Configuration of mutual TLS authentication

Edge Flow Manager (EFM) supports mutual TLS (mTLS) authentication in which the client provides the EFM server with a client certificate as part of the TLS handshake, and the client certificate provides the identity of the client. Learn about the properties that you need to set for configuring mTLS.

EFM requires using mTLS for MiNiFi agent authentication as described in Agent authentication, and optionally offers using this form of authentication for end users as well. For example, web browsers support loading client certificates that can be passed to a web server when using a web application.

For service accounts, such as those that programatically interact with the EFM RESTful API for automation or monitoring purpose, mutual TLS authentication must be used, and can be enabled in addition to another mechanism such as one of the SSO login options.

Before configuring mTLS authentication, EFM should already be configured to use TLS. For more information on enabling TLS in EFM, see TLS configuration for EFM.

To enable mTLS authentication in EFM, set the following property in the efm.properties file:
efm.security.user.certificate.enabled=true

Again, this can be enabled simultaneously with another method of authentication, such as OIDC or SAML SSO, in the case that RESTful API service accounts use mTLS but web users login with SSO using username and password credentials.

EFM trusts client certificates signed by a Certificate Authority (CA) or intermediate authority present in the EFM truststore. For information on generating certificates, see TLS keys and certificates. For more information about configuring the EFM truststore, see TLS configuration for EFM.

When a client authenticates using mTLS, the client certificate DN is the user identity. For example, CN=monitoring-service, OU=systems, O=cloudera. Therefore, an admin must add a user with an identity equal to the client certificate DN in order to grant this type of user access to parts of EFM. For more information on creating users and assigning policies, see Access control policies.

Here is an example of accessing the EFM RESTful API using curl when mTLS authentication is enabled:
curl  \
  --cacert /path/to/ca-trust-cert.pem \
  --cert /path/to/user-cert.pem \
  --key /path/to/user-key.pem \
  --pass password \
  https://localhost:10090/efm/api/access

# JSON response
{"identity":" CN=user, OU=systems, O=cloudera","anonymous":false,"globalPermissions":{"accessAdministration":false}}