Setting Up 2-Way SSL Authentication
Mutual authentication with SSL gives the Knox gateway a means to establish a strong trust relationship with another party. This is especially useful when applications that act on behalf of end users send requests to Knox. While this feature establishes an authenticated trust relationship with the client application, it does not determine the end-user identity through that authentication: Knox continues to look for credentials or tokens representing the end user within the request and authenticates or federates the identity accordingly.
To configure your Knox Gateway for 2-way SSL authentication, you must first configure the trust-related elements in the gateway-site.xml file. The table below lists the elements related to 2-way mutual authentication that you can configure.
Table 2.24. gateway-site.xml Configuration Elements

Name | Description | Possible Values | Default Value
---|---|---|---
gateway.client.auth.needed | Flag used to specify whether authentication is required for client communications to the server. | TRUE/FALSE | FALSE
gateway.truststore.path | The fully-qualified path to the truststore that will be used. | gateway.jks | 
gateway.truststore.type | The type of keystore used for the truststore. | JKS | 
gateway.trust.allcerts | Flag used to specify whether certificates passed by the client should be automatically trusted. | TRUE/FALSE | FALSE
ssl.include.ciphers | A comma-separated list of ciphers to accept for SSL. | See the JSSE Provider docs > The SunJSSE Provider > Cipher Suites for possible ciphers. These can also contain regular expressions as shown in the Jetty documentation. | 
ssl.exclude.ciphers | A comma-separated list of ciphers to reject for SSL. | See the JSSE Provider docs > The SunJSSE Provider > Cipher Suites for possible ciphers. These can also contain regular expressions as shown in the Jetty documentation. | 
Once you have configured the gateway-site.xml file, all topologies deployed within the Knox gateway with mutual authentication enabled will require every incoming connection to present a trusted client certificate during the SSL handshake; otherwise, the server will refuse the connection request.
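The following added example (not part of the Knox documentation or the Knox project) shows a hardened gateway-site.xml fragment using the elements from the table, beside a weak variant, and a small audit function that parses such a file and reports the settings that undermine mutual authentication. The truststore path, the cipher exclusion patterns and both XML fragments are constructed for this illustration; the property names are the ones listed above.

```python
import xml.etree.ElementTree as ET

# Constructed hardened configuration: client certificates are required and are
# validated against a truststore; "trust all certificates" stays off.
# The truststore path is a placeholder, not a path from the Knox distribution.
HARDENED_CONFIG = """
<configuration>
  <property><name>gateway.client.auth.needed</name><value>true</value></property>
  <property><name>gateway.truststore.path</name><value>/path/to/gateway.jks</value></property>
  <property><name>gateway.truststore.type</name><value>JKS</value></property>
  <property><name>gateway.trust.allcerts</name><value>false</value></property>
  <!-- Jetty-style regular expressions; constructed exclusion list -->
  <property><name>ssl.exclude.ciphers</name><value>.*NULL.*,.*anon.*,.*EXPORT.*</value></property>
</configuration>
"""

# Constructed weak configuration: client auth is switched on, but every
# presented certificate is accepted, so the truststore is never consulted.
WEAK_CONFIG = """
<configuration>
  <property><name>gateway.client.auth.needed</name><value>true</value></property>
  <property><name>gateway.truststore.path</name><value>/path/to/gateway.jks</value></property>
  <property><name>gateway.truststore.type</name><value>JKS</value></property>
  <property><name>gateway.trust.allcerts</name><value>true</value></property>
</configuration>
"""


def load_properties(xml_text):
    """Parse a Hadoop-style <configuration> document into a {name: value} dict."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.findall("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip()
        if name:
            props[name] = value
    return props


def as_bool(value):
    """Knox flags are written as TRUE/FALSE; treat anything but 'true' as false."""
    return value is not None and value.strip().lower() == "true"


def audit_mutual_tls(xml_text):
    """Return a list of findings describing why mutual TLS is weak or absent.

    An empty list means the file enforces validated client certificates.
    """
    props = load_properties(xml_text)
    findings = []
    client_auth = as_bool(props.get("gateway.client.auth.needed"))
    trust_all = as_bool(props.get("gateway.trust.allcerts"))

    if not client_auth:
        findings.append("gateway.client.auth.needed is not true: "
                        "clients are not required to present a certificate")
    if trust_all:
        findings.append("gateway.trust.allcerts is true: any client certificate "
                        "is accepted without truststore validation")
    if client_auth and not trust_all and not props.get("gateway.truststore.path"):
        findings.append("gateway.truststore.path is unset: no truststore to "
                        "validate client certificates against")
    return findings


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, audit_mutual_tls(cfg) or "no findings")
```

Run the audit against the real gateway-site.xml by reading the file into a string and passing it to `audit_mutual_tls`; the checks only cover the four trust elements from the table, so cipher selection still needs a manual review against the JSSE and Jetty documentation.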