Creating a Lua client certificate authentication module

This scenario illustrates how to create a Lua HTTP transformation rule that can be used to authenticate a user by using information found within the client certificate.

About this task

Script
-- IBM Confidential 
-- PID 5725-V89 5725-V90 5737-F02
-- 
-- Copyright IBM Corp. 2023

-- This script is used to test a Lua script which is acting as an EAI to
-- authenticate a user using information obtained from the client
-- certificate.
--
-- In order to use this script:
--   * The transformation rule must be enabled as a postazn rule
--   * EAI authentication must be enabled
--   * The EAI trigger URL must be set to the transformation rule
--     resource
--   * Unauthenticated access must be allowed for the transformation
--     rule resource
--   * The login.html file (or other form) must be set to POST the
--     authentication data to the transformation rule resource.
--   * Create the 38b9a4b2.html error file so that authentication errors
--     can be displayed to the user.

-- Add the serial number as an attribute.
Authentication.setAttribute("serial-number", Client.getCertificateField("SerialNumber"))

-- Set the user identity from the CN
Authentication.setUserIdentity(Client.getCertificateField("SubjectCN"), false)

Procedure

  1. Import and enable the transformation rule by adding the following configuration to the WebSEAL configuration file:
    [http-transformations]
    pkmslogin.lua = cert-eai.lua
    
    [http-transformations:pkmslogin.lua]
    request-match = postazn:GET /pkmslogin.lua*
  2. Enable EAI authentication and set up a trigger URL for the transformation resource by adding the following configuration to the WebSEAL configuration file:
    [eai]
    eai-auth = https
    
    [eai-trigger-urls]
    trigger = /pkmslogin.lua*
  3. Enable client certificate authentication and signal that Lua-based authentication is being used by adding the following configuration to the WebSEAL configuration file:
    [certificate]
    accept-client-certs = optional
    eai-uri = %lua-eai%
    Note: For WebSEAL to trust the client certificate, the certificate of the signing CA must be added to the WebSEAL key file.
  4. Enable local response redirect so that login requests are redirected to the /pkmslogin.lua resource:
    [acnt-mgt]
    enable-local-response-redirect = yes
    
    [local-response-redirect]
    local-response-redirect-uri = [login] /pkmslogin.lua
  5. Attach an ACL that allows unauthenticated read access to the HTTP transformation resource: /WebSEAL/<server-name>/pkmslogin.lua.
  6. Create the 38b9a4b2.html error file so that a custom error page can be returned to the client when an authentication error occurs.
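The script above sets the user identity unconditionally. Because accept-client-certs = optional lets a request through without a client certificate, a defensive variant should check that the certificate fields are actually present and usable before authenticating. The following rule is an added example, not the script from this page or IBM's own code. It uses only the three API calls shown above and makes two assumptions: that Client.getCertificateField returns nil or an empty string when the field is absent, and that leaving Authentication.setUserIdentity uncalled leaves the request unauthenticated (so the configured error handling, including the 38b9a4b2.html file, applies). The serial-number allowlist and the user-name character set are constructed sample values.

```lua
-- Added example: defensive variant of the client certificate EAI rule.
-- Assumptions (not stated on the page):
--   * Client.getCertificateField returns nil or "" for a missing field,
--     e.g. when no client certificate was presented.
--   * Not calling Authentication.setUserIdentity leaves the request
--     unauthenticated, so the authentication error path is taken.

local serial = Client.getCertificateField("SerialNumber")
local cn     = Client.getCertificateField("SubjectCN")

-- Constructed sample allowlist of certificate serial numbers (placeholders).
-- Trust in the issuing CA itself is anchored by the WebSEAL key file (see the
-- note in step 3); this list only narrows which certificates may log in.
local allowed_serials = {
  ["0A1B2C3D4E5F"] = true,
  ["112233445566"] = true,
}

-- True when a certificate field carries a usable value.
local function present(value)
  return value ~= nil and value ~= ""
end

-- Restrict the identity to a conservative character set so that a CN
-- containing unexpected characters is never passed to the user registry.
local function valid_user_name(name)
  return name:match("^[%w@%._%-]+$") ~= nil
end

-- No usable certificate: do not set an identity, so EAI does not log in.
if not present(cn) or not present(serial) then
  return
end

-- Certificate is trusted by the CA but not on the allowlist.
if not allowed_serials[serial] then
  return
end

-- Subject CN contains characters outside the permitted set.
if not valid_user_name(cn) then
  return
end

-- All checks passed: expose the serial number as a credential attribute and
-- authenticate the user under the certificate's subject CN.
Authentication.setAttribute("serial-number", serial)
Authentication.setUserIdentity(cn, false)
```

Each early return deliberately leaves the request unauthenticated rather than attempting to log the user in with partial data; the false argument to Authentication.setUserIdentity is kept exactly as in the script above.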