When you use TLS to secure data transfer between a client application and a server (in this case, PAS for OpenEdge), the server presents its certificate, digitally signed by a third-party certificate authority (CA), to the client application during the TLS handshake. Authenticating the server and establishing its identity is part of the TLS handshake; this is how the client validates that it is connected to the intended server.

Depending on your business and security needs, you can also configure a client to authenticate its identity to the server. The configuration in which both the server and the client authenticate is referred to as mutual authentication. Before you can use client authentication, the intended server must be configured to require a client certificate.

TLS client authentication is supported for SOAP, REST, WEB, and static file access via PAS for OpenEdge, and for ABL clients connecting to PAS for OpenEdge over APSV.

For more information about TLS in PAS for OpenEdge, see Use TLS in PAS for OpenEdge in Manage Progress Application Server (PAS) for OpenEdge.

How client authentication works

The workflow when using client authentication is as follows:

  1. The client sends a message to the server (a PAS for OpenEdge instance). The message contains details about the client identity and other security-related information.
  2. The server responds with a message by sending its signed digital certificate and other security information required by the client.
  3. Upon successful authentication of the server, the client sends its digital certificate to the server. Note that the server must be configured to require the client certificate.
  4. The server authenticates the client based on the digital certificate.
  5. After the client and server are each authenticated, data transmission between the client and server begins.

Public and private keys, digital certificates, and trusted CAs

Private keys and digital certificates establish and verify identity and trust. TLS uses public key encryption for authentication. With public key encryption, a public key and a private key are generated as a pair. Data encrypted with the public key can be decrypted only with the corresponding private key. The public key is embedded in a digital certificate. Together, a private key and a digital certificate provide the identity of the ABL client.

The data embedded in a digital certificate is verified by a certificate authority (CA) and is digitally signed with the digital certificate of the CA. The digital certificate of the CA establishes trust.

Main steps for configuring client authentication

The main steps for configuring client authentication are:

  1. Set up the client:
    1. Generate a public and private key pair.
    2. Generate a Certificate Signing Request (CSR) and submit it to a CA.
    3. Store the certificate that is signed and returned by the CA.
  2. Configure the PAS for OpenEdge instance to require client certificates.
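The client-side steps above (1.1 through 1.3), carried out with the openssl command line, as an added example that is not part of the Progress documentation or the PAS for OpenEdge product. A throwaway local CA, constructed here, stands in for the third-party CA that signs the CSR in step 1.2; in production only the signed certificate and the CA's chain come back from the CA. All file names, subject names and the work directory are assumptions for this demonstration, and step 2 (configuring the PAS for OpenEdge instance to require client certificates) is not shown; see the manual referenced above for that side. The resulting client.key and client.crt are the private key and digital certificate the client presents in step 3 of the workflow in "How client authentication works".

```shell
#!/bin/sh
# Added example, not Progress code: client-side key pair, CSR and CA-signed
# certificate for TLS client authentication, using the openssl CLI.
# The CA created here is a constructed stand-in for a real third-party CA.
set -eu

# Creates the client identity under the directory given as $1.
# Leaves: client.key (private key), client.csr, client.crt, ca.crt (all names assumed).
make_client_identity() {
    dir="$1"
    mkdir -p "$dir"

    # Stand-in CA (constructed for this example). With a real CA, the CSR is
    # submitted and the signed certificate plus CA certificate are returned.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Example Test CA" >/dev/null 2>&1

    # Step 1.1: generate the client's public/private key pair.
    # The private key never leaves the client; mode 0600 limits who can read it.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/client.key" >/dev/null 2>&1
    chmod 600 "$dir/client.key"

    # Step 1.2: generate a CSR from that key. The CSR carries the public key
    # and the identity the CA is asked to certify; it is what goes to the CA.
    openssl req -new -key "$dir/client.key" -out "$dir/client.csr" \
        -subj "/CN=abl-client.example.test" >/dev/null 2>&1

    # The CA signs the CSR with its own private key (the CA's part of step 1.2).
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/client.crt" >/dev/null 2>&1

    # Step 1.3: store the returned certificate next to the private key
    # (here it is already written to $dir/client.crt).
}

# Checks the stored identity before it is used: the certificate must chain to
# the CA, and its public key must match the private key generated in step 1.1.
# Either mismatch would make the server reject the client during the handshake.
check_client_identity() {
    dir="$1"
    openssl verify -CAfile "$dir/ca.crt" "$dir/client.crt" >/dev/null 2>&1 || return 1
    key_pub=$(openssl pkey -in "$dir/client.key" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$dir/client.crt" -pubkey -noout 2>/dev/null)
    [ "$key_pub" = "$crt_pub" ]
}

# Shows the subject and issuer the server will see when the client presents the certificate.
show_client_identity() {
    openssl x509 -in "$1/client.crt" -noout -subject -issuer
}

# Usage: sh client_identity.sh /path/to/workdir
if [ $# -gt 0 ]; then
    make_client_identity "$1"
    check_client_identity "$1" && show_client_identity "$1"
fi
```

The check function is the part worth keeping around: a certificate that verifies against the CA but was issued for a different key, or a key whose certificate has been replaced, fails the TLS client-authentication step with an error that is hard to read from the server side, so confirming the pair locally before deployment saves a round of debugging.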