Return-Path: X-Original-To: apmail-ace-commits-archive@www.apache.org Delivered-To: apmail-ace-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id D3B75CF37 for ; Wed, 2 May 2012 15:41:42 +0000 (UTC) Received: (qmail 45441 invoked by uid 500); 2 May 2012 15:41:42 -0000 Delivered-To: apmail-ace-commits-archive@ace.apache.org Received: (qmail 45421 invoked by uid 500); 2 May 2012 15:41:42 -0000 Mailing-List: contact commits-help@ace.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@ace.apache.org Delivered-To: mailing list commits@ace.apache.org Received: (qmail 45413 invoked by uid 99); 2 May 2012 15:41:42 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 02 May 2012 15:41:42 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 02 May 2012 15:41:41 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id 3953B238899C for ; Wed, 2 May 2012 15:41:21 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Subject: svn commit: r815453 - in /websites/staging/ace/trunk/content: ./ dev-doc/design/using-client-certificates.html Date: Wed, 02 May 2012 15:41:21 -0000 To: commits@ace.apache.org From: buildbot@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20120502154121.3953B238899C@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: buildbot Date: Wed May 2 15:41:20 2012 New Revision: 815453 Log: Staging update by buildbot for ace Modified: websites/staging/ace/trunk/content/ (props changed) websites/staging/ace/trunk/content/dev-doc/design/using-client-certificates.html Propchange: websites/staging/ace/trunk/content/ ------------------------------------------------------------------------------ --- cms:source-revision (original) +++ cms:source-revision Wed May 2 15:41:20 2012 @@ -1 +1 @@ -1333075 +1333079 Modified: websites/staging/ace/trunk/content/dev-doc/design/using-client-certificates.html ============================================================================== --- websites/staging/ace/trunk/content/dev-doc/design/using-client-certificates.html (original) +++ websites/staging/ace/trunk/content/dev-doc/design/using-client-certificates.html Wed May 2 15:41:20 2012 @@ -153,7 +153,7 @@

Using client certificate authentication

Using two-way SSL as authentication mechanism in ACE

-

Revision 0.9, last updated: May 2nd, 2012.

+

Revision 1.0, last updated: May 2nd, 2012.

Introduction

-

One-way SSL authentication is used to let a client verify the identity of the server it is communicating with. The server itself does not verify the identity of the client. In two-way SSL authentication, a client first verifies the identity of the server after which the server identifies the client. This way, the identity of both the client and server can be established allowing a trust relation can be created.
+

One-way SSL authentication is used to let a client verify the identity of the server it is communicating with. The server itself does not verify the identity of the client. In two-way SSL authentication, a client first verifies the identity of the server after which the server identifies the client. This way, the identity of both the client and server can be established allowing a trust relation to be created.
This article describes how to configure the ACE server and the management agent(s) in such way that they use two-way SSL authentication. The remainder of this article assumes the reader has basic knowledge of the principles behind ACE, and has basic knowledge about creating and using certificates. For this article, the latest code of ACE (0.8.1-SNAPSHOT, rev.1332609) was used.

Outline

As described in detail in [1], there are multiple communication paths that can (and need) to be secured. For two-way SSL authentication, several scenarios can be identified:

@@ -198,7 +198,7 @@ The details on how to create a self-sign

Note to double check the paths to both files, as there will not be printed any error in case one of them points to an incorrect file!

-

For the ACE server, the configuration is provided by means of a property-file called platform.properties. Similar as the management agent, we should add some additional properties to it:

+

For the ACE server, the configuration is provided by means of a property-file called platform.properties. Similar to the management agent, we should add some additional properties to it:

-Dorg.osgi.service.http.port.secure=8443
 -Dorg.apache.felix.https.enable=true
 -Dorg.apache.felix.https.truststore=/path/to/truststore
@@ -209,7 +209,7 @@ The details on how to create a self-sign
-

This will not only ensure that the Jetty container inside ACE will obtain the correct keystore and truststore and start a listener on port 8443, but also mandates that all clients must provide a certificate upon connecting (as denoted by the last property). Without this, client that do not offer a client certificate will simply be accepted as well, hence resulting in only one-way SSL authentication.
+

This will not only ensure that the Jetty container inside ACE will obtain the correct keystore and truststore and start a listener on port 8443, but also mandates that all clients must provide a certificate upon connecting (as denoted by the last property). Without this, clients that do not offer a certificate will simply be accepted as well, hence resulting in only one-way SSL authentication.

In order to secure all internal communication paths as well, we need to specify some additional properties in platform.properties:

-Djavax.net.ssl.keyStore=/path/to/keystore-server
@@ -258,6 +258,8 @@ Note that in order to let allThe user should have the same name as the common name of the certificate, for example, localhost or 10.0.1.16;
 
I've enabled two-way SSL authentication, but it doesn't work!

 
There can be many reasons for this, like, can the truststore and keystore files be loaded (no warnings or errors will be printed for this!), or, is the name of the certificate matching the name of the host, or …? In general, if it doesn't work, one should enable SSL-debugging in Java by adding -Djavax.net.debug=ssl as system property. This will print lots of information about the keystore and truststore, the communication itself as well as detailed error messages. Also, the authentication parts in ACE provide lots of debugging information, logged at DEBUG level.

+
What if my target runs on a machine with a dynamic IP address? Can I still use client certificates for authentication?

+
Not directly. Java uses the common name of the certificate and assumes this to be a valid, resolvable, hostname. If not, it will fail to accept the certificate as being valid. In the near future, ACE should support this functionality.

 
 
References