SSL/TLS Peer Authentication

Overview

The SSL/TLS protocol utilizes X.509 certificates to perform peer authentication. For example, a Universal Command Manager may want to authenticate that it is connected to the correct Universal Broker.

Peer authentication is performed by either one or both of the programs involved in the network session. If a Manager wants to authenticate the Broker to which it connects, the Broker will send its certificate to the Manager for the Manager to authenticate. If the Broker wants to authenticate the Manager, the Manager sends its certificate to the Broker.

Certificate authentication is performed in the following steps:

  1. Check that the peer certificate is issued by a trusted CA.
  2. Check that the certificate has not been revoked by the CA.
  3. Check that the certificate identifies the intended peer.

If a step fails, the network session is terminated immediately.

Certificate Verification

The Universal Agent component must be configured with a list of trusted CA certificates. When a peer certificate is received, the trusted CA certificates are used to verify that the peer certificate was issued by one of the trusted CAs.

The trusted CA certificate list must be properly secured so that only authorized accounts have update access to it. If the trusted CA list is compromised, an untrusted CA certificate may have been added to it, and any peer certificate issued by that CA would then pass verification.

The CA certificate list configuration option is CA_CERTIFICATES. It specifies a PEM-formatted file that contains one or more CA certificates used for verification.

Should a peer certificate not be signed by a trusted CA, the session is immediately terminated.

Certificate Revocation

After a certificate is verified to have come from a trusted CA, the next step is to check whether the CA has revoked it. Since a certificate is held by the entity it identifies, a CA cannot take a certificate back once it has been issued. If a CA needs to revoke a certificate for some reason, it instead publishes a list of revoked certificates, the Certificate Revocation List (CRL). A program that validates certificates must have access to the latest CRL issued by the CA.

The CERTIFICATE_REVOCATION_LIST configuration option specifies the PEM-formatted file that contains the CRL. This option is available in all Universal Agent components that utilize certificates.

Certificate Identification

After a certificate is validated as being issued by a trusted CA, and has not been revoked by the CA, the next step is to check that it identifies the intended peer.

A Universal Agent Manager validates a Broker certificate by the Broker host name, IP address, or the certificate serial number. The VERIFY_HOST_NAME configuration option is used to specify the host name or IP address that is identified in the Broker certificate. Each certificate signed by a CA must have a unique serial number for that CA. The VERIFY_SERIAL_NUMBER option is used to specify the serial number in the Broker certificate.

If certificate identification fails, the session is immediately terminated.

Universal Brokers work differently than the Managers. A Broker maps a peer certificate to a certificate ID. The certificate map definitions are part of the Universal Access Control List (UACL) definitions. The certificate ID is then used by the UACL definitions to control access to Broker and Server services.

Certificate Support

Many certificate authority applications, also known as Public Key Infrastructure (PKI) applications, are available. Universal Agent should be able to utilize any certificate in a PEM-formatted file. PEM (Privacy Enhanced Mail) is a common text file format used for certificates, private keys, and CA lists.

Universal Agent supports X.509 version 1 and version 3 certificates.

Although implementing a fully featured PKI infrastructure is beyond the scope of Universal Agent and this documentation, some assistance is provided using the OpenSSL toolkit.

Universal Agent on most of the supported platforms utilizes the OpenSSL toolkit for its SSL/TLS and certificate implementation. OpenSSL is delivered with most UNIX and Windows distributions and is also available from the OpenSSL website.

Universal Agent supports z/OS System SSL on the IBM z/OS operating system as well as OpenSSL. System SSL interfaces directly with the RACF security product for certificate access. All CA and user certificates, and their private keys, must be stored in the RACF database in order to use System SSL.

The Universal Agent suite includes an X.509 certificate utility, Universal Certificate, to create certificates for use in the Universal Agent suite.

Sample Set-up for Universal Command Peer Authentication of Universal Broker

Step 1

Create a Self-Signed CA Request:
 
ucert -create request -request_file ca_req.pem -private_key_file ca_pkey.pem -country US -state GA -locality Alpharetta -organization Stonebranch -common_name Stonebranch

Step 2

Create a CA Certificate:
 
ucert -create cert -request_file ca_req.pem -private_key_file ca_pkey.pem -cert_file ca_cert.pem -ca yes -not_after_date +3650

Step 3

Create a Server Certificate Request:
 
ucert -create request -request_file ubr1_req.pem -private_key_file ubr1_pkey.pem -country US -state GA -locality Alpharetta -organization Stonebranch -common_name "l64agent"

Step 4

Create a Server Certificate:
 
ucert -create cert -ca_cert_file ca_cert.pem -request_file ubr1_req.pem -private_key_file ca_pkey.pem -cert_file ubr1_cert.pem -not_after_date +3650

Step 5

The following files are generated in Steps 1 - 4:

  • CA PKEY = ca_pkey.pem
  • CA CERT = ca_cert.pem
  • Server PKEY = ubr1_pkey.pem
  • Server CERT = ubr1_cert.pem

Step 6

Add Server CERT and PKEY to the target ubroker.conf:

  • certificate /home/test/ubr1_cert.pem
  • private_key /home/test/ubr1_pkey.pem

Step 7

Copy ca_cert.pem to the source server.

Step 8

Run the following command from the source server to test:
 
/opt/universal/bin/ucmd -host l64agent -userid test -pwd xxx -cmd "pwd" -level info -verify_host_name yes -ca_certs /home/test/ca_cert.pem

Step 9

Use Universal Certificate to print the certificate and verify the certificate serial number:
 
ucert -print cert -cert_file ubr1_cert.pem
 
See Certificate, below.

Step 10

Run the following command from the source server to test:
 
/opt/universal/bin/ucmd -host l64agent -userid test -pwd xxx -cmd "pwd" -level info -verify_host_name yes -ca_certs /home/test/ca_cert.pem -verify_serial_number 0x28c91a7fb2f26649
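The identification step described under Certificate Identification, and exercised in Steps 9 and 10 above, compares the serial number configured in VERIFY_SERIAL_NUMBER against the serial in the Broker certificate. The following Python example is added here and is not Universal Agent or Stonebranch code: it extracts the serial from a PEM certificate with a minimal DER walk and compares it to a configured value in the same hexadecimal form ucert prints. The certificate it parses is a constructed fragment containing only the leading fields (enough to reach serialNumber), and the serial value is the one from Step 10.

```python
import base64
import re

# Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
#   version [0] EXPLICIT INTEGER OPTIONAL, serialNumber INTEGER, ... }, ... }

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def pem_to_der(pem_text):
    """Strip the PEM armour and base64-decode the certificate body."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return base64.b64decode("".join(body.group(1).split()))

def certificate_serial(der):
    """Return the serialNumber as an int; works for v1 (no [0] tag) and v3 certificates."""
    tag, pos, _ = _read_tlv(der, 0)           # outer Certificate SEQUENCE
    tag, pos, _ = _read_tlv(der, pos)         # tbsCertificate SEQUENCE
    tag, start, end = _read_tlv(der, pos)
    if tag == 0xA0:                           # [0] EXPLICIT version present: skip it
        tag, start, end = _read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber, got tag 0x%02x" % tag)
    return int.from_bytes(der[start:end], "big", signed=True)   # DER INTEGER is two's complement

def serial_matches(der, configured):
    """Compare the certificate serial with a VERIFY_SERIAL_NUMBER value (hex, '0x' prefix and case optional)."""
    text = configured.strip().lower()
    expected = int(text[2:] if text.startswith("0x") else text, 16)
    return certificate_serial(der) == expected

def _der(tag, payload):
    """Encode one DER element with a minimal-length field."""
    n = len(payload)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big") if n >= 128 else b""
    return bytes([tag]) + (bytes([0x80 | len(lb)]) + lb if lb else bytes([n])) + payload

def build_sample_cert_pem(serial, v3=True):
    """CONSTRUCTED sample: leading fields of a certificate only, not a real signed certificate."""
    sbytes = serial.to_bytes((serial.bit_length() + 8) // 8, "big")   # leading zero keeps it positive
    tbs = (_der(0xA0, _der(0x02, b"\x02")) if v3 else b"") + _der(0x02, sbytes) + _der(0x30, b"")
    cert = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"
```

In a real deployment the PEM text would be read from ubr1_cert.pem rather than built by build_sample_cert_pem.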

Certificate