Before you can use client authentication, you must complete a set of configuration tasks in PAS for OpenEdge. These tasks include:

  1. Importing the CA root certificate of the ABL client into the trust keystore used by the PAS for OpenEdge instance
  2. Enabling TLS client authentication in the HTTPS port
  3. Configuring Tomcat user accounts
  4. Setting the container login model of the ABL web application
  5. Ensuring that HTTPS support is enabled in your production instance

Complete the following steps to configure a PAS for OpenEdge instance for client authentication:

  1. Import the CA root certificate of the ABL client into the trust keystore of the instance:
    keytool -importcert -alias CA_certificate-alias -keystore instance-name\conf\tomcat-certstore.jks -trustcacerts -file CA_certificate_filepath.cer -storepass storepass  -noprompt

    The CA root certificate is required in establishing trust for the client certificate during an HTTPS connection.

    In the preceding command syntax:

    • CA_certificate-alias—Represents the alias of the CA root certificate in the trust keystore
    • instance-name—Represents the path of the PAS for OpenEdge instance directory on your machine
    • CA_certificate_filepath—Represents the full directory path of the ABL client's CA root certificate that you are importing into the trust keystore of the instance
    • storepass—Represents the trust keystore password
    Note: You must also import all required intermediate certificates into the trust keystore of the PAS for OpenEdge instance.
  2. Configure the HTTPS port of the instance:
    1. Enable HTTPS client authentication for the instance by setting the value of the psc.as.https.clientauth property to required:
      tcman config psc.as.https.clientauth=required

      Note that this property has two additional values that can be specified: none and optional.

      If the property is set to:
      • none, which is the default value, then client authentication is disabled.
      • optional, then client authentication is performed if a client presents its certificate. But if the client does not present a certificate, then no authentication is performed, and a connection request is accepted.
      • required, then client authentication must be performed for all ABL web applications deployed to the instance.
  3. Configure a user account (username, password, and roles) in the instance-name\conf\tomcat-users.xml file for each client that must use client authentication.

    When a client is successfully authenticated, Tomcat validates the client against the corresponding user account configured in tomcat-users.xml. Tomcat then grants or denies the client access to the instance according to the role that is defined for the user. The user account consists of comma-separated values, such as country (C), state (ST), organization (O), organizational unit (OU), and domain name server (CN). Note that you enter these details when you create your client certificate.

    The following is an example user account added to the tomcat-users.xml file:
    <user username="C=US,ST=client,O=Progress,OU=Openedge,CN=www.progress.com" password="password" roles="ROLE_PSCAdmin,ROLE_PSCOper,ROLE_PSCUser" />
    Note:
    • Use the pkiutil -list command on the ABL client to retrieve details of the client username.
    • Username details are displayed in the opposite order in the command window, starting with CN and ending with C. When you add the details to tomcat-users.xml, enter them in the following order: C, ST, O, OU, and CN.
    • The user ID in the ClientPrincipal object is set to the Distinguished Name (DN) in the client certificate. The following is an example of the ClientPrincipal user ID:
      "CN=www.progress.com,OU=Openedge,O=Progress,ST=client,C=US"
  4. Configure your ABL web application:

Configure ABL web application security

The Spring Security framework, which is an integral part of PAS for OpenEdge, is adaptable to a wide variety of authentication models and architecture. To configure security for your ABL web application, you must enable Spring Security in the PAS for OpenEdge instance, as described in the following steps:

  1. Open the instance-name\webapps\webapp-name\WEB-INF\oeablSecurity.properties file.
  2. Enable Spring Security in the instance by setting the apsv.security.enable property to container.
  3. Enable HTTPS client authentication in the <login-config> element in the instance-name\webapps\webapp-name\WEB-INF\web.xml deployment descriptor file.
    For example: 
    <login-config>
					<auth-method>CLIENT-CERT</auth-method>
					<realm-name>OpenEdge</realm-name>
</login-config>

    For ease of configuration, the web.xml-clientcert deployment descriptor file is provided in the same directory as the web.xml deployment descriptor file. The web.xml-clientcert file includes the required login configuration and security constraints. Make a backup copy of the web.xml file, and then rename the web.xml-clientcert file to web.xml.

    By default, the security constraint defined in the web.xml-clientcert deployment descriptor file applies to all ABL web application transports. Simply customize the <url-pattern> element inside the <security-constraint> element according to your business needs.

    The following is an example <security-constraint> element definition that restricts container security to the APSV transport:
    <security-constraint>
        <display-name>PASOE oeabl Security Constraint</display-name>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <url-pattern>/apsv/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>ROLE_PSCUser</role-name>
        </auth-constraint>
    </security-constraint>