
Re: [Handle-info] Administrative client authentication using client certificates



Ok.  In general, you won't need renegotiate="true".  That's only needed if you want to use a different client certificate.  For renegotiating to use a client certificate at all, clientCert="true" suffices.

In order for your browser to get the client certificate, you can't add the Authorization header to the call to https://<ip address>:8000/admin/.  You need to add it to calls to https://<ip address>:8000/api/<etc>... possibly to all of them.  This would probably necessitate changes to the JavaScript code.  You may be able to just add the header to one call (maybe https://<ip address>:8000/api/site) and it might work automatically on all the calls... but I'm not sure.

An alternative is to change the server configuration so that it asks for the client certificate proactively, instead of requiring the client-side Authorization header as a prompt to renegotiate.  This would be in config.dct:

{
  "hdl_http_config" = {
    ...
    "https_client_auth" = "want"
  }
}

Here "want" indicates that the server will prompt for a client certificate on all HTTPS connections.  Connections will still succeed if no certificate is given, though.  If you set it to "need", connections will require a client certificate.

Remember to restart your server after making the change.

The prompting can be intrusive when the user doesn't want to use a client certificate, which is why it is off by default.  However, you might find it works well for what you are doing.

Robert
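Robert's first suggestion (add the Authorization header to the /api/ calls rather than to the /admin/ page) can be done in one place instead of at every call site. The following is an added illustration, not code from the Handle.Net admin client or from anyone in this thread. It assumes the admin client issues its requests with fetch(), that API calls live under /api/, and it uses a placeholder origin only to resolve relative URLs; all function names are this example's own. It adds `Handle clientCert="true"` (renegotiate="true" only on request, since that is only needed to switch to a different certificate) and never overwrites an Authorization header the client already set.

```javascript
// Added example: a fetch() wrapper that adds the Handle client-certificate
// Authorization header to API calls, so the server asks the browser for the
// certificate on those requests. Not part of the Handle.Net admin client.
// Assumptions: API calls are under /api/, the client uses fetch(),
// and the header name/value is the one quoted in the thread.

const CLIENT_CERT_AUTH = 'Handle clientCert="true"';
// renegotiate="true" is only needed to switch to a different client certificate.
const CLIENT_CERT_AUTH_RENEG = 'Handle clientCert="true", renegotiate="true"';

// Placeholder origin, used only so relative URLs like "/api/site" can be parsed.
const PLACEHOLDER_ORIGIN = "https://handle.invalid/";

function requestUrl(input) {
  // fetch() accepts a URL string or a Request object.
  return typeof input === "string" ? input : input.url;
}

// Returns the Authorization value to add for `url`, or null when the request
// is not an API call (for example the /admin/ page itself, where the header
// does nothing).
function authHeaderFor(url, { apiPrefix = "/api/", renegotiate = false } = {}) {
  const path = new URL(url, PLACEHOLDER_ORIGIN).pathname;
  if (!path.startsWith(apiPrefix)) return null;
  return renegotiate ? CLIENT_CERT_AUTH_RENEG : CLIENT_CERT_AUTH;
}

// Wraps a fetch implementation so every /api/ call carries the header.
// Install with: window.fetch = wrapFetchWithClientCertAuth(window.fetch);
function wrapFetchWithClientCertAuth(baseFetch, options = {}) {
  return function clientCertFetch(input, init = {}) {
    const value = authHeaderFor(requestUrl(input), options);
    if (value === null) return baseFetch(input, init);
    const headers = new Headers(
      init.headers ?? (typeof input === "string" ? undefined : input.headers)
    );
    // Do not clobber an Authorization header the client already set
    // (for instance a session-based one); only fill in the gap.
    if (!headers.has("authorization")) headers.set("Authorization", value);
    return baseFetch(input, { ...init, headers });
  };
}
```

The wrapper is deliberately narrow: it only touches requests whose path starts with the API prefix, and it leaves any Authorization header the admin client already sends untouched. Whether the browser then actually offers a certificate still depends on the TLS layer, which is why the `https_client_auth` server setting below is the more predictable option.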

> On Mar 24, 2020, at 2:02 PM, Weng, Franziska <fweng@geomar.de> wrote:
> 
> Hi Robert,
> 
> Thank you for the quick response.
> 
> I used this curl request to check if the certificate works: curl --cert-type P12 --cert my_cert.p12:<password> -H 'Authorization: Handle clientCert="true", renegotiate="true"' 'https://<ip address>:8000/api/handles?prefix=<prefix>'
> 
> Firefox (Version 74.0): I imported the previously used .p12 file into the browser and went to the administrative client (Version 0.9.4 beta) https://<ip address>:8000/admin/. But even when I clicked the "Authenticate" button, my client certificate was not requested. I opened Web Developer Tools, Network Analysis, again requested the website, clicked on HTML and Header, added Authorization: Handle clientCert="true", renegotiate="true" to the header and resent the website request. I also changed the setting that Firefox should ask me when using certificates, but it doesn't ask me.
> 
> Chrome (Version 80.0.3987.149) and Safari (Version 13.0.5): I imported the .p12 file into my keychain, changed the setting to always trust this certificate and added the setting that this certificate is required by https://<ip address>:8000/admin/. In Chrome, I set most of the settings for the website to permit. Also here, I don't get authenticated when I go to the website of the administrative client, and I also don't get authenticated when I click the Authenticate button.
> 
> I can check the subject information of the .pem I used to create the .p12: openssl x509 -in my_cert.pem -text -noout -nameopt RFC2253. Subject: UID=<index>:<prefix>/<suffix>,CN=...,O=...,C=... Using 'openssl pkcs12 -in my_cert.p12 -info' the subject is /C=.../O=.../CN=.../UID=<index>:<prefix>/<suffix>.
> 
> I hope this information is helpful.
> 
> Best regards,
> 
> Franziska
> 
> Am 24.03.20 um 17:25 schrieb Robert R Tupelo-Schneck:
>> Is this correct: you use curl with header Authorization: Handle clientCert="true" and it correctly uses your client certificate?  But you can't get the browser client to use your client certificate?
>> 
>> Show me the code that changed in the browser code in order to try this.
>> 
>> Robert
>> 
>>> On Mar 24, 2020, at 12:07 PM, Weng, Franziska <fweng@geomar.de> wrote:
>>> 
>>> Hi,
>>> 
>>> we would like to authenticate in the browser-based administrative client using client certificates.
>>> 
>>> I made sure my client certificate works by requesting the server to list all handles using curl. But neither the browser-based administrative client nor the REST API seems to request the client certificate which I have loaded into my browser, even when I add Authorization: Handle clientCert="true", renegotiate="true" to the HTTP header. Is there a way I can make authentication in the browser-based administrative client using client certificates work?
>>> 
>>> Best regards
>>> 
>>> Franziska
>>> 
>>> -- 
>>> Franziska Weng
>>> Information, Data and Computing Centre
>>> GEOMAR
>>> Helmholtz Centre for Ocean Research Kiel
>>> Wischhofstr. 1-3
>>> D-24148 Kiel, Germany
>>> 
>>> Room: 01/111 (Entrance 2)
>>> Tel: +49 (0)431 / 600-2173
>>> E-Mail: fweng@geomar.de
>>> https://www.geomar.de
>>> 
>>> 
>>> _______________________________________________
>>> Handle-Info mailing list
>>> Handle-Info@cnri.reston.va.us
>>> http://www.handle.net/mailman/listinfo/handle-info
> 
> -- 
> Franziska Weng
> Information, Data and Computing Centre
> GEOMAR
> Helmholtz Centre for Ocean Research Kiel
> Wischhofstr. 1-3
> D-24148 Kiel, Germany
> 
> Room: 01/111 (Entrance 2)
> Tel: +49 (0)431 / 600-2173
> E-Mail: fweng@geomar.de
> https://www.geomar.de
> 
> 
