Infoclient connection with mTLS



Infoclient connection with mTLS

1. Issue and trust certificates

First, issue the certificates. The server certificate and all client certificates must be issued by the same CA (Certification Authority). The server and every client must trust the CA's root certificate, and every client must additionally have its own client certificate installed.

To do this, import each certificate with the MMC (Microsoft Management Console). Open the MMC, navigate to (Certificates (Local Computer) > Own Certificates), right-click "Own Certificates", then choose "All Tasks" and "Import". Alternatively, the certificates can be rolled out with software distribution.

 

Change certificate store (optional)

If you want to change the certificate store in which Cordaware bestinformed searches for the certificate, proceed as follows:

 

Open the configuration app in your Cordaware bestinformed web interface and create a new configuration.

Set the type to Custom and check "Open-end" under "Advanced time settings".

Now set the checkmark at "User-defined sections" and enter the following:

 


[General]

ClientCertificateStorageAccessTypes=NAME

 

Replace the placeholder NAME with the name of the certificate store (the allowed values are listed in the table below).

 

The default setting is:

 


[General]

ClientCertificateStorageAccessTypes=CurrentUser

 

If the client certificate was issued with a custom CN, that CN must be specified explicitly. In this case, also add the following to your configuration:

 


[General]

ClientCertificate=CUSTOM_CERTIFICATE_CN

 

Replace the placeholder CUSTOM_CERTIFICATE_CN with the common name of the client certificate.

 

If you omit this line, the Infoclient derives the expected certificate name for each user automatically (see the example below).

 

Leave the recipients empty to send the configuration to all clients.

 

 

Setting

Allowed values / default value

Function

ClientCertificateStorageAccessTypes

CurrentService, CurrentUser, CurrentUserGroupPolicy, LocalMachine, LocalMachineEnterprise, LocalMachineGroupPolicy, Services, Users (Default=CurrentUser)

Defines the certificate store that Cordaware bestinformed accesses.

ClientCertificateSystemStores

MY, CA, ROOT, SYSTEM (Default=MY)

Defines the system store in which the certificates are located.

ClientCertificate

username.hostname, computername.domainname,  commonname,  hostname,   CUSTOM_CERTIFICATE_CN

(Default=username.hostname)

If the client certificate was issued with a user-defined CN, that CN must be specified explicitly here. Without this entry, the expected client certificate name is derived for each user automatically.

 

By default, this setting is set to username.hostname.

 


Example:

 

If the Windows login name is, for example, max.mustermann and the hostname of the server is cordaware.firma.local, the Infoclient expects a client certificate whose CN is max.mustermann.cordaware.firma.local.

 

 

 

2. Import certificates into Cordaware bestinformed.

 

Open the folder "/Cordaware/best_srv/etc/certs" and copy your certificate files into it.

 

Then open the file "app.config" in the path "/Cordaware/best_srv/data/configs".

Search the file for "8431" and, in the lines below that match, replace the certificate file names as follows:

 


{keyfile,"etc/certs/best_key.pem"}, -> {keyfile,"etc/certs/SERVER_KEY_NAME"},

 


{certfile,"etc/certs/best_cert.pem"}, -> {certfile,"etc/certs/SERVER_CERTIFICATE_NAME"},

 

Then insert the following line:

 


{cacertfile,"etc/certs/CA_CERTIFICATE_NAME"},

 

Replace the placeholders SERVER_KEY_NAME, SERVER_CERTIFICATE_NAME and CA_CERTIFICATE_NAME with the respective file names.

 

After that, delete the line containing "{handshake, hello}" and remove the trailing "," from the line above it (the list must remain syntactically valid) in order to deactivate PSK.

 

Before

After

{listeners, [

 {'buri:ssl', {"0.0.0.0",8431}, [

   {acceptors,   100},

   {max_connections, 500000},

   {access,[{allow,all}]},

   {active_n,100},

   %{proxy_header,true}, if behind load balancer

   %% SSL certificate and key files

   {ssl_options,

     [{ciphers, [

       "ECDHE-ECDSA-AES256-GCM-SHA384",

       "ECDHE-RSA-AES256-GCM-SHA384",

       "ECDHE-ECDSA-AES128-GCM-SHA256",

       "ECDHE-RSA-AES128-GCM-SHA256"]},

       {keyfile,"etc/certs/best_key.pem"},

       {certfile,"etc/certs/best_cert.pem"},

       {fail_if_no_peer_cert,false},

       {versions,['tlsv1.2']}, % 1.2 only, later if release 1.3 only

       {honor_cipher_order, true}, % only our cipher

       {honor_ecc_order, true}, % only our ecc

       {verify, verify_none},

       {reuse_sessions,true},

       {handshake, hello}

     ]},

   %% Socket Options

   {tcp_options,[{backlog,1024},{nodelay,true}]}

 ]}

]}]},

{listeners, [

 {'buri:ssl', {"0.0.0.0",8431}, [

   {acceptors,   100},

   {max_connections, 500000},

   {access,[{allow,all}]},

   {active_n,100},

   %{proxy_header,true}, if behind load balancer

   %% SSL certificate and key files

   {ssl_options,

     [{ciphers, [

       "ECDHE-ECDSA-AES256-GCM-SHA384",

       "ECDHE-RSA-AES256-GCM-SHA384",

       "ECDHE-ECDSA-AES128-GCM-SHA256",

       "ECDHE-RSA-AES128-GCM-SHA256"]},

       {keyfile,"etc/certs/<SERVER_KEY_NAME>"},

       {certfile,"etc/certs/<SERVER_CERTIFICATE_NAME>"},

       {cacertfile,"etc/certs/<CA_CERTIFICATE_NAME>"},

       {fail_if_no_peer_cert,false},

       {versions,['tlsv1.2']}, % 1.2 only, later if release 1.3 only

       {honor_cipher_order, true}, % only our cipher

       {honor_ecc_order, true}, % only our ecc

       {verify, verify_none},

       {reuse_sessions,true}

     ]},

   %% Socket Options

   {tcp_options,[{backlog,1024},{nodelay,true}]}

 ]}

]}]},

 

3. Only allow connections with client certificates.

 

Change the following values in the lines below. Until both values are changed, the server still accepts connections from clients that present no certificate; these two settings are what actually enforce the client certificate requirement.

 


{fail_if_no_peer_cert, false}, -> {fail_if_no_peer_cert, true},

 


{verify, verify_none}, -> {verify, verify_peer},

 

Before

After

{listeners, [

 {'buri:ssl', {"0.0.0.0",8431}, [

   {acceptors,   100},

   {max_connections, 500000},

   {access,[{allow,all}]},

   {active_n,100},

   %{proxy_header,true}, if behind load balancer

   %% SSL certificate and key files

   {ssl_options,

     [{ciphers, [

       "ECDHE-ECDSA-AES256-GCM-SHA384",

       "ECDHE-RSA-AES256-GCM-SHA384",

       "ECDHE-ECDSA-AES128-GCM-SHA256",

       "ECDHE-RSA-AES128-GCM-SHA256"]},

       {keyfile,"etc/certs/<SERVER_KEY_NAME>"},

       {certfile,"etc/certs/<SERVER_CERTIFICATE_NAME>"},

       {cacertfile,"etc/certs/<CA_CERTIFICATE_NAME>"},

       {fail_if_no_peer_cert,false},

       {versions,['tlsv1.2']}, % 1.2 only, later if release 1.3 only

       {honor_cipher_order, true}, % only our cipher

       {honor_ecc_order, true}, % only our ecc

       {verify, verify_none},

       {reuse_sessions,true}

     ]},

   %% Socket Options

   {tcp_options,[{backlog,1024},{nodelay,true}]}

 ]}

]}]},

{listeners, [

 {'buri:ssl', {"0.0.0.0",8431}, [

   {acceptors,   100},

   {max_connections, 500000},

   {access,[{allow,all}]},

   {active_n,100},

   %{proxy_header,true}, if behind load balancer

   %% SSL certificate and key files

   {ssl_options,

     [{ciphers, [

       "ECDHE-ECDSA-AES256-GCM-SHA384",

       "ECDHE-RSA-AES256-GCM-SHA384",

       "ECDHE-ECDSA-AES128-GCM-SHA256",

       "ECDHE-RSA-AES128-GCM-SHA256"]},

       {keyfile,"etc/certs/<SERVER_KEY_NAME>"},

       {certfile,"etc/certs/<SERVER_CERTIFICATE_NAME>"},

       {cacertfile,"etc/certs/<CA_CERTIFICATE_NAME>"},

       {fail_if_no_peer_cert,true},

       {versions,['tlsv1.2']}, % 1.2 only, later if release 1.3 only

       {honor_cipher_order, true}, % only our cipher

       {honor_ecc_order, true}, % only our ecc

       {verify, verify_peer},

       {reuse_sessions,true}

     ]},

   %% Socket Options

   {tcp_options,[{backlog,1024},{nodelay,true}]}

 ]}

]}]},

 

Now save the file and restart the "Cordaware_bestinformed_best_srv" service.

 

If you use ClientCertificateStorageAccessTypes, the client certificates must be imported into the store (Certificates (Local User) > Own Certificates).