Sun Java System Web Server 6.1 SP12 Administrator's Configuration File Reference

get-client-cert

Applicable in PathCheck-class directives.

The get-client-cert function gets the authenticated client certificate from the SSL3 session. It can apply to all HTTP methods, or only to those that match a specified pattern. It only works when SSL is enabled on the server.

If the certificate is present or obtained from the SSL3 session, the function returns REQ_NOACTION, allowing the request to proceed; otherwise, it returns REQ_ABORTED and sets the protocol status to 403 FORBIDDEN, causing the request to fail and the client to be given the FORBIDDEN status.

Parameters

The following table describes parameters for the get-client-cert function.

Table 4–24 get-client-cert Parameters

Parameter  

Description  

dorequest

Controls whether to actually try to get the certificate, or just test for its presence. If dorequest is absent, the default value is 0.

  • 1 tells the function to redo the SSL3 handshake to get a client certificate, if the server does not already have the client certificate. This typically causes the client to present a dialog box to the user to select a client certificate. The server may already have the client certificate if it was requested on the initial handshake, or if a cached SSL session has been resumed.

  • 0 tells the function not to redo the SSL3 handshake if the server does not already have the client certificate.

    If a certificate is obtained from the client and verified successfully by the server, the ASCII base64 encoding of the DER-encoded X.509 certificate is placed in the parameter auth-cert in the Request->vars pblock, and the function returns REQ_PROCEED, allowing the request to proceed.

require

Controls whether failure to get a client certificate will abort the HTTP request. If require is absent, the default value is 1.

  • 1 tells the function to abort the HTTP request if the client certificate is not present after dorequest is handled. In this case, the HTTP status is set to PROTOCOL_FORBIDDEN, and the function returns REQ_ABORTED.

  • 0 tells the function to return REQ_NOACTION if the client certificate is not present after dorequest is handled.

method

(Optional) Specifies a wildcard pattern for the HTTP methods for which the function will be applied. If method is absent, the function is applied to all requests.

bucket

(Optional) Common to all obj.conf functions.

Example

# Get the client certificate from the session. 
# If a certificate is not already associated with the
# session, request one.
# The request fails if the client does not present a 
# valid certificate.PathCheck fn="get-client-cert" dorequest="1"