WSA + SSL

#1
11.2

Can anyone comment on their experience using SSL/certificates with WSA ... I vaguely recall seeing posts complaining about Progress' lack of &/or non-standard support for this ...

I am almost totally ignorant of SSL, it's always been one of those things our network guys take care of. But they/we have not delved into WSA until now.

I am talking about a Java/Axis client to a Progress WSA (I don't care about the case of a P4GL WS consumer). Any advice appreciated.
 

RealHeavyDude

#2
The first SSL handshake takes place between the client and the web server. The second SSL handshake could take place between the web server and the JSE ( Java Servlet Engine ) which hosts the WSA. There might be further SSL connections defined down the road ( AppServer and database ) too.

During the SSL handshake the server presents its SSL server certificate to the client so that the client is able to prove that the server's identity is the one it pretends to be ( this is done by checking the root certificate issued by a certificate authority which must be stored in the client's certificate store - if it was a Progress client it must reside in the %DLC%\certs directory ).

This is fully supported by any Progress client or server product.

During that SSL handshake the server optionally may request the SSL client certificate from the client. This is not commonly used on the internet ( https://www.amazon.com for example ) because usually the client ( you ) would authenticate with username / password alone ( this is called weak authentication because it is only based on something one knows ). With the SSL client certificate added to the authentication process it becomes a strong authentication ( something you know - the secret to fetch the SSL client certificate for example from the Windows certificate store - and something you have - the SSL client certificate ).

Progress products do not support the SSL client certificate. Therefore, when a server requests an SSL client certificate, a Progress ABL client cannot connect to it due to the lack of support for the SSL client certificate. Similarly, any Progress server product does not request the SSL client certificate and can't handle one. Therefore you can't use the SSL client certificate for any client ( ODBC, JDBC to the database or open client like Java or .NET to the AppServer ) connecting to any Progress server.

Bottom line: You cannot do strong authentication when either the client or the server is a Progress product.

Coming back to your case: The SSL handshake will be done between the client accessing your web service and the web server. If you will never use a Progress ABL client to access that web service you can very well use the SSL client certificate because every major technology that I know supports it - except Progress.

Regarding SSL itself: This is not done just like that. I would recommend you to get in contact with somebody that knows how to set this all up - especially on the web server.

Heavy Regards, RealHeavyDude.
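
The client side of the handshake described in the reply above, as an added example that is not part of the original post: a Java client that trusts only the CA root in a given truststore and, optionally, offers a client certificate if the web server requests one. It uses the JDK's JSSE classes directly rather than Axis; the class name, the `WSA_STORE_PASS` environment variable and the PKCS12 file arguments are assumptions made for illustration.

```java
import java.io.InputStream;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class WsaTlsClient {
    // Load a PKCS12 store (CA roots, or client certificate plus private key).
    static KeyStore load(String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, pass);
        }
        return ks;
    }

    // trust: the CA root(s) used to verify the web server's certificate.
    // client: null for server-only authentication; otherwise the client
    // certificate and key that are sent only if the server asks for one.
    static SSLContext build(KeyStore trust, KeyStore client, char[] pass) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        KeyManagerFactory kmf = null;
        if (client != null) {
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(client, pass);
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String envPass = System.getenv("WSA_STORE_PASS"); // assumed variable name
        if (args.length < 2 || envPass == null) {
            System.err.println("usage: WSA_STORE_PASS=... WsaTlsClient <https-url> <trust.p12> [client.p12]");
            return;
        }
        char[] pass = envPass.toCharArray();
        KeyStore client = args.length > 2 ? load(args[2], pass) : null;
        SSLContext ctx = build(load(args[1], pass), client, pass);
        HttpsURLConnection conn = (HttpsURLConnection) URI.create(args[0]).toURL().openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default HostnameVerifier is left in place, so the server name must match its certificate.
        System.out.println("HTTP " + conn.getResponseCode() + " via " + conn.getCipherSuite());
        conn.disconnect();
    }
}
```

If the server's certificate does not chain to a root in the truststore, `getResponseCode()` throws an `SSLHandshakeException` instead of returning a status.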
 
#3
Thanks as always for the exceptional reply.

We have several SSL wizards ... but (a) I am not one of them and (b) WSA is all new to us.

Cheers!
 