3.2.3. Procedure – Transferring certificate information in one-sided HTTPS

Purpose: 

Client authentication in HTTPS is sometimes based on inspecting the certificate of the client. When PNS is protecting the server, keybridging can be used to transfer the information from the client certificate to the server. However, in one-sided TLS connections (for example, if the communication between PNS and the server is not encrypted), the server does not receive a TLS certificate, therefore user authentication must use another method. A simple solution to this problem is as follows:

PNS requests a certificate from the client the usual way, extracts the required information from the client certificate, then inserts this information into an HTTP header. The server then authenticates the user based on the information received in the HTTP header. To accomplish this, create a special HttpProxy using the Class editor.

Steps: 

  1. Navigate to the Application-level Gateway MC component, and click on the Class editor icon in the menu bar.

  2. Click New, then select the General tab.

  3. Enter a name for the class (for example, HttpsCertProxy).

  4. Select Parent class > OnesidedHttpsProxy.

  5. Select Class type > proxy.

  6. Type or paste the following Python code. Based on these settings, the header of the proxy class will be generated automatically into the Source code field. You have to type the remaining part manually, or paste it from this document.

    Warning

    The source code has to confirm to the syntax requirements of the Python language. Handle indentation with great care, since in Python indentation forms the blocks of code that are on the same level (many other languages use brackets for this purpose, for example, C uses curly brackets).

    Python:

    def config(self):
        OnesidedHttpsProxy.config(self)
            self.request_header["X-User-Certificate"]=\
            (HTTP_HDR_INSERT, self.tls.client_peer_certificate.subject)
  7. Click OK and Close.

  8. Create a service that will use this new proxy (for example, HttpsCertProxy), or modify an existing one.