HACP & HATS User Group - Group home

TLS Client Authentication in HACP EE


Abstract

To prevent potential security violations while a connection with the server is being established, client authentication is carried out during the TLS handshake, before any application data is transmitted in the TLS session. The client presents its certificate during the handshake so that the server can determine whether a valid client is connecting. The path to the client certificate is provided either when configuring the session properties in the Deployment wizard or when establishing a connection to the session.


Description

The following options are used to decide how Client Authentication is handled:

  • Send Certificate: Enables Client Authentication. When it is selected, a certificate request pop-up is displayed while connecting to a session. When it is not selected and the server requests a client certificate, the server is told that no client certificate is available and the user is not prompted.
  • Enable Key Usage: A key requirement for any solution is that the client can automatically recognize and use the correct authentication certificate; this option enables the key usage checks configured under Key Usage.
  • Key Usage: This button opens a pop-up that lists all the defined Object ID (OID) key usages. The following tabs are available:
    1. Key Usage: The user chooses which bits must be set in the Key Usage certificate extension for a client certificate to be eligible for use in a client authentication session.
    2. Extended Key Usage: The user chooses which bits must be set in the Extended Key Usage certificate extension for a client certificate to be eligible for use in a client authentication session.
    3. Custom Key Usage: The user can add or delete further description and OID pairs.
  • How often to prompt: This drop-down box lets users control how often they are prompted for a client certificate.
    1. First time: Prompts the client the first time a connection is made for that session.
    2. On each connection: Prompts the client each time a connection is made to the server.
    3. Only once for each certificate: Prompts the client the first time a connection is made. (A client with multiple sessions set to this option receives only one prompt, regardless of the number of sessions started, if the same certificate applies to those sessions. However, if a connection attempt fails, the client receives another prompt.)
  • Certificate request pop-up: This pop-up lets users provide the client certificate and its password, and choose how often to prompt. When client authentication is enabled, it is displayed before a session starts.
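As an added example (not HACP's own code) of the eligibility filter that the Key Usage, Extended Key Usage and Custom Key Usage tabs configure: a policy of required Key Usage bits, Extended Key Usage values and custom OIDs is applied to a parsed X.509 certificate, and a certificate is offered only when every requirement is met. The KeyUsagePolicy type, the SelfSigned helper and the constructed test certificates are assumptions for illustration.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/asn1"
	"math/big"
	"slices"
	"time"
)
// KeyUsagePolicy mirrors the three Key Usage tabs: Key Usage bits, Extended Key
// Usage values and custom EKU OIDs a certificate must carry (hypothetical type).
type KeyUsagePolicy struct {
	RequiredKeyUsage x509.KeyUsage
	RequiredEKU      []x509.ExtKeyUsage
	CustomOIDs       []asn1.ObjectIdentifier // non-standard OIDs land in UnknownExtKeyUsage
}
// Eligible reports whether c may be offered for client authentication.
func (p KeyUsagePolicy) Eligible(c *x509.Certificate) bool {
	for _, want := range p.RequiredEKU {
		if !slices.Contains(c.ExtKeyUsage, want) {
			return false
		}
	}
	for _, want := range p.CustomOIDs {
		if !slices.ContainsFunc(c.UnknownExtKeyUsage, want.Equal) {
			return false
		}
	}
	// Every required Key Usage bit must be set; extra bits are allowed.
	return c.KeyUsage&p.RequiredKeyUsage == p.RequiredKeyUsage
}
// SelfSigned mints and re-parses a throwaway certificate (constructed test data).
func SelfSigned(ku x509.KeyUsage, eku []x509.ExtKeyUsage, custom []asn1.ObjectIdentifier) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), KeyUsage: ku,
		ExtKeyUsage: eku, UnknownExtKeyUsage: custom,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

A certificate that carries only serverAuth, or lacks a configured custom OID, is filtered out before the user is ever prompted, which is the behaviour the Enable Key Usage option is meant to give.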

Author:
Divya V