Deactivate user authentication with certificate

Dear community,

when I start the web UI of the Opal server, a browser dialog appears to choose a certificate to authenticate as a user. I do not plan to make use of this authentication method and will only use user name and password as an authentication method. Since the dialog does not appear on the Opal demo server https://opal-demo.obiba.org/ I am wondering how this authentication method can be deactivated.

Regards

Felix

Hi,

You are not seeing an opal page. Most likely it is your reverse proxy that serves this page, see with your IT department.

Regards
Yannick

Thank you for the response.

To be clear about the dialog: It is a dialog opened by Firefox or Chrome like this.

I was able to reproduce the issue with both server and client locally on my Windows machine by using the docker-compose file proposed in the docs. Thus I do not think the reason is to be found in my organization since no organizational proxies etc were used.

I think what happens here is that the Opal server sends a CertificateRequest to the client. Since I have installed personal certificates in the Windows certificate store, the browser asks me to select one to authenticate. The dialog does not appear when I remove these certificates. I would like to stress that I do not use the installed certificates for authentication with Opal (or any other service).

A call of the command openssl s_client -connect localhost:8843 -state shows the following SSL_connect-messages:

  • CONNECTED(00000194)
  • SSL_connect:before SSL initialization
  • SSL_connect:SSLv3/TLS write client hello
  • SSL_connect:SSLv3/TLS write client hello
  • SSL_connect:SSLv3/TLS read server hello
  • SSL_connect:SSLv3/TLS read server certificate
  • SSL_connect:SSLv3/TLS read server key exchange
  • SSL_connect:SSLv3/TLS read server certificate request
  • SSL_connect:SSLv3/TLS read server done
  • SSL_connect:SSLv3/TLS write client certificate
  • SSL_connect:SSLv3/TLS write client key exchange
  • SSL_connect:SSLv3/TLS write change cipher spec
  • SSL_connect:SSLv3/TLS write finished
  • SSL_connect:SSLv3/TLS write finished
  • SSL_connect:SSLv3/TLS read change cipher spec
  • SSL_connect:SSLv3/TLS read finished

The italic line and the preceding lines are e.g. not present when making the same call against opal-demo.obiba.org:443.

I assume that this issue is also the reason that I can't use DataSHIELD while I have certificates installed, since curl fails while trying to establish the connection. Maybe this is connected to issue 127 on the GitHub page of the R package curl. When I remove the certificates (which are not supposed to be used anyway) I can connect to my Opal server.

Ok, I see. Yes, opal does support 2-way ssl authentication, but there is currently no way to disable this feature. This feature is most interesting when using a command line tool such as R or Python; it is not very convenient to use this auth procedure in the browser. As opal-demo uses the default settings (from latest docker image), there is still something specific to your environment that makes this happen. Have you added a user in opal with certificate authentication?

Regards
Yannick

I did use the yml-file as it is listed in the docs, deleted all volumes to be sure not to use old installation data and changed nothing else. I also tested with the same yml-file on a new Windows machine on which a client certificate was installed: same result. I did not change anything in the settings and used the administrator account.

But still there is something different. What do you mean when you say a "Windows machine on which a client certificate was installed"? What is this client certificate for?

I meant by this phrase that a personal certificate was present in the Windows certificate store. The certificate was meant for other purposes and had nothing to do with Opal/DataSHIELD. I did not change any config of the Opal server.

opal-demo is behind a reverse proxy (apache) that does not forward the client certificate to opal. Your browser automatically sends a certificate when connecting to opal, which initiates the 2-way SSL protocol. This protocol tells opal to encrypt responses with the provided certificate and then your browser is asking for the private key to decrypt these responses. You will not be authenticated (because you do not use the certificate-based auth), nevertheless the 2-way SSL process has been triggered.

I have added a config flag org.obiba.opal.ssl.credentials whose default is true. Setting it to false should disable the SSL trust manager; then no cert-based auth will be possible, but you should not get annoyed anymore. This setting is to be added in the OPAL_HOME/opal-config.properties file. You can have a try with the docker image obiba/opal:snapshot.

Regards
Yannick
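The handshake behaviour described in the reply above, as an added example that is not part of this thread and not Opal's own code: a Go program starts an in-process HTTPS server with a chosen ClientAuth policy and reports whether the client's GetClientCertificate callback fired, which happens only when the server sent a CertificateRequest. The handler, the use of httptest's built-in localhost certificate, and the two policies compared are assumptions made for the demonstration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ServerRequestsClientCert starts an HTTPS server with the given ClientAuth policy,
// opens one TLS connection to it, and reports whether the server asked the client
// for a certificate. With RequestClientCert the server sends a CertificateRequest
// even though the client is not required to present anything; that is the point
// at which a browser holding an unrelated personal certificate shows its picker.
func ServerRequestsClientCert(policy tls.ClientAuthType) (bool, error) {
	srv := httptest.NewUnstartedServer(http.NotFoundHandler()) // handler is irrelevant here
	srv.TLS = &tls.Config{ClientAuth: policy}                   // tls.NoClientCert is the "one-way" setting
	srv.StartTLS()                                              // httptest supplies a self-signed localhost cert
	defer srv.Close()

	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate()) // trust only the test server's own certificate

	asked := false
	conn, err := tls.Dial("tcp", srv.Listener.Addr().String(), &tls.Config{
		RootCAs: roots,
		// Invoked only when the server's handshake included a CertificateRequest.
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			asked = true
			return &tls.Certificate{}, nil // present no certificate, as a non-cert user would
		},
	})
	if err != nil {
		return false, err
	}
	return asked, conn.Close()
}

func main() {
	for _, p := range []tls.ClientAuthType{tls.NoClientCert, tls.RequestClientCert} {
		asked, err := ServerRequestsClientCert(p)
		fmt.Printf("ClientAuth=%v: certificate requested=%v err=%v\n", p, asked, err)
	}
}
```

The same distinction can be observed against a live server with the openssl s_client -state call from earlier in the thread: the "read server certificate request" line appears only for the RequestClientCert-style configuration.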

Thank you and sorry for the late answer. I just tested by using the image obiba/opal:snapshot and adding the line org.obiba.opal.ssl.credentials=false to the file /srv/conf/opal-config.properties. Unfortunately, I do not see changes in the behavior regarding client cert-based auth.