[
https://issues.apache.org/jira/browse/KNOX-504?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14322033#comment-14322033
]
Larry McCay edited comment on KNOX-504 at 2/15/15 3:58 PM:
-----------------------------------------------------------
By configuring the need for client authentication in gateway.xml with
gateway.client.auth.needed, all topologies in the gateway instance will require
mutual authentication.
By only indicating that it is needed with gateway.client.auth.needed, the
{GATEWAY_HOME}/data/security/keystores/gateway.jks keystore is used. This is
the identity keystore for the server and can also be used as the truststore.
In addition, we can specify the path to a dedicated truststore via
gateway.truststore.path. If the truststore password is different from the
gateway master secret then it can be set using the knoxcli.sh create-alias
gateway-truststore-password --value {pwd} - otherwise, the master secret will
be used.
If the truststore is not a JKS type then it can be set via
gateway.truststore.type.
This feature needs to be documented in the user's guide.
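To make the defaulting rules in the comment concrete, here is a small audit helper added for this page (it is not Knox code from the ticket). It assumes the gateway configuration is in Hadoop-style `<property><name/><value/></property>` XML and that `knoxcli.sh create-alias` stores the truststore password under the alias `gateway-truststore-password`; the sample configuration and alias list are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration (assumed Hadoop-style property XML).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <property><name>gateway.client.auth.needed</name><value>true</value></property>
  <property><name>gateway.truststore.path</name><value>/etc/knox/conf/client-ca.p12</value></property>
  <property><name>gateway.truststore.type</name><value>PKCS12</value></property>
</configuration>
"""

# Defaults stated in the comment: identity keystore doubles as truststore, JKS type.
DEFAULT_TRUSTSTORE = "data/security/keystores/gateway.jks"
TRUSTSTORE_PASSWORD_ALIAS = "gateway-truststore-password"


def load_properties(xml_text):
    """Return {name: value} for every <property> element."""
    props = {}
    for prop in ET.fromstring(xml_text).findall("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def resolve_mutual_auth(xml_text, gateway_home, aliases=()):
    """Work out the effective truststore, type and password source.

    aliases: names present in the gateway credential store (constructed
    input here; on a real gateway it comes from the Knox CLI)."""
    props = load_properties(xml_text)
    if props.get("gateway.client.auth.needed", "false").lower() != "true":
        return {"mutual_auth": False}  # every topology stays one-way TLS
    dedicated = "gateway.truststore.path" in props
    path = props["gateway.truststore.path"] if dedicated else f"{gateway_home}/{DEFAULT_TRUSTSTORE}"
    ts_type = props.get("gateway.truststore.type", "JKS")
    # Password: the alias wins if created, otherwise the master secret is used.
    password = ("alias:" + TRUSTSTORE_PASSWORD_ALIAS
                if TRUSTSTORE_PASSWORD_ALIAS in aliases else "master-secret")
    warnings = []
    if not dedicated:
        warnings.append("no dedicated truststore: identity keystore gateway.jks is also the truststore")
    if dedicated and password == "master-secret":
        warnings.append("dedicated truststore opened with the master secret; if its password "
                        f"differs, create alias {TRUSTSTORE_PASSWORD_ALIAS} with knoxcli.sh")
    return {"mutual_auth": True, "truststore": path, "type": ts_type,
            "password": password, "warnings": warnings}
```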
> Enable SSL Mutual Authentication
> --------------------------------
>
> Key: KNOX-504
> URL: https://issues.apache.org/jira/browse/KNOX-504
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Reporter: Larry McCay
> Assignee: Larry McCay
> Fix For: 0.6.0
>
>
> To establish a stronger trust relationship between client and server, we need
> to allow mutual auth with SSL via client certs. This is particularly useful
> in providing additional validation for Preauthenticated SSO with HTTP
> Headers. Rather than just IP address validation, connections will only be
> accepted from clients presenting trusted certificates.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)