iTP Secure WebServer System Administrator's Guide (iTPWebSvr 6.0+)
Configuring for Secure Transport
iTP Secure WebServer System Administrator’s Guide—523346-002
Client authentication does not occur unless you specify either the -requestauth or
-requireauth option. Specifying one of these options allows you to use the web client’s
authentication information in Region configuration directives to restrict access to the
iTP Secure WebServer. Client authentication can be set by using the
RequireSecureTransport -auth command or by accessing specific Region variables
and restricting access based on these variables.
After the iTP Secure WebServer requests and receives the web client certificate from
the web client as either an individual certificate or as a certificate chain, it performs the
following steps for client authentication:
1. Builds an internal certificate chain using what the web client has returned (a
certificate for SSL 2.0 or PCT, or a certificate chain for SSL 3.0).
2. Attempts to back-build the internal certificate chain by retrieving issuer certificates
from the certificate database and adding them to the internal certificate chain. The
chain is built until the server either retrieves a certificate that is marked as root
from the database or it cannot find an issuer of a certificate on the chain in the
database.
3. Verifies each certificate in the chain, starting with the leaf, to ensure that the chain
is well-formatted, is in its validity period, follows the Basic Constraints and Key
Usage extensions rules, and has a valid signature that was issued by its successor
in the chain.
4. Stores the results of this verification in the various Tool Command
Language/Common Gateway Interface (Tcl/CGI) variables.
5. Appends the appropriate log messages to the Extended Log File (ELF) entry.
From this point, the server’s action depends on its specific configuration, as shown in
the list of variable settings in Using the -requestauth Option below.
Using the -requireauth Option
When you set the -requireauth option, and the web client supplies an invalid
certificate (for example, if the certificate does not exist, contains an error, is forged or
expired, or is issued by a CA that is unknown to the server), the server always refuses
the connection request from the web client, then logs error messages to the error and
extended log files.
When the web client supplies a valid certificate, the server allows the connection and
sets the HTTPS_CLIENT_STATUS variable to valid. The server also sets all the other
HTTPS_CLIENT Tcl/CGI variables at the same time. For information about these
Tcl/CGI variables, see Passing CGI Environment Variables on page 8-11.
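To make the five client-authentication steps and the -requireauth behaviour described above concrete, here is an added example that is not code from the iTP Secure WebServer or from this guide. It models, in Python, how a server builds the internal chain from what the client presented, back-builds it from a certificate database until a root is reached or an issuer is missing, verifies each certificate from the leaf upward, records the result in HTTPS_CLIENT_STATUS, and refuses the connection under -requireauth unless the status is valid. Certificates are simplified records and the signature is a toy hash scheme rather than X.509/RSA; the CA names, dates, log-message wording and every status value other than "valid" are constructed assumptions.

```python
"""Model of the client-certificate chain checks described in the guide.

Certificates are simplified records and the signature is a toy hash scheme
(sha256 over the issuer's key plus the signed fields), NOT X.509/RSA, so only
the structure of chain building and verification is demonstrated. All names,
dates, log wording and status values other than "valid" are constructed."""
import hashlib
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: int        # validity period, constructed as day numbers
    not_after: int
    is_ca: bool            # Basic Constraints cA flag
    key_cert_sign: bool    # Key Usage keyCertSign bit
    key: str               # toy "key" standing in for the public key
    signature: str = ""    # filled in by sign()
    is_root: bool = False  # marked as root in the certificate database


def _tbs(c):
    """Fields covered by the signature (the to-be-signed part)."""
    return f"{c.subject}|{c.issuer}|{c.not_before}|{c.not_after}|{c.is_ca}|{c.key_cert_sign}|{c.key}"


def sign(c, issuer_key):
    """Toy signing: a hash over the issuer's key and the to-be-signed fields."""
    sig = hashlib.sha256(f"{issuer_key}|{_tbs(c)}".encode()).hexdigest()
    return replace(c, signature=sig)


def build_chain(presented, database):
    """Steps 1 and 2: start from what the client returned (leaf first), then
    back-build from the database until a root is reached or an issuer is
    missing. A single cert (SSL 2.0/PCT) or a chain (SSL 3.0) both work."""
    chain = list(presented)
    while chain and not chain[-1].is_root:
        issuer = database.get(chain[-1].issuer)
        if issuer is None or any(c.subject == issuer.subject for c in chain):
            break  # issuer unknown, or a non-root self-signed cert would loop
        chain.append(issuer)
    return chain


def verify_chain(chain, today):
    """Step 3: verify each certificate starting with the leaf.
    Returns (status, log_messages). "valid" is the guide's value; the
    failure codes and message wording are constructed."""
    if not chain:
        return "none", ["no client certificate presented"]
    for i, cert in enumerate(chain):
        if not (cert.not_before <= today <= cert.not_after):
            return "expired", [f"{cert.subject}: outside validity period"]
        if i > 0 and not (cert.is_ca and cert.key_cert_sign):
            return "invalid", [f"{cert.subject}: not a CA with keyCertSign"]
        if i + 1 < len(chain):
            issuer = chain[i + 1]       # successor in the chain
        elif cert.is_root:
            issuer = cert               # roots are self-signed
        else:
            return "unknown_ca", [f"{cert.subject}: issuer {cert.issuer!r} not in database"]
        if cert.issuer != issuer.subject or cert.signature != sign(cert, issuer.key).signature:
            return "invalid", [f"{cert.subject}: bad signature"]
    return "valid", [f"{chain[0].subject}: chain verified to root {chain[-1].subject}"]


def require_auth(presented, database, today):
    """-requireauth behaviour: anything but "valid" refuses the connection.
    The status is always recorded for HTTPS_CLIENT_STATUS (step 4) and the
    messages are what would be appended to the ELF entry (step 5)."""
    status, messages = verify_chain(build_chain(presented, database), today)
    return {"accepted": status == "valid",
            "env": {"HTTPS_CLIENT_STATUS": status},
            "elf": messages}


# --- constructed sample PKI -------------------------------------------------
ROOT = sign(Cert("Example Root CA", "Example Root CA", 0, 10000, True, True,
                 "root-key", is_root=True), "root-key")
ISSUING = sign(Cert("Example Issuing CA", "Example Root CA", 0, 9000, True, True,
                    "issuing-key"), "root-key")
DATABASE = {c.subject: c for c in (ROOT, ISSUING)}   # the server's certificate database
TODAY = 5000

ALICE = sign(Cert("alice", "Example Issuing CA", 4000, 6000, False, False, "alice-key"), "issuing-key")
EXPIRED = sign(Cert("bob", "Example Issuing CA", 1000, 2000, False, False, "bob-key"), "issuing-key")
FORGED = sign(Cert("mallory", "Example Issuing CA", 4000, 6000, False, False, "mallory-key"), "guessed-key")
STRANGER = sign(Cert("carol", "Other CA", 4000, 6000, False, False, "carol-key"), "other-key")

if __name__ == "__main__":
    for label, presented in [("valid", [ALICE]), ("expired", [EXPIRED]),
                             ("forged", [FORGED]), ("unknown CA", [STRANGER]), ("none", [])]:
        print(label, require_auth(presented, DATABASE, TODAY))
```

The same `require_auth` call also covers the SSL 3.0 case where the client sends the intermediate itself: presenting `[ALICE, ISSUING]` against a database holding only `ROOT` back-builds one step and verifies to the same root.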