When an ABL client initiates an HTTPS connection request with a PAS for OpenEdge instance, the client must include certain details in its request so that, in addition to the mandatory server authentication, client authentication is performed during the TLS handshake.

Note: You can configure an ABL client for either TLS client or HTTP Basic authentication (using user ID and password) but not both.

The steps in this procedure use the pkiutil command-line utility, which provides the operations needed to create and manage keystore entries for OpenEdge clients and PAS for OpenEdge instances. These operations include generating a Privacy Enhanced Mail (.pem) file from the signed certificate. The PEM file that pkiutil produces holds the client's certificate together with its private key; the private key is protected by the password chosen when the key pair was created.

For details about the syntax and usage of the pkiutil utility, see pkiutil in Manage OpenEdge Keys and Certificates.

Perform the following steps to obtain a private key and digital certificate for an ABL client:

  1. Create the private and public key pair for the ABL client:
    pkiutil -keysize 2048 -newreq client_alias

    In the preceding command, client_alias represents the name that corresponds to the keystore entry for the certificate and keys for the ABL client. When you execute this command, you are prompted for a password. You must later use this password to gain access to that keystore entry.

  2. Submit the certificate signing request file (client_alias.pk10, a PKCS #10 request that carries the public key) to a certificate authority (CA) to request a signed certificate.

    The CA returns your signed certificate (your public key signed by the CA) and the CA's own public certificate (the root certificate). These files have either a .crt or a .cer extension; for example, client_private.cer for the signed client certificate and client_public.cer for the CA's root certificate. You can rename the certificates as desired.

    Make sure that you save all certificates in a directory outside the OpenEdge installation directory. This ensures that the certificates are not deleted when you uninstall or re-install OpenEdge.

  3. Import the client certificate (client_private.cer) into the client keystore using the following command:
    pkiutil -import client_alias client_private_certificate_dir\client_private.cer

    In the preceding command, client_private_certificate_dir represents the location where you have stored the client certificate that you received from the CA.

    This step generates the client's PEM file, referred to in this procedure as client_private.pem.

    Note: The keystore in the OpenEdge installation directory is the client identity keystore.

  4. When you are prompted, enter the password you chose when you created the key pair (see Step 1). The pkiutil utility writes the certificate and private key to a file with a .pem extension in the OpenEdge-install-dir\keys directory.
  5. Use the following parameters in the CONNECT() method for the server handle in the ABL client procedure:
Table 1. ABL client parameters for TLS client authentication
Parameter Description
-sslAuth authentication_type
  • Specifies whether HTTPS access to the PAS for OpenEdge instance requires TLS client authentication.
  • Set this parameter to ssl to enable TLS client authentication for HTTPS access.
  • If the parameter is set to basic, the CONNECT() method for the server handle does not perform TLS client authentication (it uses HTTP Basic authentication instead). The default is basic.
-sslKeyFile filename
  • Specifies the location of the client's PEM file (client_private.pem), which holds the client certificate and its private key.
  • If you do not specify an absolute path, the connection operation looks for the file in the OpenEdge-install-dir\keys directory.
  • If -sslAuth is set to ssl, you must also specify -sslKeyFile; otherwise client authentication is not performed.
-sslKeyPwd password
  • Specifies the password that protects the private key in client_private.pem; the connection needs it to unlock the key.
  • The password can be given in cleartext or encoded with the genpassword utility.
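The following ABL procedure is an added example, not code from the original page or from Progress. It puts Step 5 into a complete connect, call, disconnect cycle so the three parameters from Table 1 can be seen in context. The host name pasoe.example.com, port 8811, the /apsv transport path, the session model, the remote procedure name and the password value are all assumptions; replace them with the values for your instance.

```abl
/* Added example (not from the original page). Assumes a PAS for OpenEdge
   instance reachable at https://pasoe.example.com:8811/apsv and a client
   PEM file named client_private.pem in OpenEdge-install-dir\keys, produced
   by pkiutil -import as described in Steps 3 and 4. */

DEFINE VARIABLE hServer    AS HANDLE    NO-UNDO.
DEFINE VARIABLE cConnect   AS CHARACTER NO-UNDO.
DEFINE VARIABLE cKeyPwd    AS CHARACTER NO-UNDO.
DEFINE VARIABLE lConnected AS LOGICAL   NO-UNDO.

/* Placeholder value. In production supply a genpassword-encoded string
   (or read it from a protected source) rather than a literal in code. */
cKeyPwd = "changeme".

/* -sslAuth ssl      : request TLS client authentication in the handshake.
   -sslKeyFile       : the PEM holding the client certificate and private key.
                       No absolute path, so OpenEdge-install-dir\keys is searched.
   -sslKeyPwd        : unlocks the private key inside the PEM.
   Leaving -sslAuth at its default (basic) would skip client authentication
   and the server handle would instead expect HTTP Basic credentials. */
cConnect = "-URL https://pasoe.example.com:8811/apsv"
         + " -sessionModel Session-free"
         + " -sslAuth ssl"
         + " -sslKeyFile client_private.pem"
         + " -sslKeyPwd " + cKeyPwd.

CREATE SERVER hServer.

lConnected = hServer:CONNECT(cConnect) NO-ERROR.
IF NOT lConnected OR ERROR-STATUS:ERROR THEN DO:
    /* A wrong key password or a certificate the server does not trust
       surfaces here as a failed CONNECT rather than as a later call error. */
    MESSAGE "CONNECT failed:" ERROR-STATUS:GET-MESSAGE(1)
        VIEW-AS ALERT-BOX ERROR.
    DELETE OBJECT hServer.
    RETURN.
END.

/* Mutually authenticated session established; run a remote procedure.
   getstatus.p is an assumed procedure name on the PAS for OpenEdge instance. */
RUN getstatus.p ON SERVER hServer NO-ERROR.
IF ERROR-STATUS:ERROR THEN
    MESSAGE "Remote call failed:" ERROR-STATUS:GET-MESSAGE(1)
        VIEW-AS ALERT-BOX ERROR.

hServer:DISCONNECT().
DELETE OBJECT hServer.
```

Keep the PEM file outside any directory that a package upgrade rewrites, and prefer an absolute -sslKeyFile path in deployed code so the client does not silently pick up a different file from OpenEdge-install-dir\keys.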