If mutual authentication is required, the server and client must authenticate each other to ensure that both can be trusted.
By default, EAServer 6.x uses 2002 as the port for this type of SSL connection.
Both the server’s certificate and the client’s certificate must be imported into the Microsoft certificate store on the client computer as described in Importing an EAServer Certificate into the Client Certificate Store.
The client’s certificate file must include the private key for the client’s certificate. The server’s certificate file need not include its private key.
The server certificate used for mutual authentication cannot be the same as the certificate used for server-only authentication. Make sure you obtain the correct certificate file.
For mutual authentication, the client’s certificate file must be imported into the certificate store on the client computer and it must be available in the file system on the client computer, because it is referenced in the PowerScript code required to connect to EAServer.
Connection myconnect
int rc
myconnect = create Connection
myconnect.Application = "pbtest"
myconnect.Driver = "jaguar"
myconnect.UserID = "admin@system"
myconnect.Password = "sybase"
// iiops on port 2002: SSL connection with mutual authentication
myconnect.Location = "iiops://mydesktop:2002"
// Client certificate file (including its private key) and the file's password
myconnect.Options = "ORBclientCertificateFile='d:\work\sample1.p12',ORBclientCertificatePassword=abc"
rc = myconnect.connecttoserver( )
For mutual authentication, PowerBuilder .NET Web Forms applications and .NET Web services that are clients for EAServer require that the ASPNET account on the IIS server have access to the private key of the client certificate. Access to the private key of the server certificate is not required.
Use the Windows HTTP Services Certificate Configuration Tool (WinHttpCertCfg.exe) to configure client certificates. You can download this tool from the Microsoft Download Center.
cd C:\Program Files\Windows Resource Kits\Tools
WinHttpCertCfg -g -c LOCAL_MACHINE\MY -s "ABC" -a "ASPNET"
These commands assume that the tool is installed in the default location at C:\Program Files\Windows Resource Kits\Tools and that the client certificate's subject name is “ABC”. The -s argument is equivalent to the Issued To field in the MMC. The ASPNET account is valid for XP computers. You should use the “NetworkService” account for other Windows platforms. For the -c argument, always use “LOCAL_MACHINE\MY” rather than the actual name of the local computer.
For more information about the configuration tool’s options, type WinHttpCertCfg -help at the command prompt. For more information about installing client certificates for Web applications and services, see the Microsoft Help and Support site.
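To confirm the result of the WinHttpCertCfg grant described above, the following PowerShell check is an added example and is not part of the product documentation. It assumes Windows PowerShell 5.1 on Windows Vista or later and a client key held by a legacy CSP, so that the key is a file under MachineKeys; the parameter names and the default account are choices made for this example.

```powershell
# Added example: verify which accounts can read the client certificate's
# private key in LOCAL_MACHINE\MY. Assumes a CSP-backed RSA key.
param(
    [string]$Subject = 'ABC',                          # sample "Issued To" name used on this page
    [string]$Account = 'NT AUTHORITY\NETWORK SERVICE'  # or '<computer>\ASPNET' on XP
)

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $Subject } |
    Select-Object -First 1

if (-not $cert) { throw "No certificate issued to '$Subject' in LocalMachine\My." }
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; import the file that contains it."
}

# CSP machine keys are stored as files; the ACL on that file controls access.
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
$read    = [System.Security.AccessControl.FileSystemRights]::Read

$rules   = (Get-Acl -Path $keyPath).Access
$granted = $rules | Where-Object {
    $_.IdentityReference.Value -eq $Account -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $read) -eq $read
}

# List every identity on the key file so unexpected grants stand out.
$rules | Select-Object IdentityReference, AccessControlType, FileSystemRights |
    Format-Table -AutoSize

if ($granted) {
    "OK: $Account can read the private key of '$Subject'."
} else {
    "MISSING: $Account has no read access to the private key of '$Subject'."
}
```

Run it from an elevated prompt on the IIS server. Any identity in the listing other than administrators, SYSTEM and the intended service account is worth reviewing.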