When an ABL client initiates an HTTPS connection request with a PAS for OpenEdge instance, the client must include certain details in its request so that, in addition to the mandatory server authentication, the client authentication is performed during the TLS handshake.

Note: You can configure an ABL client for either TLS client or HTTP basic authentication (using user ID and password) but not both.

The steps in this procedure involve the use of the pkiutil command utility, which provides the operations to create and manage keystore entries for OpenEdge clients and PAS for OpenEdge instances. These operations include the ability to generate a Privacy-Enhanced Mail (PEM)-formatted file from a keystore entry. A PEM file is a Base64-encoded text container; the one that pkiutil produces for a client holds the client's certificate together with its private key, and the private key is encrypted with the password you assign to the keystore entry.

For more information about the syntax and usage of the pkiutil utility, see pkiutil in Manage Keys and Certificates.

To obtain a private key and digital certificate for an ABL client:

  1. Create the private and public key pair for the ABL client:
    pkiutil -keysize 2048 -newreq client_alias

    In the preceding command, client_alias represents the name that corresponds to the keystore entry for the certificate and keys for the ABL client. When you execute this command, you are prompted for a password. You must use this password to access that keystore entry.

  2. Submit the certificate signing request file (client_alias.pk10, a PKCS#10 request that carries the client's public key) to a certificate authority (CA) to request a signed certificate.

    The CA returns both your signed certificate (your public key signed by the CA) and the public certificate of the CA (the root certificate). These certificates have either a .crt or a .cer extension, for example, client_private.cer for the signed client certificate and client_public.cer for the CA certificate. You can rename the certificates.

    Make sure that you save all certificates in a directory outside the OpenEdge installation directory. This ensures that the certificates are not deleted when you uninstall or re-install OpenEdge.

  3. Import the client certificate (client_private.cer) into the client keystore:
    pkiutil -import client_alias client_private_certificate_dir\client_private.cer

    In the preceding command, client_private_certificate_dir represents the location where you stored the client certificate that you received from the CA.

    Note: The keystore in the OpenEdge installation directory is the client identity keystore.
  4. When you are prompted, enter the password you used when you created the key pair in Step 1. The pkiutil utility combines the signed certificate with the client's private key and writes them to a PEM file (client_private.pem in this procedure) in the OpenEdge-install-dir\keys directory.
  5. Use the following parameters in the CONNECT() method for the server handle in the ABL client procedure:
Table 1. ABL client parameters for TLS client authentication

-sslAuth authentication_type
  • Specifies whether HTTPS access requires TLS client authentication.
  • Set this parameter to ssl to enable TLS client authentication for HTTPS access.
  • If the parameter is set to basic (the default), the CONNECT() method for the server handle uses HTTP basic authentication and does not perform TLS client authentication.
-sslKeyFile filename
  • Specifies the location of the client's PEM file (client_private.pem in this procedure), which holds the client certificate and its private key.
  • If you do not specify an absolute path, the connection operation searches for the file in the OpenEdge-install-dir\keys directory.
  • If -sslAuth is set to ssl, -sslKeyFile must also be specified; otherwise client authentication is not performed, and the connection does not fail on its own for that reason.
-sslKeyPwd password
  • Specifies the password that protects the client's private key in the PEM file; the client needs it to decrypt the key during the TLS handshake.
  • The password can be given in cleartext or in the encoded form produced by the genpassword utility. The genpassword encoding is obfuscation rather than encryption, so anyone who can read the procedure source can recover the password; restrict access to the source file accordingly.
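The following ABL procedure ties Steps 1 through 5 together on the client side. It is an added example, not code from the Progress documentation or from any OpenEdge product; the PAS host and port, the PEM path, the environment variable name and the remote procedure name are assumptions. It reads the private-key password from the environment instead of embedding it in the source, checks that the PEM file actually exists before connecting (because -sslAuth ssl with a missing -sslKeyFile silently falls back to server-only authentication), and reports every message the CONNECT() method queues when the handshake is rejected.

```abl
/* tlsclient.p -- connect to PAS for OpenEdge with TLS client authentication.
   Added example; host, port, paths, variable and procedure names are assumed. */

DEFINE VARIABLE hServer  AS HANDLE    NO-UNDO.
DEFINE VARIABLE cKeyFile AS CHARACTER NO-UNDO.
DEFINE VARIABLE cKeyPwd  AS CHARACTER NO-UNDO.
DEFINE VARIABLE cParams  AS CHARACTER NO-UNDO.
DEFINE VARIABLE lOk      AS LOGICAL   NO-UNDO.
DEFINE VARIABLE iMsg     AS INTEGER   NO-UNDO.

/* Absolute path to the PEM written by pkiutil -import (Steps 3 and 4).
   Without an absolute path the client looks in OpenEdge-install-dir\keys. */
cKeyFile = "C:\certs\client_private.pem".        /* assumed location */

/* The private-key password comes from an environment variable (assumed name)
   so that neither the cleartext nor a genpassword-encoded value is committed
   with the source. */
cKeyPwd = OS-GETENV("ABL_CLIENT_KEY_PWD").
IF cKeyPwd = ? OR cKeyPwd = "" THEN DO:
    MESSAGE "ABL_CLIENT_KEY_PWD is not set; refusing to connect."
        VIEW-AS ALERT-BOX ERROR.
    RETURN ERROR.
END.

/* Guard against the silent failure mode: -sslAuth ssl with an unreadable
   -sslKeyFile connects with server-only authentication instead of failing. */
FILE-INFO:FILE-NAME = cKeyFile.
IF FILE-INFO:FULL-PATHNAME = ? THEN DO:
    MESSAGE "Client PEM file not found:" cKeyFile VIEW-AS ALERT-BOX ERROR.
    RETURN ERROR.
END.

/* -URL names the APSV transport of the PAS instance (host and port assumed).
   The three -ssl* parameters are the ones from Table 1. */
cParams = "-URL https://pas.example.com:8811/apsv"
        + " -sslAuth ssl"
        + " -sslKeyFile " + cKeyFile
        + " -sslKeyPwd "  + cKeyPwd.

CREATE SERVER hServer.
lOk = hServer:CONNECT(cParams) NO-ERROR.

IF NOT lOk OR ERROR-STATUS:ERROR THEN DO:
    /* A handshake the server rejects (for example a client certificate it
       does not trust) or a wrong -sslKeyPwd surfaces here. */
    DO iMsg = 1 TO ERROR-STATUS:NUM-MESSAGES:
        MESSAGE ERROR-STATUS:GET-MESSAGE(iMsg) VIEW-AS ALERT-BOX ERROR.
    END.
    DELETE OBJECT hServer.
    RETURN ERROR.
END.

/* The connection is mutually authenticated; run a remote procedure
   (procedure name assumed). */
RUN whoami.p ON SERVER hServer NO-ERROR.
IF ERROR-STATUS:ERROR THEN
    MESSAGE ERROR-STATUS:GET-MESSAGE(1) VIEW-AS ALERT-BOX ERROR.

IF hServer:CONNECTED() THEN hServer:DISCONNECT().
DELETE OBJECT hServer.
```

Set ABL_CLIENT_KEY_PWD in the environment of the session that runs the procedure (a genpassword-encoded value works there as well as cleartext). Server authentication is unaffected by these parameters: the client still validates the PAS certificate against its trust store, and that check should stay enabled in production even while debugging client authentication failures.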