
Does Progress support client-side digital certificates with SSL?


Information

 
Title: Does Progress support client-side digital certificates with SSL?
URL Name: Progress-support-client-side-digital-certificates-with-SSL
Article Number: 000176256
Environment
Product: OpenEdge
Version: All supported versions
OS: All supported platforms
Other: Security, SSL/TLS
Question/Problem Description
Does Progress support client-side digital certificates with SSL?
Does OpenEdge support two-way SSL?
How to use client-side digital certificates within SSL enabled ABL connections?
Is ABL capable of using SSL client-side digital certificates?
Does the Progress ABL client support mutual authentication?
Does .NET Open Client support two-way SSL?
Does the ABL support client-side SSL verification?
Does the ABL support bi-directional SSL verification?
Does the ABL support verifying that the SSL client is "who it says it is"?
Can authentication be enforced using a client-side certificate?
Does the HTTP client support SSL client authentication for consuming REST Web Services?
Does the HTTP client support SSL/TLS mutual authentication?
Does the HTTP client support SSL/TLS two-way authentication?
 
Steps to Reproduce
Clarifying Information
Client-side verification is the reverse of normal SSL verification.
  • Normal SSL verification ensures that the server the client is connecting to is, in fact, the real server. 
  • Client-side SSL verification is when the server is able to verify, via SSL, that the client is who the client says it is.
Error Message
Secure Socket Layer (SSL) failure. error code 17424: SSL Routines (9318)
Secure Socket Layer (SSL) failure. error code <err_number>: <ssl_error_message> (9318)
An error occurred processing an SSL API request. This could be a general TCP network error or an error processing the validation of the digital certificate.
Defect Number
Enhancement Number
Cause
Except for the Web Services client and the HTTP Client, Progress OpenEdge does not currently implement Client-side Digital Certificate support within the ABL. This includes all OpenEdge ABL and OpenClient products.
 
Resolution

ABL / HTTP Client

Starting with OpenEdge 12.4, client-side TLS authentication has been implemented for the ABL client socket and, with that, also for the HTTP Client.
For further information, please refer to the documentation: Configure TLS security settings.


Web Services Client

Starting with OpenEdge 11.4, client authentication has been implemented for the Web Services client. For further information, refer to the article: Does the OpenEdge client support SSL client authentication for consuming SOAP Web Services?

Other components do not provide support for client-side certificates at this time.


Progress Application Server for OpenEdge (PASOE)

PASOE fully supports HTTPS client authentication for all available transports (ABL, REST, SOAP). 

In order to enable HTTPS client authentication: 
  • Open OE Explorer/Management Console
  • Edit the PAS instance configuration 
  • In the property configuration page, select the Advanced tab
  • Locate the psc.as.https.clientauth setting and set it to true (see attachment)
HTTPS client authentication can also be changed with the following command: 
 
$ tcman config psc.as.https.clientauth=true
 
PASOE supports TLS client-authentication for HTTP type clients via Tomcat's https connector.   
It is standard Tomcat functionality and PASOE does not do anything to enhance it or degrade it.   
When using TLS client-authentication, configure the web application's Spring Security for the 'container' security model, and define the Tomcat ROLE names used in the updated WEB-INF/web.xml.   
The Spring Security container security model bridges the Tomcat servlet security with Spring Security's authentication and URL authorization processes.
So you get the ability to use Tomcat's TLS client-authentication with the same Spring Security authorization and Client-Principal handling.
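
As an added illustration (not taken from the Progress documentation or from a shipped PASOE web.xml), these are the standard Servlet deployment-descriptor elements that tie Tomcat's TLS client-authentication to role names in WEB-INF/web.xml. The URL pattern, the role name PSCUser and the realm name are hypothetical placeholders.

```xml
<!-- Added example: standard Servlet descriptor elements, placed inside <web-app>. -->
<!-- The URL pattern, role name and realm name are hypothetical placeholders.     -->

<!-- Require an authenticated caller holding the role for the protected URLs. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected services</web-resource-name>
    <url-pattern>/rest/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>PSCUser</role-name>
  </auth-constraint>
  <!-- Refuse plain HTTP: a client certificate only exists on a TLS connection. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Authenticate the caller from the certificate presented in the TLS handshake. -->
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>PASOE client certificates</realm-name>
</login-config>

<!-- Every role referenced in an auth-constraint must be declared here. -->
<security-role>
  <role-name>PSCUser</role-name>
</security-role>
```

With CLIENT-CERT, Tomcat's configured realm must still map the certificate subject to a user that holds the declared role; a certificate that merely chains to a trusted CA completes the handshake but is not authorized for the constrained URLs.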


Other components

It was determined that the Progress Product is functioning as designed.
 
An enhancement to the product can be requested through the Progress Community via an Ideas submission. Customer feedback is valuable and Idea submissions are monitored by our Product Management team. Enhancement requests are reviewed during the planning phase of each new product release, and a list of the enhancements chosen for implementation can be found in the Release Notes documents that accompany each release. Once an Idea is submitted, the Progress Software Community will have the opportunity to comment on and vote for the Idea. Its priority will be evaluated as customer demand weighs in through Article Feedback and through vote count in the Ideas Portal.
 
For detailed information on how to submit an Idea, please refer to Knowledge Base article: How to submit an enhancement request for a Progress product?
 
Workaround
For the Classic AppServer, one of the following alternatives can be used:
  • Use STunnel (www.stunnel.org) as a proxy between the (Web) Service and the OpenEdge client.
  • Use the .NET or Java OpenClient to communicate with the (Web) Service by using a .NET or Java front-end and the OpenEdge AppServer as the back-end. 
  • Generate a .NET client-side proxy using a .NET development environment and then use that proxy with ABL for .NET programming to call the (Web) Service. Please note that non-UI objects are only supported since OpenEdge 10.2B02.
  • Use Sonic to call the (Web) Service in combination with the OpenEdge SonicMQ Adapter.

These alternatives rely on third-party technology; further assistance with them is outside the scope of Progress Technical Support.
Notes
Keyword Phrase
Last Modified Date: 9/4/2023 3:19 PM