Hadoop Security Guide

Setting Up 2-Way SSL Authentication

Mutual authentication with SSL provides the Knox gateway with the means to establish a strong trust relationship with another party. This is especially useful when applications that act on behalf of end-users send requests to Knox. While this feature does establish an authenticated trust relationship with the client application, it does not determine the end-user identity through this authentication. It will continue to look for credentials or tokens that represent the end-user within the request and authenticate or federate the identity accordingly.

To configure your Knox Gateway for 2-way SSL authentication, you must first configure the trust-related elements within the gateway-site.xml file. The table below lists the elements related to 2-way mutual authentication that you can configure.

Use the following cURL command to request a directory listing from HDFS while passing in the expected header SM_USER; note that the example is specific to the sandbox:

Table 2.22. gateway-site.xml Configuration Elements

Name                         | Description                                                                                            | Possible Values | Default Value
-----------------------------|--------------------------------------------------------------------------------------------------------|-----------------|--------------
gateway.client.auth.needed   | Flag used to specify whether authentication is required for client communications to the server.       | TRUE/FALSE      | FALSE
gateway.truststore.path      | The fully-qualified path to the truststore that will be used.                                          |                 | gateway.jks
gateway.truststore.type      | The type of keystore used for the truststore.                                                          |                 | JKS
gateway.trust.allcerts       | Flag used to specify whether certificates passed by the client should be automatically trusted.        | TRUE/FALSE      | FALSE


Once you have configured the gateway-site.xml file, every topology deployed within the Knox gateway with mutual authentication enabled will require all incoming connections to present a trusted client certificate during the SSL handshake; otherwise, the server will refuse the connection request.
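The following gateway-site.xml fragment is an added example, not taken from the Knox project or this guide, that sets the four elements from the table above to enable mutual authentication with a real truststore. The truststore path is an assumed location for illustration; substitute the path used by your installation. The commented-out gateway.trust.allcerts=true block shows the weak variant: with it set, the gateway accepts any certificate the client presents, so the handshake no longer establishes trust in the calling application.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>

  <!-- Require every client to present a certificate during the SSL handshake. -->
  <property>
    <name>gateway.client.auth.needed</name>
    <value>true</value>
  </property>

  <!-- Truststore holding the CA certificate(s) that issued the client
       certificates the gateway should accept. The path is an assumption for
       this example; point it at your own keystore. -->
  <property>
    <name>gateway.truststore.path</name>
    <value>/path/to/knox/data/security/keystores/gateway.jks</value>
  </property>

  <!-- Keystore format of the truststore above (JKS is the default). -->
  <property>
    <name>gateway.truststore.type</name>
    <value>JKS</value>
  </property>

  <!-- Keep this false so only certificates chaining to the truststore are
       accepted. Setting it to true (weak variant, shown disabled) makes the
       gateway trust any client certificate, which defeats mutual authentication:

       <property>
         <name>gateway.trust.allcerts</name>
         <value>true</value>
       </property>
  -->
  <property>
    <name>gateway.trust.allcerts</name>
    <value>false</value>
  </property>

</configuration>
```

After restarting the gateway, a quick check is to connect once without a client certificate and once with a certificate issued by a CA in the truststore: the first handshake should be refused and the second should reach the topology's normal credential or token handling for the end-user identity.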