Setting Up 2-Way SSL Authentication
Mutual authentication with SSL provides the Knox gateway with the means to establish a strong trust relationship with another party. This is especially useful when applications that act on behalf of end-users send requests to Knox. While this feature does establish an authenticated trust relationship with the client application, it does not determine the end-user identity through this authentication. It will continue to look for credentials or tokens that represent the end-user within the request and authenticate or federate the identity accordingly.
To configure your Knox Gateway for 2-way SSL authentication, you must first configure the trust related elements within gateway-site.xml file. The table below lists the different elements that you can configure related to 2-way mutual authentication.Use following cURL command to request a directory listing from HDFS while passing in the expected header SM_USER, note that the example is specific to sandbox:
Table 2.22. gateway-site.xml Configuration Elements
Name | Description | Possible Values | Default Value |
---|---|---|---|
gateway.client.auth.needed | Flag used to specify whether authentication is required for client communications to the server. | TRUE/FALSE | FALSE |
gateway.truststore.path | The fully-qualified path to the truststore that will be used. | gateway.jks | |
gateway.truststore.type | The type of keystore used for the truststore. | JKS | |
gateway.trust.allcerts | Flag used to specify whether certificates passed by the client should be automatically trusted. | TRUE/FALSE | FALSE |
Once you have configured the gateway-site.xml
file, all
topologies deployed within the Knox gateway with mutual authentication enabled will
require all incoming connections to present trusted client certificates during the SSL
handshake process; otherwise, the server will be refuse the connection request.