Urgent HTTP logon with certificate

We are experiencing a strange problem. We have configured the IS to use certificates. We have setup the certificates for the server itself and also for our clients.

If our clients logon to the IS over https, everything works fine. That is, the client certificate is correctly mapped to the associated user, and the document from the client is correctly posted to TN as well.

As soon as the clients use the http protocol instead of https, the authentication fails. It looks like the mapping from the certificate to the user does not take place.

Has anyone experienced this behavior before? If so what is the remedy?

Quick help on this will be appreciated.

-Rajesh Rao

Rajesh,

I am not sure if I understand your question. HTTPS is running HTTP over SSL. The certificate authentication (for client and server) is part of the SSL protocol. If you use plain HTTP, then wm server would not request/provide any certificates for authentication as there is no SSL involved.

~tS

Rajesh,
Make sure the client uses a different port for the HTTP protocol, instead of the same port which is configured for HTTPS.

Rajesh - I think Tahira is right - X.509 certificate authentication probably needs HTTPS to work.

Thanks for your replies.

If the username and password can be passed in the http header, why not certificate information? The reason I am insisting on the logon with certificate is that according to AS2 specs, client authentication SHOULD occur based on client certificate and not based on user name and password. Additionally it is mentioned that http CAN be used and it is not a MUST to use https. So if a client opts for http and would like to use client certificate for authentication, how could this be achieved?

-Rajesh Rao

The original HTTP 1.1 RFC mentions about 10 header fields, but arbitrary and experimental header fields can be added. Nothing stops certificate information being sent over HTTP headers.

However, my impression is X.509 client certificate authentication uses functionality provided by the SSL layer. i.e. The HTTPS/SSL channel is first setup (optionally with X.509 client authentication), and then HTTP request-response interaction occurs in plain text with normal headers in the channel below.

I'd be interested to know if this is not the case in AS2 - can you point to publicly available specs?

Rajesh,

I think you are confusing the AS2-client/payload authentication with your connection authentication. The certificate in HTTPS/SSL is providing the connection authentication/encryption. The actual client authentication for AS2 happens when one successfully verifies the signature of the sender/payload sent over either a plain HTTP or a secured HTTPS connection. The payload/AS2 certificate setup in your TN for client authentication could be different (and often is) than the one used to connect to your server.
I once looked at the AS2 specs/RFC and if I remember correctly both the payload and connection security were optional, i.e., you could send an AS2 message in plain text (not signed/encrypted) over a plain HTTP connection thus having no security.

~tS

Thanks Sonam, Tahira for your replies.

Sonam:
The information on AS2 specs can be found at
[url="http://www.ietf.org/internet-drafts/draft-ietf-ediint-as2-20.txt"]http://www.ietf.org/internet-drafts/draft-ietf-ediint-as2-20.txt[/url]

Tahira:
Authentication is the process where the receiving server recognizes that the incoming request is from the valid client using either user/pass or certificate.
From my understanding, only non repudiation and data integrity of the message are achieved using the digital signature and not authentication of the client. If it is not so, please let me know.

-Rajesh Rao

Rajesh,

Authentication in terms of AS2 is authenticating who the sender was, which is done by verifying the signature, not what certificate was used to connect to the server. The authentication certificate (as you point out) can be different than the one used in AS2 setup and thus may not be involved in the AS2 operations.
As your link for AS2 states - both the payload and connection are optional.
The security/client authentication you are talking about is not related to AS2 but is the client side SSL authentication.

~tS

Rajesh,

Another thought - I have worked with a few packages (used by our clients) that are Drummond Group AS2 certified but did not support the client SSL authentication as it is not part of the AS2 standard.

~tS