Configuring mutual TLS authentication
Edge Flow Manager supports mutual TLS (mTLS) authentication in which the client provides the Edge Flow Manager server with a client certificate as part of the TLS handshake, and the client certificate provides the identity of the client. Learn about the properties that you need to set for configuring mTLS.
Edge Flow Manager requires using mTLS for MiNiFi agent authentication as described in Agent authentication, and optionally offers using this form of authentication for end users as well. For example, web browsers support loading client certificates that can be passed to a web server when using a web application.
For service accounts, such as those that programmatically interact with the Edge Flow Manager RESTful API for automation or monitoring purposes, mutual TLS authentication must be used. It can be enabled in addition to another mechanism, such as one of the SSO login options.
Before configuring mTLS authentication, Edge Flow Manager should already be configured to use TLS. For more information on enabling TLS in Edge Flow Manager, see TLS configuration for Edge Flow Manager.
To enable mTLS authentication, set the following property in the efm.properties file:
efm.security.user.certificate.enabled=true
Again, this can be enabled simultaneously with another method of authentication, such as OIDC or SAML SSO, for example where RESTful API service accounts use mTLS while web users log in through SSO with username and password credentials.
Edge Flow Manager trusts client certificates signed by a Certificate Authority (CA) or intermediate authority present in the Edge Flow Manager truststore. For information on generating certificates, see TLS keys and certificates. For more information about configuring the Edge Flow Manager truststore, see TLS configuration for Edge Flow Manager.
When a client authenticates using mTLS, the client certificate DN is the user identity, for example CN=monitoring-service, OU=systems, O=cloudera. Therefore, an admin must add a user with an identity equal to the client certificate DN in order to grant this type of user access to parts of Edge Flow Manager. For more information on creating users and assigning policies, see Access control policies.
Example curl command when mTLS authentication is enabled:
curl \
--cacert /path/to/ca-trust-cert.pem \
--cert /path/to/user-cert.pem \
--key /path/to/user-key.pem \
--pass password \
https://localhost:10090/efm/api/access
# JSON response
{"identity":" CN=user, OU=systems, O=cloudera","anonymous":false,"globalPermissions":{"accessAdministration":false}}
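The following is an added example, not code from the Edge Flow Manager documentation or product. It performs the same call as the curl command above from Python's standard library (trusting the CA, presenting the client certificate and key), and then checks the point made in the DN paragraph: the identity EFM reports must equal a user an admin has registered, with anonymous reported as false. The file paths, host, port, key password and the REGISTERED_USERS set are assumptions; the sample response body is the one shown on this page, embedded as a constructed string so the check can be exercised offline.

```python
"""Added example (not from the Edge Flow Manager documentation): call
/efm/api/access with a client certificate and verify that the identity
EFM reports maps to a registered user."""
import http.client
import json
import ssl

# Assumed paths and endpoint, mirroring the curl flags on the page.
CA_CERT = "/path/to/ca-trust-cert.pem"
USER_CERT = "/path/to/user-cert.pem"
USER_KEY = "/path/to/user-key.pem"
KEY_PASSWORD = "password"
EFM_HOST, EFM_PORT = "localhost", 10090

# Identities an admin has added as EFM users (assumed list). EFM uses the
# certificate DN as the identity, so attribute order and spacing must match.
REGISTERED_USERS = {"CN=monitoring-service, OU=systems, O=cloudera"}


def build_client_context(cafile, certfile, keyfile, password=None):
    """TLS context that trusts the EFM CA and presents the client certificate
    during the handshake (the mTLS part of the connection)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.load_cert_chain(certfile, keyfile, password=password)
    return ctx


def fetch_access(ctx, host=EFM_HOST, port=EFM_PORT):
    """GET /efm/api/access; equivalent to the curl call with --cert/--key.
    Returns (HTTP status, parsed JSON body)."""
    conn = http.client.HTTPSConnection(host, port, context=ctx)
    try:
        conn.request("GET", "/efm/api/access")
        resp = conn.getresponse()
        return resp.status, parse_access(resp.read())
    finally:
        conn.close()


def parse_access(body):
    """Decode the JSON body returned by /efm/api/access."""
    return json.loads(body)


def check_identity(access_json, registered_users):
    """Return (ok, detail). Passes only if EFM authenticated the caller
    (anonymous is false) and the reported identity is a registered user.
    The comparison is exact apart from surrounding whitespace; the sample
    response on the page shows a leading space before the DN."""
    if access_json.get("anonymous", True):
        return False, "request was treated as anonymous; client cert not applied"
    identity = access_json.get("identity", "").strip()
    if identity not in registered_users:
        return False, f"identity {identity!r} has no matching EFM user"
    return True, identity


# Response body as shown on the page, embedded as a constructed sample.
SAMPLE_RESPONSE = (
    '{"identity":" CN=user, OU=systems, O=cloudera","anonymous":false,'
    '"globalPermissions":{"accessAdministration":false}}'
)


if __name__ == "__main__":
    ctx = build_client_context(CA_CERT, USER_CERT, USER_KEY, KEY_PASSWORD)
    status, body = fetch_access(ctx)
    print(status, check_identity(body, REGISTERED_USERS))
```

A failed check with anonymous true usually means the certificate was not presented or was not signed by a CA in the EFM truststore; a failed check with a non-matching identity means the DN string registered for the user differs from what EFM reports.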