Servers can validate the identity of a client using client identity certificates. Client certificate support in the Avaya Client SDK Communications Package builds on the concepts outlined in Working with Certificates.
A client identity certificate is a digital certificate that conforms to the X.509 standard. It is used by client systems to prove their identity to a remote server. At the start of a TLS session, the server (if configured to do so) may require the client application to present a client certificate for authentication. The server then uses the certificate to identify the client and to decide whether the client should be allowed access.
Note: Verify that the Key Usage extension of the certificate includes the Key Encipherment attribute. This is required for certificates used for data privacy, that is, for encrypting messages. TLS client authentication also signs the CertificateVerify handshake message with the certificate's private key, so the Digital Signature attribute must be present as well.
The client can provide a client identity certificate in two ways:
1. The user selects an identity certificate from the OS certificate store: the application passes a client identity certificate from the Windows Personal ("MY") certificate store (current user or local machine) to the Client SDK. API: SetClientIdentityCertificate
2. The user uploads a PKCS #12 file from a local directory: the application loads the file and hands the certificate chain, together with the private key that belongs to the leaf certificate, to the Client SDK, which stores them securely for use during mutual authentication. API: SetClientIdentityCertificateChain(CertificateChain, privateKey)
In addition, the PKCS12URL configuration setting specifies the URL from which a PKCS #12 file containing the client identity certificate and its private key is downloaded (PKCS12URL, together with PKCS12PASSWORD for the file's password).
Client certificate support by provider:
LDAP - No (limitation in the client's third-party library)
Unified Portal - Off by default (guest access cannot support TLS mutual authentication)
UCCS - No (limitation in the server)
WCS - No (limitation in the server)
The Client SDK does not validate client certificates itself; the server's validation responses are passed to your application.
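The following is an added example, not code from the Avaya page or the SDK, of the checks an application should run on a user-supplied PKCS #12 file before passing it to SetClientIdentityCertificateChain: it confirms that the leaf certificate carries a private key and is within its validity period, that the Key Usage extension has the attributes required above, that an Extended Key Usage extension (if present) allows Client Authentication, and it orders the chain leaf-first. It uses only .NET's System.Security.Cryptography.X509Certificates API. Assumptions: the SDK method accepts a List<X509Certificate2> and an AsymmetricAlgorithm (the page shows List and AsymmetricAlgorithm), the SDK client object's type is named Client, and the class and method names are mine.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class ClientIdentityLoader
{
    // id-kp-clientAuth: the Extended Key Usage purpose for TLS client authentication.
    private const string ClientAuthOid = "1.3.6.1.5.5.7.3.2";

    // Loads a PKCS#12 file and returns the certificate chain (leaf first)
    // and the leaf's private key, refusing anything the server would reject.
    public static (List<X509Certificate2> Chain, AsymmetricAlgorithm Key) Load(
        string pkcs12Path, string password)
    {
        var bundle = new X509Certificate2Collection();
        bundle.Import(pkcs12Path, password, X509KeyStorageFlags.DefaultKeySet);

        // The identity is the entry that carries the private key; the
        // remaining entries are intermediate or root certificates.
        X509Certificate2 leaf = bundle.Cast<X509Certificate2>()
            .FirstOrDefault(c => c.HasPrivateKey)
            ?? throw new InvalidOperationException("no private key in PKCS#12 file");

        DateTime now = DateTime.Now;
        if (now < leaf.NotBefore || now > leaf.NotAfter)
            throw new InvalidOperationException("certificate expired or not yet valid");

        // Key Usage: Key Encipherment is required by the SDK note above, and
        // TLS client authentication signs CertificateVerify, so Digital
        // Signature is needed too. A missing extension imposes no restriction.
        var keyUsage = leaf.Extensions.OfType<X509KeyUsageExtension>().FirstOrDefault();
        if (keyUsage != null)
        {
            var required = X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment;
            if ((keyUsage.KeyUsages & required) != required)
                throw new InvalidOperationException(
                    $"Key Usage lacks DigitalSignature/KeyEncipherment: {keyUsage.KeyUsages}");
        }

        // Extended Key Usage, when present, must allow Client Authentication.
        var eku = leaf.Extensions.OfType<X509EnhancedKeyUsageExtension>().FirstOrDefault();
        if (eku != null && !eku.EnhancedKeyUsages.Cast<Oid>().Any(o => o.Value == ClientAuthOid))
            throw new InvalidOperationException("certificate is not enabled for TLS client authentication");

        // Order the chain leaf-first using the issuer certificates shipped in
        // the file. Revocation is the server's decision (it reports
        // IDENTITY_REVOKED_CERTIFICATE), and an unknown root is tolerated here
        // because the server, not this client, decides which CAs it trusts.
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
            chain.ChainPolicy.ExtraStore.AddRange(bundle);
            chain.Build(leaf);
            List<X509Certificate2> ordered = chain.ChainElements.Cast<X509ChainElement>()
                .Select(e => e.Certificate).ToList();

            AsymmetricAlgorithm key = (AsymmetricAlgorithm)leaf.GetRSAPrivateKey()
                ?? leaf.GetECDsaPrivateKey();
            if (key == null)
                throw new InvalidOperationException("unsupported private key type");
            return (ordered, key);
        }
    }

    // Hands the verified identity to the SDK. `client` is the application's
    // existing SDK client object; its type name Client is assumed here.
    public static void Provision(Client client, string pkcs12Path, string password)
    {
        var (chain, key) = Load(pkcs12Path, password);
        client.CertificateManager.SetClientIdentityCertificateChain(chain, key);
    }
}
```

Failing early on the client side turns an opaque IDENTITY_BAD_CERTIFICATE or IDENTITY_UNSUPPORTED_CERTIFICATE response from the server into a precise message for the user at upload time, before the file is stored by the SDK.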
The Client SDK provides a property named CertificateRenewalValue in SecurityPolicyConfiguration.
It is an integer value specifying the percentage (0 - 100) of the certificate's maximum age after which the client should issue a certificate renewal notification. The default value is 90%.
This configuration applies to every client identity certificate managed by the Client SDK, including certificates the user selected manually, regardless of the source of the identity certificate.
Once the certificate passes this point in its validity period, the Client SDK notifies the application that the certificate is approaching expiry and should be renewed.
If the certificate in use is already within the configured period, the Client SDK notifies the application immediately after startup. Subsequent notifications are sent every 12 hours; this interval is not configurable. Every notification carries NumberOfDaysToExpire, the number of days until the certificate expires.
When the server rejects the client identity certificate during the TLS handshake, the Client SDK reports the reason to the application with one of the following codes (most correspond to the TLS alert descriptions bad_certificate, unsupported_certificate, certificate_revoked, certificate_expired and unknown_ca):
IDENTITY_NO_CERTIFICATE: The server rejected the request because the client identity certificate was missing.
IDENTITY_BAD_CERTIFICATE: The server rejected the request because the identity certificate is corrupt, failed signature verification, or is otherwise malformed.
IDENTITY_UNSUPPORTED_CERTIFICATE: The server rejected the request because the identity certificate is of an unsupported type.
IDENTITY_REVOKED_CERTIFICATE: The server rejected the request because the identity certificate has been revoked by its issuer.
IDENTITY_EXPIRED_CERTIFICATE: The server rejected the request because the identity certificate has expired or is not yet valid.
IDENTITY_UNKNOWN_CA: The server rejected the request because the identity certificate was issued by a certificate authority the server does not trust.
INVALID_IDENTITY_CERTIFICATE: The client identity certificate was rejected by the server.
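The renewal threshold and the expiry-related rejection code above can both be reasoned about locally. The following is an added example, not code from the Avaya page or the SDK: it computes the CertificateRenewalValue threshold for a certificate, treating "maximum age" as the full NotBefore..NotAfter validity period, and classifies the certificate against the local clock, telling an expired certificate apart from one that is not yet valid (the server reports both as IDENTITY_EXPIRED_CERTIFICATE, but the latter usually means clock skew rather than a certificate that needs renewing). The sample certificate is constructed and self-signed with .NET's CertificateRequest (available from .NET Framework 4.7.2 and .NET Core 2.0); the enum, class and method names are mine.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public enum IdentityStatus { NotYetValid, Valid, RenewalDue, Expired }

public static class RenewalPolicy
{
    // Mirrors the CertificateRenewalValue semantics: the renewal window opens
    // once renewalPercent of the total validity period has elapsed.
    public static DateTime RenewalThreshold(X509Certificate2 cert, int renewalPercent)
    {
        if (renewalPercent < 0 || renewalPercent > 100)
            throw new ArgumentOutOfRangeException(nameof(renewalPercent), "must be 0 - 100");
        TimeSpan lifetime = cert.NotAfter - cert.NotBefore;
        return cert.NotBefore + TimeSpan.FromTicks(lifetime.Ticks * renewalPercent / 100);
    }

    // Classifies the certificate against the given clock and returns the
    // whole days until expiry (negative once the certificate has expired).
    public static (IdentityStatus Status, int DaysToExpire) Classify(
        X509Certificate2 cert, int renewalPercent, DateTime now)
    {
        int days = (int)Math.Floor((cert.NotAfter - now).TotalDays);
        if (now < cert.NotBefore) return (IdentityStatus.NotYetValid, days);
        if (now >= cert.NotAfter) return (IdentityStatus.Expired, days);
        if (now >= RenewalThreshold(cert, renewalPercent)) return (IdentityStatus.RenewalDue, days);
        return (IdentityStatus.Valid, days);
    }

    // Constructed sample: a self-signed certificate so the policy can be
    // exercised offline. A real deployment uses the provisioned identity.
    public static X509Certificate2 SampleCertificate(DateTime notBefore, int validDays)
    {
        using (RSA rsa = RSA.Create(2048))
        {
            var request = new CertificateRequest("CN=sample-client", rsa,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            return request.CreateSelfSigned(notBefore, notBefore.AddDays(validDays));
        }
    }

    public static void Main()
    {
        DateTime issued = new DateTime(2024, 1, 1, 0, 0, 0, DateTimeKind.Local);
        X509Certificate2 cert = SampleCertificate(issued, 365);

        // With the default 90%, the window opens 328.5 days after NotBefore,
        // about 36 days before the one-year certificate expires.
        Console.WriteLine($"renewal window opens: {RenewalThreshold(cert, 90)}");

        DateTime[] clocks =
        {
            issued.AddDays(-1),   // NotYetValid: local clock behind the issuer's
            issued.AddDays(100),  // Valid
            issued.AddDays(330),  // RenewalDue: past the 90% point
            issued.AddDays(366),  // Expired
        };
        foreach (DateTime now in clocks)
        {
            var (status, days) = Classify(cert, 90, now);
            Console.WriteLine($"{now:yyyy-MM-dd}: {status}, {days} days to expiry");
        }
    }
}
```

Because the percentage is taken of the whole validity period rather than of the time remaining, the same CertificateRenewalValue leaves very different warning windows for certificates of different lifetimes: 90% of one year gives roughly five weeks, while 90% of a 30-day certificate gives three days, so deployments that issue short-lived client certificates should lower the value.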
The following code snippet demonstrates how to obtain a certificate chain from the Windows Personal certificate store and pass it to the Client SDK by using CertificateManager. It assumes subjectName holds the subject name of the user's certificate.
// Retrieve the client certificate (with its private key) from the
// current user's Personal ("MY") certificate store by subject name.
X509Certificate2 leaf;
using (X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
{
    store.Open(OpenFlags.ReadOnly);
    leaf = store.Certificates
        .Find(X509FindType.FindBySubjectName, subjectName, true)
        .Cast<X509Certificate2>()
        .First(c => c.HasPrivateKey);
}
// Build the complete certificate chain, leaf first, from the store.
X509Chain chain = new X509Chain();
chain.Build(leaf);
List<X509Certificate2> clientCertificateChain = chain.ChainElements
    .Cast<X509ChainElement>().Select(e => e.Certificate).ToList();
// Retrieve the associated RSA private key.
AsymmetricAlgorithm privateKey = leaf.GetRSAPrivateKey();
// Set both the client certificate chain and the private key.
// Wrap the call in a try/catch to handle provisioning errors.
client.CertificateManager.SetClientIdentityCertificateChain(
    clientCertificateChain,
    privateKey);
// Client certificate has been successfully provisioned.
Use the properties of CertificateManager to obtain the certificate chain and the RSA private key currently used by the Client SDK.
// Retrieve the complete client certificate chain.
List<X509Certificate2> clientCertificateChain =
    client.CertificateManager.ClientIdentityCertificateChain.ToList();
// Retrieve the private key.
AsymmetricAlgorithm privateKey =
    client.CertificateManager.ClientIdentityPrivateKey;
You can register your application to receive expiration notifications.
Optionally, use the SecurityPolicyConfiguration object to specify the percentage (of the client identity certificate's age) after which certificate status notifications are issued.
// Create and initialise the Security Policy Configuration and set the
// renewal threshold (90% is the default).
SecurityPolicyConfiguration securityPolicyConfiguration =
    new SecurityPolicyConfiguration();
securityPolicyConfiguration.CertificateRenewalValue = 90;
// Apply securityPolicyConfiguration to the client configuration used to create the client.
// Instantiate an application delegate
AppCertificateExpiryDelegate certificateExpiryDelegate =
    new AppCertificateExpiryDelegate();
// Set the CertificateExpiryNotification event handler
client.CertificateManager.CertificateExpiryNotification +=
    new EventHandler<CertificateExpiryEventArgs>(
        certificateExpiryDelegate.onCertificateExpiry);
The Client SDK invokes your application's event handler when the identity certificate approaches expiration.
class AppCertificateExpiryDelegate
{
    public void onCertificateExpiry(object sender, CertificateExpiryEventArgs e)
    {
        // Add your code here. Use e.NumberOfDaysToExpire and e.Certificate to
        // warn the user; the notification repeats every 12 hours until the
        // certificate is renewed, so avoid stacking duplicate prompts.
    }
}
// Remove the certificate status event handler
client.CertificateManager.CertificateExpiryNotification -=
    new EventHandler<CertificateExpiryEventArgs>(
        certificateExpiryDelegate.onCertificateExpiry);
// Delete the client certificate and its private key.
client.CertificateManager.DeleteClientIdentityCertificateChain();
The Client SDK supports SCEP for retrieving identity certificates. Create a ScepConfiguration object and pass it, together with an EnrollmentCredentialProvider, to the Enroll() method of the CertificateManager object.
ScepConfiguration scepConfiguration = new ScepConfiguration();
// Populate scepConfiguration details (SCEP server, common name, challenge password, ...).
EnrollmentCredentialProvider enrollmentCredentialProvider =
    new EnrollmentCredentialProvider(
        scepConfiguration.CertificateCommonName,
        scepConfiguration.ChallengePassword);
client.CertificateManager.Enroll(scepConfiguration, enrollmentCredentialProvider,
    (chain, privateKey, result) =>
    {
        // Enrollment completion handler: inspect result before using
        // the returned chain and privateKey.
    });