Advanced Security: Two-Way Authentication in SBM Composer

over 6 years ago

Composer has long supported secure communication with the Application Repository with the Use secure connection option on the Repository tab of the SBM Composer Options dialog. When you use this setting, you can be sure the server you are connecting to is the server you expect it to be, and all subsequent communications between Composer and the server are encrypted to ensure privacy.

While this prevents a so-called man-in-the-middle attack and assures the client that the server is authentic, the reverse is not true: the only thing that ensures the client is who it claims to be is the username and password sent to the server.

Two-Way Authentication

In highly secure environments, the Application Repository needs to know not only that the user connecting to it is who they claim to be, but that the client machine on which Composer is installed is authenticated as legitimate. To address this requirement, in SBM 10.1.4 we added support for 2-way authentication in Composer, whereby the server can prevent any machine from connecting to it unless it is already trusted.

Two-way authentication is a mechanism where the client machine (Composer) holds its own certificate, and uses that certificate's private key to digitally sign data that it sends to the server during the connection handshake.  The server has the corresponding public certificate installed, and uses it to verify that signature, proving that the client is who it claims to be (since no-one without the private key can produce a signature that verifies against the public certificate).

Setting up two-way authentication is somewhat involved, requiring changes to both the client and the server machines.  It is a relatively unusual use case, with most customers not wanting or needing it, and it is a one-time configuration for both the client and the server. Because we didn't want to expose the ordinary Composer user to any more complexity than absolutely required, options related to two-way authentication are completely hidden unless specific steps are taken.

Enabling Two-Way Authentication in Composer

You can use a command line option on the Composer executable to bring up the Client Certificate Administration for SBM Composer dialog box.  Open a command prompt, navigate to the folder containing Serena.Studio.Shell.Application.exe (by default /Program Files/Serena/SBM/Composer) and launch the application with the /ClientSideSSLSetup flag as follows:

Serena.Studio.Shell.Application /ClientSideSSLSetup

This brings up a special configuration dialog:

The main purpose of this dialog is to designate one or more self-signed certificates in your login's personal certificate store as available for use as a client-side certificate for two-way authentication on the Repository tab of the Composer Settings dialog.  To simplify matters for the administrator setting this up, it also supports commands to create new certificates, delete existing ones, and import and export certificates from your local certificate store.  (Note that this dialog was changed in a later release: a new tab has been added for Smart Card authentication support.)

Of course, for this to work, you must make sure the server side has SSL enabled and the public certificate corresponding to the private self-signed certificate installed on it.  See the SBM Configurator help for details on how to do this.
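The steps above are performed through the Composer dialog; as an added illustration (not Composer's own code, and not from the SBM documentation), the following PowerShell shows the equivalent operations on the Windows certificate store: create a self-signed certificate with a private key intended for client authentication in the current user's Personal store, export only its public part for the server administrator, and list which certificates in the store are actually eligible to be offered as a client certificate. The subject name, export path and the assumption that Composer expects the standard Client Authentication extended key usage are mine, not stated on the page.

```powershell
# Added example: client-certificate housekeeping on the Composer machine.
# Assumptions (not from the page): subject name, export path, Client Authentication EKU.
$subject    = "CN=composer-client-EXAMPLE"                 # hypothetical subject
$exportPath = Join-Path $env:TEMP "composer-client-public.cer"  # hypothetical path

# 1. Create a self-signed certificate with a private key in the user's Personal store.
#    1.3.6.1.5.5.7.3.2 is the Client Authentication extended key usage OID.
#    NonExportable keeps the private key bound to this machine, which is the point
#    of authenticating the machine rather than just the user.
$cert = New-SelfSignedCertificate `
    -Subject $subject `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyUsage DigitalSignature `
    -KeyExportPolicy NonExportable `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2") `
    -NotAfter (Get-Date).AddYears(1)

# 2. Export only the public certificate (DER .cer, no private key).
#    This is the file the Application Repository server needs installed.
Export-Certificate -Cert $cert -FilePath $exportPath -Type CERT | Out-Null

# 3. Check which certificates in the Personal store can serve as a client certificate:
#    private key present, Client Authentication EKU, and not yet expired.
function Get-EligibleClientCert {
    Get-ChildItem "Cert:\CurrentUser\My" | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq "1.3.6.1.5.5.7.3.2" })
    }
}

Get-EligibleClientCert |
    Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey |
    Format-Table -AutoSize
```

Only the exported .cer file should leave the Composer machine; if you rely on the dialog's export command to back up the private key, omit -KeyExportPolicy NonExportable when creating the certificate.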

Using Two-Way Authentication

Once you (or someone responsible for security) have set up two-way authentication on both the Composer and Application Repository machines, you're ready to connect using a client-side certificate.  If there is at least one certificate set up to be available in Composer, the Client certificate drop-down list will appear in the Repository Connection Settings section of the Repository tab in the SBM Composer Options dialog (FILE->Composer Options).  When you check the Uses secure connections option, the drop-down list will become enabled, letting you pick which certificate to use with the selected repository machine.

Of course, if you've only got one client certificate designated for use in Composer, this will be the only option available to you.  If more than one is available, you'll just need to pick a certificate which has a corresponding certificate installed on the server.
