Question from asdf13:
How to do client authentication in RPGLE?

How to do client authentication in a dedicated RPGLE program, not for all sessions of a client?
(An ACS connection to the iSeries is used.) Maybe with usage of a DCM certificate?
Shalom Carmel:

What client software are you using?
asdf13 (asker):
IBM Access Client Solutions (ACS) is used.
Authentication should be done by RPGLE, a dedicated application program, not for all sessions of the client.
Not sure if I understand the requirement.  I'll start with some assumptions, and you can tell me if I got anything wrong:

Assumptions

1) You have users who log onto their PCs using their Windows Active Directory domain credentials.
2) These users then start ACS, and select a 5250 Session and log in using their IBM i credentials.

Is that right so far?

Then what happens?
And what do you WANT to happen?

Ultimately, once a user logs onto a green-screen session, they are running under that profile.  IBM i resource-level security is then in force and controls what programs the user can and cannot run, what database objects they can access, etc.

If you need to identify the logged-in user from a program, it is very easy:

For example in CL:

/* Job user (the profile that started the job) and current user (the profile in effect now) */
DCL &JUSER *CHAR 10
DCL &CURUSER *CHAR 10
RTVJOBA USER(&JUSER) CURUSR(&CURUSER)

Note that on IBM i there is the concept of the logged-in user, or the job user (the user ID used to start the job), and the current user, since sometimes a program can be created that is allowed to temporarily switch the current user.  Best practice if you write your own code for authority checking is to use the Current User.

In RPG, you can just check the Program Status Data Structure (link to documentation below) for both the job user and current user:

 DCL-DS pgm_stat PSDS;
     // PSDS positions 254-263: user name of the job
     jobUser CHAR(10) POS(254);
     // PSDS positions 358-367: current user profile
     currentUser CHAR(10) POS(358);
  END-DS;

https://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_73/rzasd/psdsdt9.htm

If that doesn't get you what you need, let me know.
asdf13 (asker):

Hello Gary,

thanks for your advice so far.
Opening the question as "man in the middle", I got more details from the developer:
For user authentication, SSL/certificate should be used.
The client side (ACS) is prepared to respond to certificate requests from the iSeries (API/DCM?).
The question is: how to verify "certificate values" in the application (RPGLE).
I'm going to need a better explanation.  SSL/TLS is most often used to ensure the identity of the host (1 way SSL), but it can be used to identify the client and the host (2 way SSL).  For 2 way SSL, each client system or each user is issued a unique certificate.

In a 5250 application, the certificate exchange and authorization is handled by ACS, not by RPG.

Here is an article that explains how to configure client side SSL certificates in ACS.

https://www-01.ibm.com/support/docview.wss?uid=nas8N1022570

If that isn't what your developer wants, then I don't understand the reference to RPG, or what it is the developer wants to accomplish.  I need more info about the specific application.
asdf13 (asker):

Hello Gary,
I have to ask the application developer for more details, as you asked.

Maybe user certificate values should be checked in RPGLE after 2-way SSL has passed OK,
meaning: the certificate values are to be read in RPGLE (API?).
asdf13 (asker):

Hello Gary,
I got these short additional details from the application developer:

We need:
-each user is issued a unique certificate
-we have the application on iSeries, which uses some RPG pgm for one functionality (payment claims).
 Just for this one RPG pgm we need this special verification using a certificate in DCM.
Accepted solution by Gary Patterson, CISSP (content not available on this page).
asdf13 (asker):

Hello Gary,

I think this is what was requested:

https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_74/apis/qsylstuc.htm
Thanks!

I will hand this advice over to the developer and wait for feedback on what the reason was for these additional efforts to
retrieve certificate values into the application program . . . .
Client certificates are stored on the user's PC, and in DCM.
There is no simple way to present the PC certificate to the RPG program for comparison with DCM.  
That is why you use ACS.
ACS is a Windows program, so it can retrieve the client certificate from the PC.
Then, as part of the process of connecting to an SSL-secured IBM i Telnet server, it will securely present the client certificate to the IBM i Telnet Server.
The Telnet server then validates the certificate against DCM.

To do this yourself, you'll need to create a Windows program that can retrieve the client certificate and securely present it on demand to the RPG program.  Then the RPG program would have to perform certificate validation.
Let's see if I understand the applicative situation.

Based on the limited information so far, I see 2 possible scenarios.
Which one is correct, if any?

1. RPG program as a secure client

* You have a green screen AS400 application.
* One of the RPG programs in your application has to communicate with some kind of a service to handle payment claims.
* For security reasons, the RPG program must use a secure channel for the communication.
* Maybe you want to use individual certificates for user authentication

2. PC secure client to access your RPG application

* You have a green screen application running on the AS400 server that communicates with clients using ACS.
* ACS is not using SSL/TLS
* You want that whenever end users access a specific program, they have to use a secure channel.
* Maybe you want to use individual certificates for user authentication
asdf13 (asker):

Scenario 1 caused the question . . .
Thought so..

The answers you got from Gary were all referring to the second scenario, which is the most common use case tbh.
Is the connection from the RPG program to the service to be done over HTTPS?
If the answer is yes, then I strongly recommend that you do not try to integrate it all by yourself, as SSL/TLS management and usage is baffling to the uninitiated.
Go get the GETURI tool  https://docs.bvstools.com/home/geturi/docs - it also has an API and it will be worth it in the time saved.
You will have to create a certificate store in DCM and import all of the end user certificates.
When using GETURI, you can specify which client certificate to use, so obviously you will have to maintain a database of user/certificates.
asdf13 (asker):

Hello,
unfortunately it is still unclear what exactly is needed.

Again, I asked back at development which client/server situation exists and what kind of "user authentication" is wanted (repeating Gary's/Shalom's questions).  In case of no useful feedback, I will close the question finally.
Thanks for the clarification.  This is a completely different scenario than what I've outlined until now.  What connection protocol is being used between the RPG program and the remote host?  HTTPS web service (REST, SOAP, or POX?), AS2 over HTTPS, sFTP, FTPs, SCP, etc?

IBM i has good support, for example, for sftp and scp.

HTTPS with two-way SSL/TLS is fairly complicated in RPG.  Of course, you can purchase tools, or use third-party components, but another attractive option from RPG is to script HTTPS interactions using the cURL utility, which does support two-way SSL/TLS.

Happy to discuss that alternative in more detail if desired.
asdf13 (asker):

Hello,
new comment from the developer with clarification of what is needed:

It was my mistake, where I chose scenario 1 for Shalom Carmel's question. The second scenario is correct.


But answer from Gary was before comment:
Client certificates are stored on the user's PC, and in DCM.
There is no simple way to present the PC certificate to the RPG program for comparison with DCM.  
That is why you use ACS.
ACS is a Windows program, so it can retrieve the client certificate from the PC.
Then, as part of the process of connecting to an SSL-secured IBM i Telnet server, it will securely present the client certificate to the IBM i Telnet Server.
The Telnet server then validates the certificate against DCM.

To do this yourself, you'll need to create a Windows program that can retrieve the client certificate and securely present it on demand to the RPG program.  Then the RPG program would have to perform certificate validation.

My remark for this answer:
This IBM i Telnet authentication (validation between the client certificate stored on the user's PC and in DCM on the iSeries server) is for all client sessions; I don't need this one.
My question:
Is this alternative not possible for my validation, using the user certificate on the user's PC side and in DCM, using the RPGLE API (qsylstuc) from the iSeries side?
My idea:
-I use the ACS emulator to retrieve the client certificate from the PC (ACS is not using SSL/TLS)
-I log in to my application (green screen application) on iSeries and then I call my "specific RPGLE Pgm" using a secure channel. For this step I mean this user authentication: compare the private user certificate from the PC (retrieved using ACS) with the user certificate in DCM using the qsylstuc API. When the comparison is OK, then the user can continue to the next step in the RPGLE PGM (for example: claim payment).
-I use the ACS emulator to retrieve the client certificate from the PC (ACS is not using SSL/TLS)

ACS has integrated SSL/TLS capabilities, but it doesn't have an interface (at least not one that I'm aware of) that would be visible to an RPG program to retrieve/validate a user certificate from the PC.  Green-screen RPG programs like this typically delegate this type of authentication (and encryption) to ACS - which is sitting in the perfect position in the infrastructure to handle it.  

SSL/TLS mutual authentication is a fairly complex process - it isn't as simple as "look up certificates and compare them" - certificates are validated, and the certificate exchange is done via PKI (client encrypts a token with host's public certificate, host decrypts with private cert and presents back to client to prove it has private cert - and vice-versa).

-I log in to my application (green screen application) on iSeries and then I call my "specific RPGLE Pgm" using a secure channel. For this step I mean this user authentication: compare the private user certificate from the PC (retrieved using ACS) with the user certificate in DCM using the qsylstuc API. When the comparison is OK, then the user can continue to the next step in the RPGLE PGM (for example: claim payment).

Thanks, that's a good explanation.  

Can you explain the business or compliance requirement that you are trying to solve - because the mechanism you describe isn't a common requirement.  

In most environments, for a user to access this sort of application, they have already been through multiple layers of authentication:

  1. They have authenticated with the business Windows domain (or Linux authentication infrastructure) in order to access ACS.
  2. They have authenticated to the iSeries with credentials that have access to execute the application in question.
  3. If you want to ensure the Windows-to-iSeries connection is secure, you'd typically use TLS to secure the ACS session, and for even more security, you could use mutual TLS with a client certificate to ensure that they only accessed the system from an authorized device.

Ultimately, this type of security is typically enforced at the session level.  ACS is already designed to handle this type of secure connection.  So you don't need to do it in your RPG green-screen application if you can simply trust that an authenticated user has already been required to present a user certificate, and it has been properly validated.

This  request is confusing to me, and I feel like there is something that I am missing.

If you want to add an additional layer of security right at the point of use, then I'd suggest using some sort of multi-factor authentication - like a secure token.  We have a customer using Duo to provide an additional authentication factor for their VPN, and for access to a web portal providing access to a couple of key applications.  

Duo (or similar tools) has an API that could be incorporated into an RPG application very easily.

https://duo.com/docs/authapi

I have the Duo app on my smartphone.  When I want to access the client's system, I am challenged to present a one-time password  from the Duo app on my phone.  I
asdf13 (asker):

Hello Gary,
maybe the simple reason why the developer does not want user authentication done by ACS is that all accessing users would then have to be handled with individual user certificates, whereas managing only some special users could be easier (if so).
But I am not sure, and I am waiting for the developer's comment . .
asdf13 (asker):

Developer comment:
Hello,
this direction for my issue is right; what is needed is multi-factor authentication.

My question:
Now I know the way of using the user certificate (ACS DCM) is not correct.
Could you tell me some other "free" application like the Duo app?
Thanks a lot.
Duo is free for up to 10 users.  Plenty of other options, including fusionAuth.io, DynaLogin.org, LinOTP.org, and others.  For the small cost involved ($3/user/month), we prefer to use a provider like Duo, who provides server and authentication infrastructure rather than go to the expense and trouble of setting up and managing our own server, SMS gateway, MFA app, etc.

Here is an example bash script I found that calls the Duo API.  You can run a bash script in PASE on IBM i, and use this directly to perform authentication:

FORM="Content-Type: application/x-www-form-urlencoded"
NOW=$(date -R)

#get these from the Duo Admin interface
INT="<integration key>"
KEY="<secret passcode>"
API="<api host>.duosecurity.com"

URL="/auth/v2/check"
#canonical request: date, method, host, path and (empty) params, one per line;
#printf -v keeps real newlines, which echo -n of a "\n" string would not produce
printf -v REQ '%s\nGET\n%s\n%s\n' "$NOW" "$API" "$URL"

#could also use awk here, or the --binary mode as suggested elsewhere
HMAC=$(printf '%s' "$REQ" | openssl sha1 -hmac "$KEY" | cut -d" " -f 2)

AUTH=$(printf '%s' "$INT:$HMAC" | base64 -w0)

curl -s -H "Date: $NOW" -H "$FORM" -H "Authorization: Basic $AUTH" "https://$API$URL"
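The shell script above only signs a parameter-less GET. The Duo Auth API documentation linked earlier (https://duo.com/docs/authapi) specifies the general scheme: a canonical request of date, method, lowercase host, path and sorted, percent-encoded parameters, an HMAC-SHA1 over it with the secret key, and the integration key plus hex signature sent as HTTP Basic credentials. The following is an added example, written for this thread and not code from Duo, Gary or the original post; it implements that general signing scheme in Python (which, like bash, runs in PASE on IBM i) and adds a constant-time verifier of the kind a receiving service would use. The integration key, secret key, host and user names are constructed placeholders, and the function names are this example's own.

```python
"""Duo Auth API v2 request signing (HMAC-SHA1 over a canonical request).

Added example; placeholder keys and host below are constructed, not real."""
import base64
import hashlib
import hmac
from email.utils import formatdate
from typing import Dict, Optional, Tuple
from urllib.parse import quote


def canonicalize_params(params: Dict[str, str]) -> str:
    """Sort by key and percent-encode keys and values per RFC 3986, leaving only
    unreserved characters (A-Z a-z 0-9 - _ . ~) bare; spaces become %20, '/' is encoded."""
    return "&".join(
        f"{quote(str(k), safe='~')}={quote(str(v), safe='~')}"
        for k, v in sorted(params.items())
    )


def canonical_request(date: str, method: str, host: str, path: str,
                      params: Dict[str, str]) -> str:
    """Five newline-separated lines: RFC 2822 date, upper-case method, lower-case host,
    path, canonical params (empty line when there are none)."""
    return "\n".join([date, method.upper(), host.lower(), path, canonicalize_params(params)])


def hmac_sha1_hex(key: str, message: str) -> str:
    """Lower-case hex HMAC-SHA1 of message under key (both UTF-8)."""
    return hmac.new(key.encode("utf-8"), message.encode("utf-8"), hashlib.sha1).hexdigest()


def sign_request(ikey: str, skey: str, method: str, host: str, path: str,
                 params: Dict[str, str], date: Optional[str] = None
                 ) -> Tuple[Dict[str, str], str]:
    """Return (headers, encoded_params) for one API call.

    The encoded params go in the query string for GET and in the body for POST/PUT;
    the same string is what was signed, so the server can recompute the HMAC."""
    date = date or formatdate(usegmt=True)
    signature = hmac_sha1_hex(skey, canonical_request(date, method, host, path, params))
    token = base64.b64encode(f"{ikey}:{signature}".encode("ascii")).decode("ascii")
    headers = {"Date": date, "Authorization": f"Basic {token}"}
    if method.upper() in ("POST", "PUT"):
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    return headers, canonicalize_params(params)


def verify_signature(skey: str, canonical: str, presented_hex: str) -> bool:
    """Receiver-side check: recompute and compare in constant time, so a byte-by-byte
    mismatch does not leak how much of the signature was correct."""
    expected = hmac_sha1_hex(skey, canonical)
    return hmac.compare_digest(expected, presented_hex.lower())


if __name__ == "__main__":
    # Constructed placeholders: a real deployment takes these from the Duo Admin panel.
    ikey, skey, host = "DIXXXXXXXXXXXXXXXXXX", "placeholder-secret-key", "api-xxxxxxxx.duosecurity.com"
    headers, body = sign_request(ikey, skey, "POST", host, "/auth/v2/auth",
                                 {"username": "alice", "factor": "push", "device": "auto"})
    for name, value in headers.items():
        print(f"{name}: {value}")
    print("body:", body)
```

The canonical form matters because the signature is only valid for exactly the bytes the server reconstructs: an unsorted or differently encoded parameter string yields an HTTP 401 with no further hint, which is the usual failure mode when porting this to RPG or CL string handling.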
Hi,

Now I am almost confused :)

Is a certificate needed for MFA? It makes sense that it does.
MFA means that you use more than 1 type of authentication to validate a user. The payment service may already require typing a password, and now it also wants another authentication factor in the form of a client certificate.

Does this describe your situation?
asdf13 (asker):

Hello Shalom,
the answer to your question will be delayed because of the vacation situation . . .
Sure, No Problem.
You assigned the points to Gary anyway :D
I just want to help..