If mutual authentication is required, the server and client must authenticate each other to ensure that both can be trusted. By default, EAServer 6.x uses 2002 as the port for this type of SSL connection.
Both the server’s certificate and the client’s certificate must be imported into the Microsoft certificate store on the client computer as described in “Server authentication”.
Private key required for client certificate file

The client’s certificate file must include the private key for the client’s certificate. The server’s certificate file need not include its private key.

Different certificate required for mutual authentication

The server certificate used for mutual authentication cannot be the same as the certificate used for server-only authentication. Make sure you obtain the correct certificate file.
For mutual authentication, the client’s certificate file must be imported into the certificate store on the client computer and it must be available in the file system on the client computer, because it is referenced in the PowerScript code required to connect to EAServer.
Two new key/value pairs in the Options property of the Connection object are used for mutual authentication:
ORBclientCertificateFile is used to specify the file name of the client certificate file.
ORBclientCertificatePassword is used to specify the password that protects the client certificate file, if any. Omit this key if the file is not password-protected.
In the PowerScript connection code, change the EAServer host’s address to a URL that begins with “iiops” and ends with the correct SSL port. The following sample code connects to an EAServer host that requires mutual authentication, and checks the return code of ConnectToServer (0 means success):

Connection myconnect
int rc

myconnect = create Connection
myconnect.Application = "pbtest"
myconnect.Driver = "jaguar"
myconnect.UserID = "admin@system"
myconnect.Password = "sybase"
myconnect.Location = "iiops://mydesktop:2002"
myconnect.Options = "ORBclientCertificateFile='d:\work\sample1.p12',ORBclientCertificatePassword=abc"

rc = myconnect.connecttoserver( )
IF rc <> 0 THEN
    MessageBox("ConnectToServer failed", "Return code: " + String(rc))
END IF

The user password and the certificate password appear as literals here only for illustration. In a deployed application, read them from protected configuration or prompt for them rather than compiling them into the executable.
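Before a connection attempt, it is worth checking that the file named in ORBclientCertificateFile actually satisfies the requirement above (it opens with the supplied password and carries the client's private key), because a certificate-only export fails only at connect time. The following PowerShell script is an added example, not part of the original PowerBuilder or EAServer documentation; the file path is the placeholder from the sample above, and the password is prompted for rather than embedded.

```powershell
# Added example (not from the original documentation).
# Verifies a PKCS#12 client certificate file before it is referenced from PowerScript.
# Assumption: $CertFile is the placeholder path used in the PowerScript sample.
param(
    [string]$CertFile = 'd:\work\sample1.p12'
)

function Test-ClientCertificateFile {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][securestring]$Password
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Certificate file not found: $Path"
    }

    try {
        # The (path, SecureString) constructor parses the PKCS#12 file and
        # loads the private key it contains, if any.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $Path, $Password
    } catch {
        # A wrong password and a corrupt or non-PKCS#12 file both end up here.
        throw "Cannot open $Path with the supplied password: $($_.Exception.GetBaseException().Message)"
    }

    if (-not $cert.HasPrivateKey) {
        # Mutual authentication needs the private key; a certificate-only export is not enough.
        throw "$Path does not contain a private key; re-export the client certificate with its private key."
    }

    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "Client certificate expired on $($cert.NotAfter)"
    }

    # Summary of what EAServer will be presented with.
    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        Thumbprint    = $cert.Thumbprint
    }
}

# Prompt for the password instead of hard-coding it; $pwd is a PowerShell automatic
# variable, so a different name is used.
$certPassword = Read-Host -Prompt "Password for $CertFile" -AsSecureString
Test-ClientCertificateFile -Path $CertFile -Password $certPassword
```

If the script throws, fix the export before touching the PowerScript: the Options string can only point at a file, it cannot make up for a missing key.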
For mutual authentication, PowerBuilder .NET Web Forms applications and .NET Web services that are clients for EAServer require that the ASPNET account on the IIS server have access to the private key of the client certificate. Access to the private key of the server certificate is not required.
Use the Windows HTTP Services Certificate Configuration Tool (WinHttpCertCfg.exe) to configure client certificates. You can download this tool from the Microsoft Download Center.
To grant access rights to the private key of the client certificate for the ASPNET account on the IIS server, type the following commands at a command prompt:
cd C:\Program Files\Windows Resource Kits\Tools
WinHttpCertCfg -g -c LOCAL_MACHINE\MY -s "ABC" -a "ASPNET"

These commands assume that the tool is installed in the default location at C:\Program Files\Windows Resource Kits\Tools and that the client certificate's subject name is “ABC”. The -s argument is equivalent to the Issued To field in the MMC. The ASPNET account is valid for XP computers. You should use the “NetworkService” account for other Windows platforms. For the -c argument, always use “LOCAL_MACHINE\MY” rather than the actual name of the local computer.

For more information about the configuration tool’s options, type WinHttpCertCfg -help at the command prompt. For more information about installing client certificates for Web applications and services, see the Microsoft Help and Support site.
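The two commands above are easy to get wrong on a server with several certificates or when the wrong account is chosen for the platform. The following PowerShell script is an added example, not part of the original documentation or of the WinHttpCertCfg tool: it locates the certificate in LOCAL_MACHINE\MY by its Issued To name, confirms the private key was imported with it, picks ASPNET or NetworkService as the text describes, runs the grant, and then lists the accounts that have access. The tool path, the subject “ABC” and the version test used to recognise Windows XP are assumptions; run it from an elevated prompt on the IIS server.

```powershell
# Added example (not from the original documentation).
# Wraps the documented WinHttpCertCfg.exe command and its preconditions.
# Assumptions: default tool path, certificate Issued To "ABC", XP detected as
# Windows version 5.1.
param(
    [string]$Subject  = 'ABC',
    [string]$ToolPath = 'C:\Program Files\Windows Resource Kits\Tools\WinHttpCertCfg.exe'
)

function Get-WorkerProcessAccount {
    # The text uses ASPNET on XP and NetworkService on other platforms.
    # Assumption: XP is reported as version 5.1; anything newer gets NetworkService.
    $v = [System.Environment]::OSVersion.Version
    if ($v.Major -eq 5 -and $v.Minor -le 1) { 'ASPNET' } else { 'NetworkService' }
}

function Grant-ClientCertificateAccess {
    param(
        [string]$Subject,
        [string]$Account,
        [string]$ToolPath
    )

    if (-not (Test-Path -LiteralPath $ToolPath)) {
        throw "WinHttpCertCfg.exe not found at $ToolPath; download it from the Microsoft Download Center."
    }

    # SimpleName is the common name shown as "Issued To" in the MMC, i.e. what -s expects.
    $simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $found = @(Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.GetNameInfo($simpleName, $false) -eq $Subject })

    if ($found.Count -eq 0) {
        throw "No certificate with Issued To '$Subject' in LOCAL_MACHINE\MY; import the client certificate first."
    }
    if ($found.Count -gt 1) {
        # -s matches by subject string, so an ambiguous name could grant access to the wrong key.
        throw "More than one certificate is issued to '$Subject'; remove the stale ones before granting access."
    }

    $cert = $found[0]
    if (-not $cert.HasPrivateKey) {
        throw "Certificate '$Subject' was imported without its private key; there is nothing to grant access to."
    }

    # The documented grant command. Always LOCAL_MACHINE\MY, never the computer name.
    & $ToolPath -g -c 'LOCAL_MACHINE\MY' -s $Subject -a $Account
    if ($LASTEXITCODE -ne 0) {
        throw "WinHttpCertCfg -g failed with exit code $LASTEXITCODE"
    }

    # -l lists the accounts that now have access to the private key, so the
    # result can be checked without opening the MMC.
    & $ToolPath -l -c 'LOCAL_MACHINE\MY' -s $Subject
}

Grant-ClientCertificateAccess -Subject $Subject -Account (Get-WorkerProcessAccount) -ToolPath $ToolPath
```

If the listing step does not show the expected account, re-run the grant with the account IIS actually uses for the application pool; the script's version test is only a default and does not inspect the pool identity.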