Mutual Authentication – PB Docs 120


Mutual Authentication

If mutual authentication is required, the server and client
must authenticate each other to ensure that both can be trusted.

By default, EAServer 6.x uses 2002 as the port for this type of
SSL connection.

Both the server's certificate and the client's
certificate must be imported into the Microsoft certificate store
on the client computer as described in Importing an EAServer Certificate into the Client Certificate Store.

Note:

The client's certificate file must include the private
key for the client's certificate. The server's
certificate file need not include its private key.

The server certificate used for mutual authentication cannot
be the same as the certificate used for server-only authentication.
Make sure you obtain the correct certificate file.

For mutual authentication, the client's certificate
file must be imported into the certificate store on the client computer and it
must be available in the file system on the client computer, because
it is referenced in the PowerScript code required to connect to
EAServer.

Two new key/value pairs in the Options property of
the Connection object are used for mutual authentication:

  • ORBclientCertificateFile is used to specify the
    file name of the client certificate file.

  • ORBclientCertificatePassword is used to specify
    the password for the certificate if any. There is no need to use
    this key if the certificate is not protected by password.

Connection code

In the PowerScript connection code, change the EAServer host's
address to a URL that begins with "iiops" and
ends with the correct SSL port. The following sample code connects
to an EAServer host that requires mutual authentication:
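An added example of such a connection, not the sample from the original help page. The host name, application name, certificate path, and window controls (sle_userid, sle_password, sle_certpwd) are assumptions, and the comma separator and single-quote quoting inside Options follow the general Connection Options syntax rather than anything stated on this page.

```powerscript
// Added example; all names and paths below are placeholders.
Connection myconnect
long   ll_rc
string ls_certfile, ls_certpwd, ls_options

// Client certificate file (must contain the client's private key).
ls_certfile = "C:\certs\pbclient.p12"        // assumed path
// Read the certificate password at run time instead of hard-coding it.
ls_certpwd = sle_certpwd.Text                // assumed SingleLineEdit control

// The file is referenced by the Options property, so it must exist on disk.
IF NOT FileExists(ls_certfile) THEN
   MessageBox("SSL", "Client certificate file not found: " + ls_certfile)
   RETURN
END IF

// Build the key/value pairs used for mutual authentication.
// Separator and quoting are assumptions (see the lead-in).
ls_options = "ORBclientCertificateFile='" + ls_certfile + "'"
IF Len(ls_certpwd) > 0 THEN
   // Only needed when the certificate is password protected.
   ls_options += ",ORBclientCertificatePassword='" + ls_certpwd + "'"
END IF

myconnect = CREATE Connection
myconnect.Application = "myapp"              // assumed application name
myconnect.Driver      = "jaguar"
myconnect.UserID      = sle_userid.Text      // assumed control
myconnect.Password    = sle_password.Text    // assumed control
// iiops URL ending with the mutual-authentication SSL port (2002 by default).
myconnect.Location    = "iiops://eahost:2002" // assumed host name
myconnect.Options     = ls_options

ll_rc = myconnect.ConnectToServer()
IF ll_rc <> 0 THEN
   // Report the failure; never echo the certificate password.
   MessageBox("Connection failed", &
      String(myconnect.ErrCode) + ": " + myconnect.ErrText)
   DESTROY myconnect
   RETURN
END IF
```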

Configuration step required for Web Forms and Web services

For mutual authentication, PowerBuilder .NET Web Forms applications
and .NET Web services that are clients for EAServer require that
the ASPNET account on the IIS server have access to the private
key of the client certificate. Access to the private key of the
server certificate is not required.

Use the Windows HTTP Services Certificate Configuration Tool (WinHttpCertCfg.exe)
to configure client certificates. You can download this tool from
the Microsoft Download Center.

To grant access rights to the private key of the client certificate
for the ASPNET account on the IIS server, type the following commands
at a command prompt:

These commands assume that the tool is installed in the default
location at C:\Program Files\Windows Resource Kits\Tools
and that the client certificate's subject
name is "ABC". The -s argument
is equivalent to the Issued To field in the MMC. The ASPNET account
is valid for XP computers. You should use the "NetworkService" account
for other Windows platforms. For the -c argument,
always use "LOCAL_MACHINE\MY" rather
than the actual name of the local computer.

For more information about the configuration tool's
options, type WinHttpCertCfg -help at
the command prompt. For more information about installing client
certificates for Web applications and services, see the Microsoft Help and Support site.


Document taken from the PowerBuilder help.