When I start the web UI of the Opal server, a browser dialog appears to choose a certificate to authenticate as a user. I do not plan to make use of this authentication method and will only use user name and password as an authentication method. Since the dialog does not appear on the Opal demo server https://opal-demo.obiba.org/ I am wondering how this authentication method can be deactivated.
To be clear about the dialog: It is a dialog opened by Firefox or Chrome like this.
I was able to reproduce the issue with both server and client locally on my Windows machine by using the docker-compose file proposed in the docs. Thus I do not think the reason is to be found in my organization, since no organizational proxies etc. were used.
I think what happens here is that the Opal server sends a CertificateRequest to the client. Since I have installed personal certificates in the Windows certificate store, the browser asks me to select one to authenticate. The dialog does not appear when I remove these certificates. I would like to stress that I do not use the installed certificates for authentication with Opal (or any other service).
A call of the command openssl s_client -connect localhost:8843 -state shows the following SSL_connect messages:
CONNECTED(00000194)
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:SSLv3/TLS read server key exchange
SSL_connect:SSLv3/TLS read server certificate request
SSL_connect:SSLv3/TLS read server done
SSL_connect:SSLv3/TLS write client certificate
SSL_connect:SSLv3/TLS write client key exchange
SSL_connect:SSLv3/TLS write change cipher spec
SSL_connect:SSLv3/TLS write finished
SSL_connect:SSLv3/TLS write finished
SSL_connect:SSLv3/TLS read change cipher spec
SSL_connect:SSLv3/TLS read finished
The italic line and the preceding lines are e.g. not present when making the same call against opal-demo.obiba.org:443.
I assume that this issue is also the reason that I can’t use DataSHIELD while I have installed certificates, since curl fails while trying to establish the connection. Maybe this is connected to issue 127 on the GitHub page of the R package curl. When I remove the certificates (which are not supposed to be used anyways) I can connect to my Opal server.
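To make the difference between the two openssl traces concrete, here is an added example (it is not part of this thread and not Opal's code) that parses a server's TLS 1.2 handshake flight and reports whether it contains a CertificateRequest and, if so, which certificate types and CA names the server will accept. The sample flights are constructed inline, and the CA name is a placeholder rather than a real DER-encoded distinguished name.

```python
import struct
# TLS 1.2 constants (RFC 5246): record content type and handshake message types
CONTENT_HANDSHAKE = 22
HS_SERVER_HELLO, HS_CERTIFICATE, HS_SERVER_KEY_EXCHANGE = 2, 11, 12
HS_CERTIFICATE_REQUEST, HS_SERVER_HELLO_DONE = 13, 14

def handshake_messages(raw: bytes):
    """Yield (type, body) handshake messages, reassembling fragments across records."""
    buf, pos = b"", 0
    while pos + 5 <= len(raw):
        ctype, _version, length = struct.unpack("!BHH", raw[pos:pos + 5])
        if ctype == CONTENT_HANDSHAKE:
            buf += raw[pos + 5:pos + 5 + length]
        pos += 5 + length
    while len(buf) >= 4:
        mtype, mlen = buf[0], int.from_bytes(buf[1:4], "big")
        yield mtype, buf[4:4 + mlen]
        buf = buf[4 + mlen:]

def parse_certificate_request(body: bytes):
    """Return (certificate_types, ca_names) from a CertificateRequest body."""
    n = body[0]
    cert_types, pos = list(body[1:1 + n]), 1 + n
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # skip signature algorithms
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")  # end of CA name list
    pos, names = pos + 2, []
    while pos < end:
        dn_len = int.from_bytes(body[pos:pos + 2], "big")
        names.append(body[pos + 2:pos + 2 + dn_len])
        pos += 2 + dn_len
    return cert_types, names

def requests_client_cert(raw: bytes):
    """None if the server never sends CertificateRequest, else (cert_types, ca_names)."""
    for mtype, body in handshake_messages(raw):
        if mtype == HS_CERTIFICATE_REQUEST:
            return parse_certificate_request(body)
    return None

def _hs(mtype, body):  # one handshake message: type(1) + length(3) + body
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

def _rec(payload):  # one TLS 1.2 handshake record: type(1) + version(2) + length(2) + payload
    return bytes([CONTENT_HANDSHAKE, 3, 3]) + len(payload).to_bytes(2, "big") + payload

# Constructed sample flights, not real captures: the CertificateRequest accepts
# rsa_sign (type 1) and lists one placeholder CA name instead of a DER-encoded DN.
_CERT_REQ = bytes([1, 1]) + b"\x00\x02\x04\x01" + b"\x00\x0c\x00\x0aCN=Demo CA"
_COMMON = (_rec(_hs(HS_SERVER_HELLO, b"\x03\x03" + bytes(32) + b"\x00\xc0\x2f\x00"))
           + _rec(_hs(HS_CERTIFICATE, b"\x00\x00\x00") + _hs(HS_SERVER_KEY_EXCHANGE, b"")))
_REQ = _hs(HS_CERTIFICATE_REQUEST, _CERT_REQ)  # deliberately split across two records below
WITH_REQUEST = _COMMON + _rec(_REQ[:7]) + _rec(_REQ[7:] + _hs(HS_SERVER_HELLO_DONE, b""))
WITHOUT_REQUEST = _COMMON + _rec(_hs(HS_SERVER_HELLO_DONE, b""))
```

Run over a real capture, the same check tells you whether a server is triggering the client-certificate prompt and which CAs it advertises, independently of what the browser decides to show.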
Ok, I see. Yes, Opal does support 2-way SSL authentication, but there is currently no way to disable this feature. This feature is most interesting when using a command line tool such as R or Python; it is not very convenient to use this auth procedure in the browser. As opal-demo uses the default settings (from the latest Docker image), there is still something specific to your environment that makes this happen. Have you added a user in Opal with certificate authentication?
I did use the yml file as it is listed in the docs, deleted all volumes to be sure not to use old installation data and changed nothing else. I also tested with the same yml file on a new Windows machine on which a client certificate was installed: same result.
I did not change anything in the settings and used the administrator account.
But still there is something different. What does that mean when you say a “Windows machine on which a client certificate was installed”? What is this client certificate for?
I meant by this phrase that a personal certificate was present in the Windows certificate store. The certificate was meant for other purposes and had nothing to do with Opal/DataSHIELD. I did not change any config of the Opal server.
opal-demo is behind a reverse proxy (Apache) that does not forward the client certificate to Opal. Your browser automatically sends a certificate when connecting to Opal, which initiates the 2-way SSL protocol. This protocol tells Opal to encrypt responses with the provided certificate, and then your browser is asking for the private key to decrypt these responses. You will not be authenticated (because you do not use the certificate-based auth); nevertheless the 2-way SSL process has been triggered.
I have added a config flag org.obiba.opal.ssl.credentials whose default is true. By setting it to false it should disable the SSL trust manager; then no cert-based auth will be possible, but you should not get annoyed anymore. This setting is to be added in the OPAL_HOME/opal-config.properties file. You can have a try with the Docker image obiba/opal:snapshot.
Thank you and sorry for the late answer.
I just tested by using the image obiba/opal:snapshot and adding the line org.obiba.opal.ssl.credentials=false to the file /srv/conf/opal-config.properties.
Unfortunately, I do not see changes in the behavior regarding client cert-based auth.