Help using SSL with REST service and basic_OERealm authentic

Posted by dhubbuck on 14-Jan-2014 08:40

Hi

I have been investigating the various methods of authentication when using Tomcat and the OE REST services.  I managed to get a customised version of the OEHybridRealm working using an appserver to authenticate users against tables within our database.  This all worked fine.

The next step was to make use of SSL so I decided to configure SSL on Tomcat and on the Appserver using my own self-signed certificate and the Progress supplied default_server certificate.  I can get each part working individually with SSL.  E.g. Tomcat works with SSL and the Appserver works with SSL, but when using the basic_oerealm spring security model I hit issues.

I have changed the following OERealmUserDetails properties:

            <b:property name="realmURL" value="AppServerS://localhost:5162/restbroker1" />

            <b:property name="realmClass" value="OpenEdge.Security.Realm.OERealmSM2" />

Is the nohostverify property getting in the way?

Maybe I'm being over the top with SSL on both Tomcat and the Appserver.  Has anyone tried this kind of setup?

Thanks

Dale


All Replies

Posted by David Cleary on 14-Jan-2014 10:17

Host verification could very well be the issue since SSL will verify the host name against the certificate by default. Others may be able to help you with that. However, I just wanted to point out Digest authentication mode with the OE Hybrid realm. This will ensure the password is never sent over the wire and can be used instead of SSL.

Posted by dhubbuck on 14-Jan-2014 15:31

Hi Dave

Thanks for the reply.  I have changed the realmPwdAlg property to 1 to make use of the digest mode.  The OE Hybrid class contains a method with a signature to handle the userid, digest, nonce and timestamp.

I get the following message in the log file for the REST service: "Bad authentication method".  It's fine if I change the realmPwdAlg back to 0.

Do I need to add more parameters within the basic_oerealm.xml file to configure the digest authentication mode?

Thanks

Posted by Michael Jacobs on 15-Jan-2014 15:27

The password algorithm ID is:

  0    clear-text

  3    HTTP Digest

We know the SSL connection for OERealm needs some enhancements to be simpler to use.  It is on our list.

Note: The Digest method does require that your AppServer ABL code has access to the account's clear-text password.

Posted by dhubbuck on 16-Jan-2014 04:43

Thanks.  Changing the password algorithm worked.  Does the documentation need changing or is 1 only used for BPM?

For testing we will store our own encrypted password that we can decrypt to build a comparison digest with.

Thanks for the info
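The two replies above make a point worth seeing in code: in digest mode the realm method receives (userid, digest, nonce, timestamp) and must recompute the digest itself, which is why the ABL side needs the clear-text (or reversibly decryptable) password rather than a one-way hash. The following is an added illustration, not code from this thread or from Progress; the digest construction (HMAC-SHA256 keyed by the password over userid, nonce and timestamp) and the account store are assumptions standing in for the real OERealm format, while the freshness, replay and constant-time checks are what any such verifier should do.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300  # reject requests whose timestamp is older than this

# Constructed sample account store: userid -> clear-text password.
# As the thread notes, the realm code needs the clear-text password to
# rebuild the digest; a stored one-way hash would not be enough.
ACCOUNTS = {"dale": "s3cret-password"}


def compute_digest(password, userid, nonce, timestamp):
    """Hypothetical digest: HMAC-SHA256 keyed by the password over
    userid|nonce|timestamp. This is NOT the OERealm/Spring digest format,
    only a stand-in that uses the same inputs the thread names."""
    msg = "|".join([userid, nonce, str(timestamp)]).encode()
    return hmac.new(password.encode(), msg, hashlib.sha256).hexdigest()


def verify_digest(userid, digest, nonce, timestamp, seen_nonces, now=None):
    """Server-side check mirroring the realm method's (userid, digest, nonce,
    timestamp) signature. Returns True only if the account exists, the
    timestamp is fresh, the nonce has not been seen before and the digest
    matches; the comparison is constant-time to avoid leaking the digest."""
    now = time.time() if now is None else now
    password = ACCOUNTS.get(userid)
    if password is None:
        return False
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False  # stale request, even if the digest would match
    if nonce in seen_nonces:
        return False  # replay of a previously accepted request
    expected = compute_digest(password, userid, nonce, timestamp)
    if not hmac.compare_digest(expected, digest):
        return False
    seen_nonces.add(nonce)  # remember the nonce only after a successful check
    return True
```

Note that the password itself never crosses the wire in this scheme, only the digest, which is the property David Cleary's reply refers to.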
