificate"
---- publickey ... 128 character hex string (64 byte) for authentication of the client
-------- "se.SAM" will be inserted into field "Issuer of SSL client certificate"
Note: "K_" groups can also be used with other keywords where a list of email addresses is required, such as CCR.

The corresponding client routing entry needs information on how to access se.SAM (virtual com port via USB):
- Keyword SSLCC2:sesam:comx!pin!slot ... to sign the received challenge using se.SAM
-- comx ... serial port of se.SAM, e.g. com4 (on Windows) or /dev/ttyACM0 (on Linux)
-- pin ... PIN to access se.SAM:
---- If PIN is empty: No PIN is used to access se.SAM
---- If PIN has 4 to 16 digits: This PIN will be used to access se.SAM
---- Else (e.g. 0): PIN must be entered during manual start of autologon. If no PIN is entered an error will occur.
------ If PIN starts with the letter P then this is an entry in the PIN list (e.g. P01):
-------- If such a PIN is used for an autologon entry, an entry in the PIN list will be created and the PIN entered via web interface will be stored.
-------- Then it can be used by other routing entries.
-- slot ... slot of se.SAM to be used (one digit)
-- Example: SSLCC2:sesam:com4!1234321!0
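
An added example (not ApplicGate's own code): a Python check for the two se.SAM formats described above, the "K_" group entry pseudoEmail:publickey and the client value SSLCC2:sesam:comx!pin!slot. The function names, the rejection of a public key that is listed twice, and the sample values are assumptions of this example.

```python
import re

HEX128 = re.compile(r"[0-9a-fA-F]{128}")   # 128 hex characters = 64 bytes

def classify_pin(pin):
    """Map the pin field to the behaviour the page describes."""
    if pin == "":
        return "none"        # no PIN is used to access se.SAM
    if re.fullmatch(r"[0-9]{4,16}", pin):
        return "inline"      # PIN is stored in the routing entry itself
    if pin.startswith("P"):
        return "pin_list"    # entry in the PIN list, e.g. P01
    return "prompt"          # e.g. 0: entered at manual start of autologon

def parse_sslcc2_sesam(value):
    """Split SSLCC2:sesam:comx!pin!slot and validate each field."""
    prefix = "SSLCC2:sesam:"
    if not value.startswith(prefix):
        raise ValueError("not an SSLCC2:sesam entry")
    parts = value[len(prefix):].split("!")
    if len(parts) != 3:
        raise ValueError("expected comx!pin!slot")
    port, pin, slot = parts
    if not port:
        raise ValueError("serial port missing")
    if not re.fullmatch(r"[0-9]", slot):
        raise ValueError("slot must be one digit")
    return {"port": port, "pin_mode": classify_pin(pin), "slot": int(slot)}

def parse_k_group(lines):
    """Return {publickey (lowercase hex): pseudoEmail} for a K_ group."""
    keys = {}
    for line in lines:
        email, sep, key = line.strip().rpartition(":")
        if not sep or not email or not HEX128.fullmatch(key):
            raise ValueError(f"bad K_ entry: {line!r}")
        key = key.lower()
        if key in keys:      # policy of this example: one key, one pseudoEmail
            raise ValueError("public key listed twice")
        keys[key] = email
    return keys

if __name__ == "__main__":
    # Constructed sample values, not real keys or PINs.
    print(parse_sslcc2_sesam("SSLCC2:sesam:com4!1234321!0"))
    print(parse_k_group(["user@example.invalid:" + "ab" * 64]))
```

A result of "inline" marks routing entries that carry the PIN in clear text in the configuration, which is worth flagging when reviewing client configurations.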


Remark:
For the keyword SSLCC2 a group (name of the group must start with "S_", the group must contain the parameters) can be used as parameter, e.g. SSLCC2:S_clientCert
The function "CCR2:sesam:" needs the object SerialPort to access the se.SAM crypto processor.
The special installation requirements for ApplicGate built with .NET 8.0 (or higher) can be found here.

reinhold.leitner@applicgate.com (C) January 2025
www.applicgate.com