1 Reply Latest reply on Jun 1, 2017 10:52 AM by aricci RSS
    aricci Newbie

    Client certificate authentication using EMS on Raspberry Pi

    Can someone assist me in reviewing my client auth settings?

    - I set up tomcat to perform a client auth,

    - I have a client certificate and referenced it within the config.json however it appears that the EMS is passing some other certificate other than mine. which appears to be a default certificate from thingworx which is not in the defined config file.  The reference keystore only contains my client certificate.

     

    If I try to connect to foundation server with a browser, I am prompted correctly and am able to authenticate to composer.

     

    config.json:

    {

      "ws_servers": [{

      "host": "XXXXXXXX",

      "port": 8443

      }],

     

      "appKey": "XXXXXX",

          "certificates": {

          "validate": true,

          "client_cert": "/home/pi/ems/microserver/keystore/client.cer",

          "cert_chain": [ "/home/pi/ems/microserver/keystore/CA.cer" ],

          "key_file":  "/home/pi/ems/microserver/keystore/keyenc.pem",

          "key_passphrase": "XXXXXX"

      },

     

      "http_server":  {

      "host": "127.0.0.1",

      "port": 9080

     

      },

         "logger":   {

             "level":    "TRACE"

         },

         "auto_bind":    [{

                 "name": "RedPi",

                 "gateway":  false

             }],

     

         "ws_connection":    {

             "encryption":   "SSL",

             "verbose":  true,

             "msg_timeout":  1000

        }

    }

     

    This is from wireshark, this is the certificate that is being passed to the server as the client certificate with my request:

    (id-at-commonName=MicroServer,id-at-organizationalUnitName=Edge,id-at-organizationName=ThingWorx,id-at-localityName=Exton,id-at-stateOrProvinceName=Pennsylvania,id-at-countryName=US)

      • Re: Client certificate authentication using EMS on Raspberry Pi
        aricci Newbie

        Ok, based on the Edge MicroServer documentation, I need the WSEMS-fips download.  How can I get that.  I signed up and have a basic account.  The only download link I can find is within the RASPBERRY QUICKSTART.  Any assistance would be great.

         

         

        "Two versions of the WS EMS distribution are available. One has a built-in AxTLS library for secure connections. The other provides the OpenSSL toolkit and FIPS module and has -fips in the name of the distribution file.

         

        It is important to note that the AxTLS library does not support client authentication when it is used in a client-side application (i.e., for an edge device).

         

        It does support it when used in a server-side application. If you require client authentication for the WS EMS, you must use the WS EMS distribution that contains the OpenSSL libraries instead of the one with the AxTLS library. The currently supported version of OpenSSL is 1.0.1h. The use of OpenSSL with the WS EMS works on Windows platforms only at this time. It does not work on Linux platforms."