cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Community Tip - Want the oppurtunity to discuss enhancements to PTC products? Join a working group! X

Client certificate authentication using EMS on Raspberry Pi

aricci
1-Newbie
1-Newbie
‎Jun 01, 2017 09:24 AM
‎Jun 01, 2017 09:24 AM

Client certificate authentication using EMS on Raspberry Pi

Can someone assist me in reviewing my client auth settings?

- I set up tomcat to perform a client auth,

- I have a client certificate and referenced it within the config.json however it appears that the EMS is passing some other certificate other than mine. which appears to be a default certificate from thingworx which is not in the defined config file.  The reference keystore only contains my client certificate.

If I try to connect to foundation server with a browser, I am prompted correctly and am able to authenticate to composer.

config.json:

{

  "ws_servers": [{

  "host": "XXXXXXXX",

  "port": 8443

  }],

  "appKey": "XXXXXX",

      "certificates": {

      "validate": true,

      "client_cert": "/home/pi/ems/microserver/keystore/client.cer",

      "cert_chain": [ "/home/pi/ems/microserver/keystore/CA.cer" ],

      "key_file":  "/home/pi/ems/microserver/keystore/keyenc.pem",

      "key_passphrase": "XXXXXX"

  },

  "http_server":  {

  "host": "127.0.0.1",

  "port": 9080

  },

     "logger":   {

         "level":    "TRACE"

     },

     "auto_bind":    [{

             "name": "RedPi",

             "gateway":  false

         }],

     "ws_connection":    {

         "encryption":   "SSL",

         "verbose":  true,

         "msg_timeout":  1000

    }

}

This is from wireshark, this is the certificate that is being passed to the server as the client certificate with my request:

(id-at-commonName=MicroServer,id-at-organizationalUnitName=Edge,id-at-organizationName=ThingWorx,id-at-localityName=Exton,id-at-stateOrProvinceName=Pennsylvania,id-at-countryName=US)

Labels:
0 Kudos
Notify Moderator
1 REPLY 1
aricci
1-Newbie
1-Newbie
(To:aricci)
‎Jun 01, 2017 10:52 AM
‎Jun 01, 2017 10:52 AM

Ok, based on the Edge MicroServer documentation, I need the WSEMS-fips download.  How can I get that.  I signed up and have a basic account.  The only download link I can find is within the RASPBERRY QUICKSTART.  Any assistance would be great.

"Two versions of the WS EMS distribution are available. One has a built-in AxTLS library for secure connections. The other provides the OpenSSL toolkit and FIPS module and has -fips in the name of the distribution file.

It is important to note that the AxTLS library does not support client authentication when it is used in a client-side application (i.e., for an edge device).

It does support it when used in a server-side application. If you require client authentication for the WS EMS, you must use the WS EMS distribution that contains the OpenSSL libraries instead of the one with the AxTLS library. The currently supported version of OpenSSL is 1.0.1h. The use of OpenSSL with the WS EMS works on Windows platforms only at this time. It does not work on Linux platforms."

0 Kudos
Notify Moderator
Top Tags