Before you can use client authentication, you must complete a set of configuration tasks in PAS for OpenEdge:

  1. Import the CA root certificate of the ABL client into the trust keystore used by the PAS for OpenEdge instance.
  2. Enable TLS client authentication in the HTTPS port.
  3. Configure Tomcat user accounts.
  4. Set the container login model of the ABL web application.
  5. Ensure that HTTPS support is enabled in your production instance.

To configure a PAS for OpenEdge instance for client authentication:

  1. Import the CA root certificate of the ABL client into the trust keystore of the instance:
    keytool -importcert -alias CA_certificate-alias -keystore instance-name\conf\tomcat-certstore.p12 -trustcacerts -file CA_certificate_filepath.cer -storepass storepass  -noprompt

    The CA root certificate is required to establish trust for the client certificate during an HTTPS connection.

    In the preceding command syntax:

    • CA_certificate-alias—The alias of the CA root certificate in the trust keystore
    • instance-name—The path of the PAS for OpenEdge instance directory on your machine
    • CA_certificate_filepath—The full directory path of the ABL client's CA root certificate that you are importing into the trust keystore of the instance
    • storepass—The trust keystore password
    Note: You must also import all required intermediate certificates into the trust keystore of the PAS for OpenEdge instance.
  2. Configure the HTTPS port of the instance:
    1. Enable HTTPS client authentication for the instance by setting the value of the psc.as.https.clientauth property to required:
      tcman config psc.as.https.clientauth=required

      Note that this property has two additional values that can be specified: none and optional.

      If the property is set to:
      • none, which is the default value, then client authentication is disabled.
      • optional, then client authentication is performed if a client presents its certificate. But if the client does not present a certificate, then no authentication is performed, and a connection request is accepted.
      • required, then client authentication must be performed for all ABL web applications deployed to the instance.
  3. Configure a user account (username, password, and roles) in the instance-name\conf\tomcat-users.xml file for each client that must use client authentication.

    When a client is successfully authenticated, Tomcat validates the client against the corresponding user account configured in the tomcat-users.xml file. Tomcat then grants or denies the client access to the instance according to the role that is defined for the user. The user account consists of comma-separated values, such as country (C), state (ST), organization (O), organizational unit (OU), and domain name server (CN). Note that you enter these details when you create your client certificate.

    The following is an example user account added to the tomcat-users.xml file:
    <user username="C=US,ST=client,O=Progress,OU=Openedge,CN=www.progress.com" password="password" roles="ROLE_PSCAdmin,ROLE_PSCOper,ROLE_PSCUser" />
    Note:
    • Use the pkiutil -list command on the ABL client to retrieve details about the client username.
    • Username details are displayed in the opposite order in the command window, starting with CN and ending with C. When you add the details to tomcat-users.xml, enter them in the following order: C, ST, O, OU, and CN.
    • The user ID in the CLIENT-PRINCIPAL object is set to the Distinguished Name (DN) in the client certificate. The following is an example of the CLIENT-PRINCIPAL user ID:
      "CN=www.progress.com,OU=Openedge,O=Progress,ST=client,C=US"
  4. Configure your ABL web application:

Configure the ABL web application security

The Spring Security framework, which is an integral part of PAS for OpenEdge, is adaptable to a wide variety of authentication models and architecture. To configure security for your ABL web application, you must enable Spring Security in the PAS for OpenEdge instance:

  1. Open the instance-name\webapps\webapp-name\WEB-INF\oeablSecurity.properties file.
  2. Enable Spring Security in the instance by setting the apsv.security.enable property to container.
  3. Enable HTTPS client authentication in the <login-config> element in the instance-name\webapps\webapp-name\WEB-INF\web.xml deployment descriptor file:
    <login-config>
	<auth-method>CLIENT-CERT</auth-method>
	<realm-name>OpenEdge</realm-name>
</login-config>

    For ease of configuration, the web.xml-clientcert deployment descriptor file is provided in the same directory as the web.xml deployment descriptor file. The web.xml-clientcert file includes the required login configuration and security constraints. Make a backup copy of the web.xml file, and then rename the web.xml-clientcert file to web.xml.

    By default, the security constraint defined in the web.xml-clientcert deployment descriptor file applies to all ABL web application transports. Customize the <url-pattern> element inside the <security-constraint> element according to your business needs.

    The following is an example <security-constraint> element definition that restricts container security to the APSV transport:
    <security-constraint>
        <display-name>PASOE oeabl Security Constraint</display-name>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <url-pattern>/apsv/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>ROLE_PSCUser</role-name>
        </auth-constraint>
    </security-constraint>
  4. To use TLS Client authentication for Webapp using APSV transport, perform the following:
    1. Open the instance-name\webapps\webapp-name\WEB-INF\oeablSecurity.properties file.
    2. Set client.login.model=container.
    3. Take a back-up of instance-name\webapps\webapp-name\WEB-INF\oeablSecurity.csv file.
    4. Open the instance-name\webapps\webapp-name\WEB-INF\oeablSecurity.csv file.
    5. In the "APSV Container Login model Configuration" section, uncomment the following line:

      "/apsv/**","OPTIONS","hasAnyRole('ROLE_PSCUser','ROLE_ANONYMOUS')".

      And, comment the following:

      "/apsv/**","OPTIONS","hasAnyRole('ROLE_PSCUser')".

    6. Then save and close the file.