3.2.3. Procedure – Transferring certificate information in one-sided HTTPS
Purpose:
Client authentication in HTTPS is sometimes based on inspecting the certificate of the client. When PNS is protecting the server, keybridging can be used to transfer the information from the client certificate to the server. However, in one-sided TLS connections (for example, if the communication between PNS and the server is not encrypted), the server does not receive a TLS certificate, therefore user authentication must use another method. A simple solution to this problem is as follows:
PNS requests a certificate from the client the usual way, extracts the required information from the client certificate, then inserts this information into an HTTP header. The server then authenticates the user based on the information received in the HTTP header. To accomplish this, create a special HttpProxy using the .
Steps:
1. Navigate to the MC component, and click on the icon in the menu bar.
2. Click , then select the tab.
3. Enter a name for the class (for example, HttpsCertProxy).
4. Select .
5. Select .
6. Type or paste the following Python code. Based on these settings, the header of the proxy class will be generated automatically into the field. You have to type the remaining part manually, or paste it from this document.
Warning: The source code has to conform to the syntax requirements of the Python language. Handle indentation with great care, since in Python indentation forms the blocks of code that are on the same level (many other languages use brackets for this purpose, for example, C uses curly brackets).
Python:
    def config(self):
        # Apply the parent class configuration first
        OnesidedHttpsProxy.config(self)
        # Insert the subject DN of the client certificate into the request
        # as the X-User-Certificate header, so the server can authenticate the user
        self.request_header["X-User-Certificate"] = \
            (HTTP_HDR_INSERT, self.tls.client_peer_certificate.subject)
7. Click and .
8. Create a service that will use this new proxy (for example, HttpsCertProxy), or modify an existing one.
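The server-side half of this scheme, as an added example that is not part of the PNS documentation: because the server authenticates the user from a plain HTTP header, it must accept that header only on the hop that comes from PNS, where nothing else can write it. The one-line subject DN format, the proxy addresses and the sample request below are assumptions constructed for this example.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

HEADER = "X-User-Certificate"

# Constructed for this example: the addresses of the PNS instances that
# terminate client TLS. Only they may assert a user identity via the header.
PROXY_ADDRS = {ipaddress.ip_address("10.0.0.5"), ipaddress.ip_address("10.0.0.6")}

# Assumption: the proxy sends the subject in OpenSSL one-line form,
# e.g. "/C=HU/O=Example/CN=alice". One regex match per RDN component.
_RDN = re.compile(r"/([A-Za-z]+)=([^/]*)")


def parse_subject(subject: str) -> Dict[str, str]:
    """Split a one-line subject DN into its components (last value wins on repeats)."""
    return {attr: value for attr, value in _RDN.findall(subject)}


def authenticate(peer_addr: str, headers: List[Tuple[str, str]]) -> Optional[str]:
    """Return the CN asserted by the proxy, or None when the request must be refused.

    headers is the raw header list so duplicates stay visible: a request that
    carries two X-User-Certificate headers is refused rather than guessed at.
    """
    # The header is only meaningful on the hop from PNS to the server; any
    # other peer reaching this port could have written it itself.
    if ipaddress.ip_address(peer_addr) not in PROXY_ADDRS:
        return None
    values = [v for name, v in headers if name.lower() == HEADER.lower()]
    if len(values) != 1:
        return None
    cn = parse_subject(values[0]).get("CN")
    return cn or None


if __name__ == "__main__":
    # Constructed sample request as the server would see it arriving from PNS.
    sample = [("Host", "intranet.example"), (HEADER, "/C=HU/O=Example/CN=alice")]
    print(authenticate("10.0.0.5", sample))  # alice
```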
© 2021 BalaSys IT Security.
Send your comments to support@balasys.hu