Configuring Proxy with Apache Knox

Setting Up 2-Way SSL Authentication

Mutual authentication with SSL provides the Knox gateway with the means to establish a strong trust relationship with another party. This is especially useful when applications that act on behalf of end-users send requests to Knox.

While this feature does establish an authenticated trust relationship with the client application, it does not determine the end-user identity through this authentication. It will continue to look for credentials or tokens that represent the end-user within the request and authenticate or federate the identity accordingly.

To configure your Knox Gateway for 2-way SSL authentication, you must first configure the trust-related elements in the gateway-site.xml file. The table below lists the elements related to 2-way mutual authentication.

Table 1. gateway-site.xml Configuration Elements

gateway.client.auth.needed
    Description: Flag specifying whether the gateway requires clients to present a certificate (client authentication) when connecting over SSL.
    Possible values: TRUE/FALSE
    Default: FALSE

gateway.truststore.path
    Description: The fully qualified path to the truststore used to validate client certificates. If not set, the gateway's own keystore is used.
    Default: gateway.jks

gateway.truststore.type
    Description: The type of keystore used for the truststore.
    Default: JKS

gateway.trust.allcerts
    Description: Flag specifying whether certificates presented by clients are trusted automatically, without being validated against the truststore. TRUE accepts any client certificate and so removes the trust guarantee that 2-way SSL is meant to provide; use it only for testing.
    Possible values: TRUE/FALSE
    Default: FALSE

ssl.include.ciphers
    Description: A comma-separated list of cipher suites to accept for SSL. See "JSSE Provider docs > The SunJSSE Provider > Cipher Suites" for the suite names. Entries may also be regular expressions, as shown in the Jetty documentation.
    Default: (none)

ssl.exclude.ciphers
    Description: A comma-separated list of cipher suites to reject for SSL. See "JSSE Provider docs > The SunJSSE Provider > Cipher Suites" for the suite names. Entries may also be regular expressions, as shown in the Jetty documentation.
    Default: (none)
Once you have configured the gateway-site.xml file, every topology deployed in a Knox gateway with mutual authentication enabled requires all incoming connections to present a trusted client certificate during the SSL handshake; otherwise, the server refuses the connection. Because the check happens at the gateway level, it cannot be enabled for one topology and not another.
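The following script is an added example, not code from the Knox project: it parses a Hadoop-style gateway-site.xml and audits the properties from Table 1 for the settings that silently weaken 2-way SSL (client authentication left off, gateway.trust.allcerts set to TRUE, no dedicated truststore, legacy cipher suites not excluded). The two configuration fragments, the truststore path (a placeholder, not a real Knox default) and the list of representative weak cipher suites are constructed for this illustration. The cipher check treats each ssl.exclude.ciphers entry as a regular expression matched against the whole suite name, which is how Jetty evaluates those entries.

```python
"""Audit a Knox gateway-site.xml for the 2-way SSL (mutual TLS) settings.

Added example, not Knox project code. Property names are those from Table 1;
the two configuration fragments, the truststore path and the weak-cipher-suite
list are constructed for this illustration.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample 1: mutual auth is switched on, but every client
# certificate is trusted, so the handshake proves nothing about the client.
WEAK_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <property><name>gateway.client.auth.needed</name><value>true</value></property>
  <property><name>gateway.trust.allcerts</name><value>true</value></property>
</configuration>
"""

# Constructed sample 2: what a practitioner would deploy. The truststore path
# is a placeholder; point it at the JKS that holds your client CA chain.
HARDENED_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <property><name>gateway.client.auth.needed</name><value>true</value></property>
  <property><name>gateway.truststore.path</name>
            <value>/path/to/knox/data/security/keystores/client-ca.jks</value></property>
  <property><name>gateway.truststore.type</name><value>JKS</value></property>
  <property><name>gateway.trust.allcerts</name><value>false</value></property>
  <property><name>ssl.exclude.ciphers</name>
            <value>.*NULL.*,.*RC4.*,.*MD5.*,.*DES.*,.*anon.*</value></property>
</configuration>
"""

# Representative legacy suites (JSSE names) that a hardened exclude list should cover.
WEAK_SUITES = (
    "TLS_RSA_WITH_NULL_SHA256",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
)


def parse_properties(xml_text):
    """Return {name: value} from a Hadoop-style <configuration> document."""
    props = {}
    for prop in ET.fromstring(xml_text).findall("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def is_true(props, name):
    """Knox flags are the strings true/false; anything else counts as false."""
    return props.get(name, "false").strip().lower() == "true"


def pattern_excludes(pattern, suite):
    """Jetty treats each exclude entry as a regex over the whole suite name."""
    try:
        return re.fullmatch(pattern, suite) is not None
    except re.error:
        return pattern == suite  # not a valid regex: fall back to a literal compare


def audit_mutual_tls(xml_text):
    """Return [(severity, property, message)]; an empty list means no issues found."""
    props = parse_properties(xml_text)
    findings = []
    if not is_true(props, "gateway.client.auth.needed"):
        findings.append(("high", "gateway.client.auth.needed",
                         "not true: clients are never asked for a certificate"))
    if is_true(props, "gateway.trust.allcerts"):
        findings.append(("high", "gateway.trust.allcerts",
                         "true: any client certificate is accepted, defeating mutual authentication"))
    if "gateway.truststore.path" not in props:
        findings.append(("info", "gateway.truststore.path",
                         "not set: the gateway keystore (gateway.jks) doubles as the truststore"))
    excludes = [p.strip() for p in props.get("ssl.exclude.ciphers", "").split(",") if p.strip()]
    still_enabled = [s for s in WEAK_SUITES
                     if not any(pattern_excludes(p, s) for p in excludes)]
    if still_enabled:
        findings.append(("medium", "ssl.exclude.ciphers",
                         "weak suites not excluded: " + ", ".join(still_enabled)))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_mutual_tls(cfg)
        print(f"{label}: {len(results)} finding(s)")
        for severity, prop, message in results:
            print(f"  [{severity}] {prop} {message}")
```

Run it against a real gateway-site.xml by reading the file into audit_mutual_tls; the weak sample yields three findings and the hardened sample none. The truststore finding is informational only: reusing gateway.jks works, but a separate truststore keeps the gateway's identity key apart from the list of client CAs it trusts, so rotating one does not touch the other.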