3.2.3. Procedure – Transferring certificate information in one-sided HTTPS
Purpose:
Client authentication in HTTPS is sometimes based on inspecting the certificate of the client. When PNS is protecting the server, keybridging can be used to transfer the information from the client certificate to the server. However, in one-sided SSL connections (for example, if the communication between PNS and the server is not encrypted), the server does not receive an SSL certificate, therefore user authentication must use another method. A simple solution to this problem is the following.
PNS requests a certificate from the client the usual way, extracts the required information from the client certificate, then inserts this information into an HTTP header. The server then authenticates the user based on the information received in the HTTP header. To accomplish this, you must create a special HttpProxy using the .
Steps:
Navigate to the MC component, and click on the icon in the menu bar.
Click , then select the tab.
Enter a name for the class (for example,
HttpsCertProxy).Select .
Select .
Type or paste the following Python code. Based on these settings, the header of the proxy class will be generated automatically into the field. You have to type the remaining part manually, or paste it from this document.
Warning The source code has to confirm to the syntax requirements of the Python language. Handle indentation with great care, since in Python indentation forms the blocks of code that are on the same level (many other languages use brackets for this purpose, for example, C uses curly brackets).
Python:
def config(self): OnesidedHttpsProxy.config(self) self.request_header["X-User-Certificate"]=\ (HTTP_HDR_INSERT, self.tls.client_peer_certificate.subject)Click and .
Create a service that will use this new proxy (for example,
HttpsCertProxy), or modify an existing one.
Published on June 04, 2020
© 2007-2019 BalaSys
Send your comments to support@balasys.hu
