Mutual TSL /Client Certifcate authentication

[JamesBowen]

I have a requirement to expose a PASOE for WEB & AppServer to the internet.
The security requirement is that the client's public certificate is loaded into PASOE/tomcat.
So as part of TLS handshake process the client will present their public certificate (Client Certificate Authentication / mutual TLS) and we match that certificate with what we already have loaded.

Is this something that PASOE supports by allowing multiple public certificates to be loaded on the server?

 

[peterjudge]

It does, but is version dependent. It looks like you need at least 12.2 for the server side. See Progress Documentation

For the ABL client side, support for client certificates was added a few releases later. Like 12.4 and 12.5 if memory serves.

 

[Stefan]

PASOE 12.x uses Tomcat 9.0.

Apache Tomcat 9 (9.0.73) - SSL/TLS Configuration How-To contains:

Using name-based virtual hosts on a secured connection requires careful configuration of the names specified in a single certificate or Tomcat 8.5 onwards where Server Name Indication (SNI) support is available. SNI allows multiple certificates with different names to be associated with a single TLS connector.

 

[JamesBowen]

Currently running on OE 11.7.x. Upgrading to 12.x is not an option at this stage.

I am wondering whether to use Cloudflare to act as the first line of defence and it can handle the Client Certificate authentication for inbound request.

Follow up question, can 11.7.x PASOE/tomcat handle IP address whitelisting?

 

[peterjudge]

> Follow up question, can 11.7.x PASOE/tomcat handle IP address whitelisting?

Yep. This page refers to it, using the remote address valve in Tomcat.