Configure Client Verification for TLS

To enable client verification, set verify_client=yes in the assignment files of both the TLS server and the TLS clients, and specify the client certificate and its key in the TLS client assignment file. To configure peer name verification, also set verify_client_name in the TLS server assignment file.

Note: Client verification is only possible in combination with server verification. Verifying the client but not the server is invalid.

A TLS client can be a shared Uniface Server or a Uniface client application. However, if the Uniface Router and servers are running on the same host and communicating via TCP, only Uniface client applications need their own client certificate, with the Uniface Router acting as the TLS server.

Client certificates are signed by a trusted CA. In the following assignment files, the server and the clients use different certificates, each verified against a trusted CA certificate:

  1. Edit the TLS server assignment file, in this case urouter.asn.

    Set verify_client=yes and, in the ca_certificate parameter, specify the CA certificate file used to verify the client's certificate.

    For example:

    ;urouter.asn
    [DRIVER_SETTINGS]
    USYS$TLS_PARAMS verify_server=yes, %\
     server_certificate=D:\certificates\server.crt, %\
     server_key=D:\certificates\server.key, %\
     server_key_password=sk_pa5sWord, %\
     verify_client=yes, verify_client_name=no, %\
     ca_certificate=ca_clients.crt

    [SERVERS]
    default = D:\uniface\common\bin\userver.exe /altnet /dnp=TCP:localhost+13001 /asn=.\server.asn

  2. Edit the TLS client assignment files, in this case myapp.asn:
    1. Set the option verify_client=yes.
    2. Specify the client's peer certificate using the client_certificate parameter, and the key using the client_key parameter. If the key file is password protected, specify the password using the client_key_password option.

      For example:

      [DRIVER_SETTINGS]
      USYS$TLS_PARAMS verify_server=yes, %\
       ca_certificate=ca_server.crt, %\
       verify_client=yes, %\
       client_certificate=D:\certificates\client.crt, %\
       client_key=D:\certificates\client.key, %\
       client_key_password=ck_pas5Word
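The two assignment files above declare who presents which certificate and which CA verifies it; the handshakes that result are easier to reason about in working code. The following Go program is an added example for this page, not Uniface code and not how the Uniface Router implements USYS$TLS_PARAMS. It uses Go's crypto/tls and generates a server CA, a client CA and the leaf certificates in memory (the names ca-server, ca-clients, ca-untrusted, urouter.example, myapp.example and otherapp.example are assumptions of the example), then stands in Go's RequireAndVerifyClientCert with a ClientCAs pool for verify_client=yes plus ca_certificate, a VerifyConnection name check for verify_client_name=yes, and RootCAs for verify_server=yes on the client. It runs five handshakes over a loopback TCP connection to show which clients the server accepts and which it rejects.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must(err error) { if err != nil { panic(err) } }
func poolOf(ca *x509.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(ca); return p }

// issue creates a P-256 certificate named cn for server and client authentication: a self-signed CA
// when parent == nil (the role of ca_clients.crt / ca_server.crt), otherwise one signed by that parent.
// Everything is generated in memory for this example; nothing is read from certificate files.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is given
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	leaf, _ := x509.ParseCertificate(der) // cannot fail: der was produced by CreateCertificate
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, key
}

// handshake runs one TLS handshake over a loopback TCP connection and returns what the client
// sees: nil when the server accepted its certificate, otherwise the error or the server's alert.
func handshake(serverCfg, clientCfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer ln.Close()
	go func() { // server side: a failed client check makes Handshake send the matching alert and fail
		raw, err := ln.Accept()
		must(err)
		defer raw.Close()
		s := tls.Server(raw, serverCfg)
		if s.Handshake() == nil {
			s.Write([]byte("ok")) // reached only when the client passed every check
		}
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	must(err)
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	c := tls.Client(raw, clientCfg)
	if err := c.Handshake(); err != nil {
		return err // the client rejected the server certificate (verify_server) or the server aborted early
	}
	_, err = c.Read(make([]byte, 2)) // in TLS 1.3 the server's verdict on the client certificate arrives here
	return err
}

// Scenarios runs the handshakes an administrator should expect after the steps above.
func Scenarios() map[string]error {
	_, serverCA, serverCAKey := issue("ca-server", nil, nil)
	_, clientCA, clientCAKey := issue("ca-clients", nil, nil)
	_, otherCA, otherCAKey := issue("ca-untrusted", nil, nil)
	srv, _, _ := issue("urouter.example", serverCA, serverCAKey)
	cli, _, _ := issue("myapp.example", clientCA, clientCAKey)
	other, _, _ := issue("myapp.example", otherCA, otherCAKey)        // right name, CA not in ca_certificate
	renamed, _, _ := issue("otherapp.example", clientCA, clientCAKey) // trusted CA, different peer name
	// urouter.asn: server_certificate/server_key, verify_client=yes, ca_certificate=ca_clients.crt
	server := &tls.Config{Certificates: []tls.Certificate{srv}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: poolOf(clientCA)}
	// verify_client_name=yes: the chain check above plus a check that the certificate names the expected peer
	named := server.Clone()
	named.VerifyConnection = func(cs tls.ConnectionState) error { return cs.PeerCertificates[0].VerifyHostname("myapp.example") }
	// myapp.asn: verify_server=yes with ca_certificate=ca_server.crt, plus client_certificate/client_key
	client := func(c *tls.Certificate) *tls.Config {
		cfg := &tls.Config{RootCAs: poolOf(serverCA), ServerName: "urouter.example"}
		if c != nil {
			cfg.Certificates = []tls.Certificate{*c}
		}
		return cfg
	}
	return map[string]error{
		"trusted client certificate":           handshake(server, client(&cli)),
		"client sends no certificate":          handshake(server, client(nil)),
		"client certificate from untrusted CA": handshake(server, client(&other)),
		"name check, expected peer name":       handshake(named, client(&cli)),
		"name check, unexpected peer name":     handshake(named, client(&renamed)),
	}
}

func main() { for n, err := range Scenarios() { fmt.Println(n, "->", err) } }
```

Running the program prints one line per scenario. Only the trusted certificate, with or without the name check, yields nil; a missing certificate, a certificate from a CA that is not in the server's CA pool, and a trusted certificate carrying an unexpected peer name are all rejected. Because Go negotiates TLS 1.3 here, the client finishes its side of the handshake before the server has examined the client certificate, so the rejection reaches the client on its first read after Handshake rather than from Handshake itself; that is why the example reads the server's reply.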