Context
To enable IBM HTTP Server (IHS) to "authorise" incoming requests based upon the "identity" of the client. This goes above and beyond SSL Client ( aka Mutual ) Authentication, where a server will require a client to present a valid certificate which both parties trust.
This leverages the SSLClientAuthRequire directive in IHS
Detail
I tested this using IHS 8.5.5.8 on both Red Hat Linux and IBM AIX, using the Firefox browser in both cases.
In the case of Linux, I created a pair of self-signed personal certificates on my Mac, imported them into Firefox ( using the PKCS12 keystone format which includes my personal key ), and configured IHS to accept ONE of the TWO certificates using the Common Name (CN) attribute.
Define Self-Signed Certificates
vi davehay1.conf
[req]
default_bits = 2048
default_keyfile = davehay.key
distinguished_name = macintosh
attributes = req_attributes
prompt = no
output_password = passw0rd
[macintosh]
C = GB
ST = Hampshire
L = Winchester
O = IBM
OU = ICCTE
CN = macintosh1.uk.ibm.com
[req_attributes]
challengePassword = passw0rd
vi davehay2.conf
[req]
default_bits = 2048
default_keyfile = davehay.key
distinguished_name = macintosh
attributes = req_attributes
prompt = no
output_password = passw0rd
[macintosh]
C = GB
ST = Hampshire
L = Winchester
O = IBM
OU = ICCTE
CN = macintosh2.uk.ibm.com
[req_attributes]
challengePassword = passw0rd
Create Self-Signed Certificates
The first also generates a private key
openssl req -config davehay1.conf -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout davehay.key -out davehay1.crt
The second uses the existing private key
openssl req -config davehay2.conf -x509 -sha256 -nodes -days 365 -key davehay.key -out davehay2.crt -new
Generate PKCS12 Certificate Stores - required for import into client browser
openssl pkcs12 -export -out davehay1.p12 -inkey davehay.key -in davehay1.crt -password pass:passw0rd
openssl pkcs12 -export -out davehay2.p12 -inkey davehay.key -in davehay2.crt -password pass:passw0rd
Import PKCS12 Stores into Firefox
This is available via the Preferences -> Advanced -> Certificates -> View Certificates dialogue
Send Mac Personal Certificates to IHS
cp *.crt wasadmin@bpm856:~
wasadmin@bpm856's password:
davehay1.crt 100% 1237 1.2KB/s 00:00
davehay2.crt 100% 1237 1.2KB/s 00:00
Server Setup
Create Key/Trust store - required for IHS
/opt/IBM/HTTPServer/bin/gskcapicmd -keydb -create -db /opt/IBM/HTTPServer/ssl/keystore.kdb -pw passw0rd -type cms -expire 3650 -stash
Generate a Self-Signed Certificate - presented by IHS to client
/opt/IBM/HTTPServer/bin/gskcapicmd -cert -create -db /opt/IBM/HTTPServer/ssl/keystore.kdb -stashed -dn "cn=bpm856.uk.ibm.com,dc=uk,dc=ibm,dc=com" -label bpm856.uk.ibm.com_ss -default_cert yes
Add Mac Personal Certificates - required to establish trust between client browser and IHS
/opt/IBM/HTTPServer/bin/gskcapicmd -cert -add -db /opt/IBM/HTTPServer/ssl/keystore.kdb -stashed -file ~/davehay1.crt
/opt/IBM/HTTPServer/bin/gskcapicmd -cert -add -db /opt/IBM/HTTPServer/ssl/keystore.kdb -stashed -file ~/davehay2.crt
Validate Key/Trust store
/opt/IBM/HTTPServer/bin/gskcapicmd -cert -list -db /opt/IBM/HTTPServer/ssl/keystore.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
! CN=macintosh1.uk.ibm.com,OU=ICCTE,O=IBM,L=Winchester,ST=Hampshire,C=GB
! CN=macintosh2.uk.ibm.com,OU=ICCTE,O=IBM,L=Winchester,ST=Hampshire,C=GB
*- bpm856.uk.ibm.com_ss
Add SSLClientAuthRequire directive to IHS httpd.conf
...
SSLClientAuthRequire (CN = "macintosh1.uk.ibm.com" )
…
This means that IHS will only accept requests when presented with the macintosh1.uk.ibm.com personal certificate.
Functional Test using Firefox on Client
Access IHS: -
davehay2.crt 100% 1237 1.2KB/s 00:00
Server Setup
Create Key/Trust store - required for IHS
/opt/IBM/HTTPServer/bin/gskcapicmd -keydb -create -db /opt/IBM/HTTPServer/ssl/keystore.kdb -pw passw0rd -type cms -expire 3650 -stash
Generate a Self-Signed Certificate - presented by IHS to client
/opt/IBM/HTTPServer/bin/gskcapicmd -cert -create -db /opt/IBM/HTTPServer/ssl/keystore.kdb -stashed -dn "cn=bpm856.uk.ibm.com,dc=uk,dc=ibm,dc=com" -label bpm856.uk.ibm.com_ss -default_cert yes
Add Mac Personal Certificates - required to establish trust between client browser and IHS
/opt/IBM/HTTPServer/bin/gskcapicmd -cert -add -db /opt/IBM/HTTPServer/ssl/keystore.kdb -stashed -file ~/davehay1.crt
/opt/IBM/HTTPServer/bin/gskcapicmd -cert -add -db /opt/IBM/HTTPServer/ssl/keystore.kdb -stashed -file ~/davehay2.crt
Validate Key/Trust store
/opt/IBM/HTTPServer/bin/gskcapicmd -cert -list -db /opt/IBM/HTTPServer/ssl/keystore.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
! CN=macintosh1.uk.ibm.com,OU=ICCTE,O=IBM,L=Winchester,ST=Hampshire,C=GB
! CN=macintosh2.uk.ibm.com,OU=ICCTE,O=IBM,L=Winchester,ST=Hampshire,C=GB
*- bpm856.uk.ibm.com_ss
Add SSLClientAuthRequire directive to IHS httpd.conf
...
SSLClientAuthRequire (CN = "macintosh1.uk.ibm.com" )
…
This means that IHS will only accept requests when presented with the macintosh1.uk.ibm.com personal certificate.
Functional Test using Firefox on Client
Access IHS: -
https://bpm856.uk.ibm.com:8443/
When prompted, choose to present macintosh1.uk.ibm.com personal certificate
Should be able to access IHS, as IHS "trusts" this certificate via the SSLClientAuthRequire directive.
Close Firefox
Re-run functional test - choose macintosh2.uk.ibm.com personal certificate
Should receive "You don't have permission to access / on this server." and this message: -
[Wed Aug 24 19:59:49 2016] [error] [client 192.168.153.1] [7feb140008c0] [31411] SSL0279E: SSL Handshake Failed due to fatal alert from client. Client sent fatal alert [level 2 (fatal), description 48 (unknown_ca)] [192.168.153.1:60794 -> 192.168.153.200:8443] [19:59:49.000695476] 0ms
in IHS error_log, and: -
When prompted, choose to present macintosh1.uk.ibm.com personal certificate
Should be able to access IHS, as IHS "trusts" this certificate via the SSLClientAuthRequire directive.
Close Firefox
Re-run functional test - choose macintosh2.uk.ibm.com personal certificate
Should receive "You don't have permission to access / on this server." and this message: -
[Wed Aug 24 19:59:49 2016] [error] [client 192.168.153.1] [7feb140008c0] [31411] SSL0279E: SSL Handshake Failed due to fatal alert from client. Client sent fatal alert [level 2 (fatal), description 48 (unknown_ca)] [192.168.153.1:60794 -> 192.168.153.200:8443] [19:59:49.000695476] 0ms
in IHS error_log, and: -
192.168.153.1 - - [24/Aug/2016:19:59:56 +0100] "GET / HTTP/1.1" 403 273
192.168.153.1 - - [24/Aug/2016:19:59:56 +0100] "GET /favicon.ico HTTP/1.1" 403 284
192.168.153.1 - - [24/Aug/2016:19:59:56 +0100] "GET /favicon.ico HTTP/1.1" 403 284
192.168.153.1 - - [24/Aug/2016:19:59:56 +0100] "GET /favicon.ico HTTP/1.1" 403 284
192.168.153.1 - - [24/Aug/2016:19:59:56 +0100] "GET /favicon.ico HTTP/1.1" 403 284
in IHS access_log, all because macintosh2.uk.ibm.com is NOT in the SSLClientAuthRequire directive.
As we discovered, the directive isn't a catch-all - the match has to be 100%, wildcards aren't an option - the match has to be for the precise value of the certificate's CN ( in this case ).
If, for example, a certificate has a wildcard ( * ) in the CN, such as *.uk.ibm.com, that's precisely what needs to go in the directive, wrapped in double-quotes.
This is nicely documented here: -
Simple when you know how :-)
No comments:
Post a Comment