Setting Up 2-Way SSL Authentication
Mutual authentication with SSL provides the Knox gateway with the means to establish a strong trust relationship with another party. This is especially useful when applications that act on behalf of end-users send requests to Knox.
While this feature does establish an authenticated trust relationship with the client application, it does not determine the end-user identity through this authentication. It will continue to look for credentials or tokens that represent the end-user within the request and authenticate or federate the identity accordingly.
To configure your Knox Gateway for 2-way SSL authentication, you must first configure the trust-related elements within the gateway-site.xml file. The table below lists the elements that you can configure for 2-way mutual authentication.

Use the following cURL command to request a directory listing from HDFS while passing in the expected SM_USER header; note that the example is specific to the sandbox:

Name | Description | Possible Values | Default Value |
---|---|---|---|
gateway.client.auth.needed | Flag used to specify whether authentication is required for client communications to the server. | TRUE/FALSE | FALSE |
gateway.truststore.path | The fully-qualified path to the truststore that will be used. | gateway.jks | |
gateway.truststore.type | The type of keystore used for the truststore. | JKS | |
gateway.trust.allcerts | Flag used to specify whether certificates passed by the client should be automatically trusted. | TRUE/FALSE | FALSE |
ssl.include.ciphers | A comma-separated list of ciphers to accept for SSL. | See "JSSE Provider docs > The SunJSSE Provider > Cipher Suites" for possible ciphers. These can also contain regular expressions as shown in the Jetty documentation. | |
ssl.exclude.ciphers | A comma-separated list of ciphers to reject for SSL. | See "JSSE Provider docs > The SunJSSE Provider > Cipher Suites" for possible ciphers. These can also contain regular expressions as shown in the Jetty documentation. | |

Once you have configured the gateway-site.xml file, all topologies deployed within the Knox gateway with mutual authentication enabled will require all incoming connections to present trusted client certificates during the SSL handshake; otherwise, the server will refuse the connection.
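The following script is an added example, not part of the Knox documentation or the Knox project. It parses a gateway-site.xml in the usual Hadoop-style <configuration>/<property> layout and flags the settings from the table above that weaken mutual authentication: client authentication left off, gateway.trust.allcerts set to true (which accepts any client certificate and so defeats the trust relationship the feature is meant to establish), and cipher suites in ssl.include.ciphers that a reviewer would not want accepted. Both sample files are constructed here; the truststore path is a placeholder, and the list of weak-cipher markers is an assumption of this script, not something the Knox documentation defines.

```python
"""Audit a Knox gateway-site.xml for the 2-way SSL settings in the table above.

Added example; the sample configurations below are constructed for this script.
"""
import xml.etree.ElementTree as ET

# Constructed sample: mutual auth is effectively off (client auth not required,
# every presented certificate trusted, an RC4/MD5 suite explicitly included).
WEAK_GATEWAY_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>gateway.client.auth.needed</name><value>false</value></property>
  <property><name>gateway.trust.allcerts</name><value>true</value></property>
  <property><name>ssl.include.ciphers</name>
    <value>TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5</value></property>
</configuration>
"""

# Constructed sample: client certificates required, validated against a
# dedicated truststore, weak suites excluded by regular expression.
HARDENED_GATEWAY_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>gateway.client.auth.needed</name><value>true</value></property>
  <property><name>gateway.trust.allcerts</name><value>false</value></property>
  <property><name>gateway.truststore.path</name>
    <value>/PLACEHOLDER/path/to/gateway.jks</value></property>
  <property><name>gateway.truststore.type</name><value>JKS</value></property>
  <property><name>ssl.include.ciphers</name>
    <value>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</value></property>
  <property><name>ssl.exclude.ciphers</name><value>.*_RC4_.*,.*_NULL_.*,.*_MD5</value></property>
</configuration>
"""

# Substrings that identify suites this audit treats as unacceptable (assumption
# of this script; the include/exclude values may also be regular expressions,
# and the substring check still catches a literal suite name inside one).
WEAK_CIPHER_MARKERS = ("_RC4_", "_DES_", "_NULL_", "_anon_", "_MD5")


def parse_properties(xml_text):
    """Return {name: value} for every <property> in a Hadoop-style config file."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.findall("property"):
        name = prop.findtext("name")
        value = prop.findtext("value", default="")
        if name:
            props[name.strip()] = value.strip()
    return props


def audit_gateway_site(xml_text):
    """Return a list of findings; an empty list means the mutual-auth settings look sane."""
    props = parse_properties(xml_text)
    findings = []

    # Defaults follow the table: both flags default to FALSE when absent.
    if props.get("gateway.client.auth.needed", "false").lower() != "true":
        findings.append("gateway.client.auth.needed is not true: clients are never asked "
                        "for a certificate, so no mutual authentication takes place")
    if props.get("gateway.trust.allcerts", "false").lower() == "true":
        findings.append("gateway.trust.allcerts is true: any client certificate is accepted, "
                        "which removes the trust relationship 2-way SSL is meant to provide")

    # Each comma-separated entry of ssl.include.ciphers is checked for weak markers.
    included = [c.strip() for c in props.get("ssl.include.ciphers", "").split(",") if c.strip()]
    for suite in included:
        if any(marker in suite for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"ssl.include.ciphers accepts weak suite: {suite}")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_GATEWAY_SITE), ("hardened", HARDENED_GATEWAY_SITE)):
        print(f"== {label} ==")
        for finding in audit_gateway_site(text) or ["no findings"]:
            print(" -", finding)
```

Run it against a real gateway-site.xml by reading the file into a string and passing it to audit_gateway_site; the defaults used when a property is absent mirror the Default Value column of the table, so an empty file is reported as having client authentication disabled.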