Setting Up 2-Way SSL Authentication
Mutual authentication with SSL provides the Knox gateway with the means to establish a strong trust relationship with another party. This is especially useful when applications that act on behalf of end-users send requests to Knox.
While this feature does establish an authenticated trust relationship with the client application, it does not determine the end-user identity through this authentication. It will continue to look for credentials or tokens that represent the end-user within the request and authenticate or federate the identity accordingly.
| Name | Description | Possible Values | Default Value |
|---|---|---|---|
| gateway.client.auth.needed | Flag used to specify whether authentication is required for client communications to the server. | TRUE/FALSE | FALSE |
| gateway.truststore.path | The fully-qualified path to the truststore that will be used. | | gateway.jks |
| gateway.truststore.type | The type of keystore used for the truststore. | | JKS |
| gateway.trust.allcerts | Flag used to specify whether certificates passed by the client should be automatically trusted. | TRUE/FALSE | FALSE |
| ssl.include.ciphers | A comma-separated list of ciphers to accept for SSL. | See "JSSE Provider docs > The SunJSSE Provider > Cipher Suites" for possible ciphers. These can also contain regular expressions as shown in the Jetty documentation. | |
| ssl.exclude.ciphers | A comma-separated list of ciphers to reject for SSL. | See "JSSE Provider docs > The SunJSSE Provider > Cipher Suites" for possible ciphers. These can also contain regular expressions as shown in the Jetty documentation. | |
gateway-site.xml file, all topologies deployed within the Knox gateway with mutual authentication enabled will require every incoming connection to present a trusted client certificate during the SSL handshake; otherwise, the server will refuse the connection request.
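The following gateway-site.xml fragment is an added example of the properties described above, not taken from the Knox documentation; the truststore path and the cipher patterns are illustrative placeholders. It shows the settings that enable mutual authentication with a real truststore check, and the gateway.trust.allcerts setting that would bypass that check.

```xml
<configuration>
  <!-- Require every client to present a certificate during the TLS handshake. -->
  <property>
    <name>gateway.client.auth.needed</name>
    <value>true</value>
  </property>

  <!-- Truststore holding the CA (or leaf) certificates that clients must chain to.
       Path is a placeholder; use the fully-qualified path on your gateway host. -->
  <property>
    <name>gateway.truststore.path</name>
    <value>/path/to/knox/conf/security/keystores/client-truststore.jks</value>
  </property>
  <property>
    <name>gateway.truststore.type</name>
    <value>JKS</value>
  </property>

  <!-- Keep this false. Setting it to true accepts ANY client certificate without
       checking it against the truststore, which reduces mutual authentication to
       "the client has some certificate" and provides no trust relationship. -->
  <property>
    <name>gateway.trust.allcerts</name>
    <value>false</value>
  </property>

  <!-- Illustrative regular-expression exclusions for weak suites: null encryption,
       anonymous key exchange and RC4. Patterns are matched against JSSE suite names. -->
  <property>
    <name>ssl.exclude.ciphers</name>
    <value>.*NULL.*,.*anon.*,.*RC4.*</value>
  </property>
</configuration>
```

Because gateway.client.auth.needed applies to the whole gateway, every deployed topology is affected; a client whose certificate is absent or not in the truststore is rejected at the handshake, before any end-user credential or token in the request is examined.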