TLS Connection
Establishing a TLS connection
Before sending the HTTP request built in the previous chapter, a secure communication channel has to be established, guaranteeing both that all data is passed encrypted and that the client (your application) and server (running the Web Service API) can be sure of communicating with each other and no one else.
Please note, that only TLS secured communication over standard HTTPS TCP port 443 is accepted.
Both are achieved by establishing a TLS connection with the client and server exchanging certificates.
A certificate identifies a communication party uniquely.
Basically, this process works as follows:
- TLS: The client requests access to www.ipg-online.com
- TLS: The server presents its certificate to the client
- TLS: The client verifies the server’s certificate (optional)
- TLS: The server asks the client for a client certificate
- TLS: The client sends its certificate to the server
- TLS: The server verifies the client’s credentials
- TLS: If successful, the server establishes TLS tunnel to www.ipg-online.com and all the data
exchanged between parties is encrypted. - HTTP: Start HTTP and request the URL part: /ipgapi/services […]
Following this process, your application has to do two things: First, start the communication by sending its client certificate. Second, verify the received server certificate. How this is accomplished differs from platform to platform. However, in order to illustrate the basic concepts, the PHP and ASP scripts started in the previous chapter will be continued by extending them with the relevant statements necessary for setting up a TLS connection.
PHP
Building on the script started in the previous chapter, the parameters which are necessary for establishing an TLS connection with cURL are set in the following statements:
<?php
...
// telling cURL to verify the server certificate:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
// setting the path where cURL can find the certificate to verify the
// received server certificate against:
curl_setopt($ch, CURLOPT_CAINFO, "C:\certs\tlstrust.pem");
// setting the path where cURL can find the client certificate:
curl_setopt($ch, CURLOPT_SSLCERT, "C:\certs\WS101._.007.pem");
// setting the path where cURL can find the client certificate’s
// private key:
curl_setopt($ch, CURLOPT_SSLKEY, "C:\certs\WS101._.007.key");
// setting the key password:
curl_setopt($ch, CURLOPT_SSLKEYPASSWD, "ckp_1193927132");
...
?>
Please note that this script is extended in the next chapter by the statements doing the actual HTTP request.
Using the cURL Command Line Tool
Building on the script started in the previous chapter, the statements which initialize the TLS parameters passed to the cURL command line tool are as follows:
<?php
...
// setting the path where cURL can find the certificate to verify the
// received server certificate against:
$serverCert = " --cacert C:\certs\tlstrust.pem";
// setting the path where cURL can find the client certificate:
$clientCert = " --cert C:\certs\WS101._.007.pem";
// setting the path where cURL can find the client certificate’s
// private key:
$clientKey = " --key C:\certs\WS101._.007.key";
// setting the key password:
$keyPW = " --pass ckp_1193927132";
...
?>
Please note that this script is extended in the next chapter by the statements doing the actual HTTP request.
ASP
For making the above TLS initialization process work, ASP requires both the client and the server certificate to be present in certificate stores.
In other words, before ASP can communicate via TLS, both certificates have to be installed first. The following steps which assume ASP running on Microsoft IIS 5.1 under Windows XP, will guide you through this set up process:
1. Click Start, click Run..., type mmc and click OK. |
2. Open the File menu, select Add/Remove Snap-In. |
3. Click Add. |
4. Under Snap-In choose Certificates and click Add. |
5. You will be prompted to select the account for which you want to manage the certificates. Since IIS uses the computer account, choose Computer Account and click Next. |
6. Choose Local Computer _and click Finish_. |
7. Click Close and then OK. |
8. Expand the Certificates (Local Computer) tree - the client certificate will be installed in the Personal folder. |
9. Therefore, right click the Certificates folder, select All Tasks, click Import... – this will open the Certificate Import Wizard. |
10. Click Next. Choose your client certificate p12 file and click Next. |
11. Provide the client certificate installation password and click Next. |
12. Select Place all certificates in the following store and browse for the Personal folder if not yet displayed. Click Next. |
13. Check the displayed settings and click Finish. Your client certificate is now installed in the local computer’s personal certificates store. Here, IIS (running ASP) can lookup the client certificate when communicating with another server via HTTP. |
14. Now, the server certificate has to be installed in the Trusted Root Certification Authorities store. The certificates in this store are used for verification whenever receiving a certificate from a server. That means the Web Service API server certificate has to be installed here. In this way, IIS is able to verify the server certificate received when contacting the Web Service. Therefore, choose Trusted Root Certification Authorities from the Certificates (Local Computer) tree open the sub folder Certificates. |
15. Right click the Certificates folder, select All Tasks, click Import... – this will open the Certificate Import Wizard again. |
16. Click Next. Choose the Trust Anchor PKCS#7 file and click Next. |
17. Select Place all certificates in the following store and browse for the Trusted Root Certification Authorities folder if not yet displayed. You should trust all client certificates listed to establish a trusted connection to the server. Click Next. |
18. Check the displayed settings and click Finish. The server certificate is now installed in the local computer’s trusted certificates store. Here, IIS can lookup the server certificate for verification against the Web Service API server certificate received during the TLS setup process. |
After installing both certificates one could assume that the environment allowing ASP to communicate via TLS is set up. However, there is still one thing which makes the communication fail: IIS – running your ASP – has a Windows user which does not have the necessary rights to access the client certificate private key. Although accessing the private key is not really necessary for establishing the TLS connection to the Gateway, the IIS user needs access rights for running the authentication process in ASP.
For granting rights to a user, Microsoft provides the WinHttpCertCfg.exe tool you can download for free under:
After installing the tool, open a command prompt, switch to the directory where you have installed the tool, and type in the following line for granting access to the IIS user:
winhttpcertcfg -g -c LOCAL_MACHINE\\My -s WS101._.007 -a IWAM_MyMachine
LOCALMACHINE\My determines the key store where the personal certificates for the local machine account are stored. After installing the client certificate in the personal certificates store as described above, the client certificate can be found under this path, so there is no need to provide another path.
WS101._.007 is the name of the client certificate. You have to adapt this name to the name of your client certificate. Therefore, check the name displayed for the client certificate in the mmc console after installing it as described above. Finally, IWAM_MyMachine denotes the IIS user name.
Please note that IIS 5.1 uses IWAM_MachineName by default.
That means if your machine has the name IISServerMachine, the IIS user will be called IWAM_IISServerMachine. Note that other IIS versions might use a different naming scheme.
If you do not know your machine name or IIS user name, check the IIS documentation and contact your administrator.
Now you are ready to use TLS in your ASP code. The code extending the ASP script started in the previous chapter is reduced to only one additional statement which tells WinHTTP which client certificate to send (and where to find it) when contacting the Gateway:
<%@ language="javascript"%>
<html>...<body>
<%
...
// setting the path where the client certificate to send can be found:
request.setClientCertificate("LOCAL_MACHINE\\My\\WS101._.007");
...
%>
</body></html>
Please note that if you use VB Script, the code looks almost the same – however, do not forget to replace the doubled backslashes in the path with single ones (i.e. the path to the certificate would be "LOCALMACHINE\My\WS101..007" instead).
This script is extended in the next chapter by the statements doing the actual HTTP request.
Updated about 2 months ago