ace-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From build...@apache.org
Subject svn commit: r930425 - in /websites/staging/ace/trunk/content: ./ docs/using-basic-auth.html docs/using-client-certificates.html
Date Tue, 25 Nov 2014 11:18:13 GMT
Author: buildbot
Date: Tue Nov 25 11:18:13 2014
New Revision: 930425

Log:
Staging update by buildbot for ace

Modified:
    websites/staging/ace/trunk/content/   (props changed)
    websites/staging/ace/trunk/content/docs/using-basic-auth.html
    websites/staging/ace/trunk/content/docs/using-client-certificates.html

Propchange: websites/staging/ace/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Tue Nov 25 11:18:13 2014
@@ -1 +1 @@
-1641569
+1641576

Modified: websites/staging/ace/trunk/content/docs/using-basic-auth.html
==============================================================================
--- websites/staging/ace/trunk/content/docs/using-basic-auth.html (original)
+++ websites/staging/ace/trunk/content/docs/using-basic-auth.html Tue Nov 25 11:18:13 2014
@@ -1,7 +1,7 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html lang="en">
   <head>
-    <title>ACE Authentication</title>
+    <title>ACE authentication guide</title>
     <meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
     <meta property="og:image" content="//www.apache.org/images/asf_logo.gif" />
     <link href="/css/bootstrap.min.css" rel="stylesheet" media="screen">
@@ -99,22 +99,11 @@
     </div>
     <div class="container">
       <p><a href="/"><i class='icon-home'></i> Home</a>&nbsp;&raquo&nbsp;<a
href="/docs/">Docs</a></p>
-      <h1>ACE Authentication</h1>
+      <h1>ACE authentication guide</h1>
       <div class="clear"></div>
-      <div id="content"><p>When provisioning software (partly) to targets, one
has to rely upon the trustworthiness
-of both the network and the target. Even if everything is under your control and
-governance, one cannot entirely be sure that unwanted access takes place. A first step in
-order to prevent unwanted access is <em>authentication</em>, which gives you
the ability to
-verify the identity of someone. Once the identity is known, one can apply <em>authorization</em>
-in order to determine what actions are allowed and which are not.  In this article, the
-recently added authentication layer of ACE is explained in more depth and how to configure
-authentication to your situation.</p>
-<p>More details on the design of the authentication mechanism in ACE can be found in
the
-<a href="/docs/design/authentication-design.mdtext">design documentation</a>.</p>
-<h2 id="table-of-contents">Table of contents</h2>
-<div class="toc">
+      <div id="content"><div class="toc">
 <ul>
-<li><a href="#table-of-contents">Table of contents</a></li>
+<li><a href="#introduction">Introduction</a></li>
 <li><a href="#configuring-authentication">Configuring authentication</a><ul>
 <li><a href="#remote-services">Remote services</a></li>
 <li><a href="#the-connection-factory">The connection factory</a></li>
@@ -125,6 +114,17 @@ authentication to your situation.</p>
 <li><a href="#troubleshooting">Troubleshooting</a></li>
 </ul>
 </div>
+<h2 id="introduction">Introduction</h2>
+<p>When provisioning software (partly) to targets, one has to rely upon the trustworthiness
+of both the network and the target. Even if everything is under your control and
+governance, one cannot entirely be sure that unwanted access takes place. A first step in
+order to prevent unwanted access is <em>authentication</em>, which gives you
the ability to
+verify the identity of someone. Once the identity is known, one can apply <em>authorization</em>
+in order to determine what actions are allowed and which are not.  In this article, the
+recently added authentication layer of ACE is explained in more depth and how to configure
+authentication to your situation.</p>
+<p>More details on the design of the authentication mechanism in ACE can be found in
the
+<a href="/docs/design/authentication-design.mdtext">design documentation</a>.</p>
 <h2 id="configuring-authentication">Configuring authentication</h2>
 <p>By default, ACE has no form of authentication enabled. While this is sufficient
for
 demonstration purposes, you might want to change this prior to putting ACE into

Modified: websites/staging/ace/trunk/content/docs/using-client-certificates.html
==============================================================================
--- websites/staging/ace/trunk/content/docs/using-client-certificates.html (original)
+++ websites/staging/ace/trunk/content/docs/using-client-certificates.html Tue Nov 25 11:18:13
2014
@@ -101,9 +101,7 @@
       <p><a href="/"><i class='icon-home'></i> Home</a>&nbsp;&raquo&nbsp;<a
href="/docs/">Docs</a></p>
       <h1>Using client certificate authentication</h1>
       <div class="clear"></div>
-      <div id="content"><p><em>Using two-way SSL as authentication mechanism
in ACE</em></p>
-<p>Revision 1.0, last updated: May 2nd, 2012.</p>
-<div class="toc">
+      <div id="content"><div class="toc">
 <ul>
 <li><a href="#introduction">Introduction</a></li>
 <li><a href="#outline">Outline</a></li>
@@ -112,42 +110,73 @@
 </ul>
 </li>
 <li><a href="#faq">FAQ</a></li>
-<li><a href="#references">References</a></li>
-<li><a href="#notes">Notes</a></li>
 </ul>
 </div>
 <h2 id="introduction">Introduction</h2>
-<p>One-way SSL authentication is used to let a client verify the identity of the server
it is communicating with. The server itself does not verify the identity of the client. In
two-way SSL authentication, a client first verifies the identity of the server after which
the server identifies the client. This way, the identity of both the client and server can
be established allowing a trust relation to be created.<br />
-This article describes how to configure the ACE server and the management agent(s) in such
way that they use two-way SSL authentication. The remainder of this article assumes the reader
has basic knowledge of the principles behind ACE, and has basic knowledge about creating and
using certificates. For this article, the latest code of ACE (0.8.1-SNAPSHOT, rev.1332609)
was used.</p>
+<p>One-way SSL authentication is used to let a client verify the identity of the server
it is
+communicating with. The server itself does not verify the identity of the client. In
+two-way SSL authentication, a client first verifies the identity of the server after which
+the server identifies the client. This way, the identity of both the client and server can
+be established allowing a trust relation to be created.</p>
+<p>This article describes how to configure the ACE server and the management agent(s)
in such
+way that they use two-way SSL authentication. The remainder of this article assumes the
+reader has basic knowledge of the principles behind ACE, and has basic knowledge about
+creating and using certificates. </p>
 <h2 id="outline">Outline</h2>
-<p>As described in detail in [1], there are multiple communication paths that can (and
need) to be secured. For two-way SSL authentication, several scenarios can be identified:</p>
+<p>As described in detail in the <a href="/docs/design/authentication-design.html">authentication
design
+documentation</a>, there are multiple communication
+paths that can (and need) to be secured. For two-way SSL authentication, several scenarios
+can be identified:</p>
 <ol>
-<li>only the communication between management agent and ACE server is secured by means
of two-way SSL. This implies that there is only  a trust relation between management agent
and ACE server, but the other clients that make use of the ACE server have no trust relation
(i.e., they still communicate by means of one-way SSL or might not even use SSL at all);</li>
-<li>all the communication paths for the ACE server are secured by means of two-way
SSL. This means that not only a trust relation exists between management agent and ACE server,
but also between, for example, the web-UI and the ACE server or the REST-API and the ACE server<sup
id="fnref:1"><a class="footnote-ref" href="#fn:1" rel="footnote">1</a></sup>.</li>
+<li>only the communication between management agent and ACE server is secured by means
of
+   two-way SSL. This implies that there is only a trust relation between management agent
+   and ACE server, but the other clients that make use of the ACE server have no trust
+   relation (i.e., they still communicate by means of one-way SSL or might not even use
+   SSL at all);</li>
+<li>all the communication paths for the ACE server are secured by means of two-way
SSL.
+   This means that not only a trust relation exists between management agent and ACE
+   server, but also between, for example, the web-UI and the ACE server or the REST-API
+   and the ACE server<sup id="fnref:1"><a class="footnote-ref" href="#fn:1" rel="footnote">1</a></sup>.</li>
 </ol>
-<p>In conclusion, we need to configure the trust relation between management agent
and the ACE server, and, optionally, the trust relation between ACE server and other components.</p>
+<p>In conclusion, we need to configure the trust relation between management agent
and the
+ACE server, and, optionally, the trust relation between ACE server and other components.</p>
 <h2 id="configuring-two-way-ssl-authentication">Configuring two-way SSL authentication</h2>
-<p>For two-way SSL authentication, you need two (or more) certificates. These can be
issued either by an official external certificate authority (CA), or by means of a self-signed
CA<sup id="fnref:2"><a class="footnote-ref" href="#fn:2" rel="footnote">2</a></sup>.<br
/>
-The details on how to create a self-signed CA and certificates is well documented on many
places on the Internet, and therefore goes beyond this article. Let's assume we've got the
following:</p>
+<p>For two-way SSL authentication, you need two (or more) certificates. These can be
issued
+either by an official external certificate authority (CA), or by means of a self-signed
+CA<sup id="fnref:2"><a class="footnote-ref" href="#fn:2" rel="footnote">2</a></sup>.</p>
+<p>The details on how to create a self-signed CA and certificates is well documented
on many
+places on the Internet, and therefore goes beyond this article. Let's assume we've got the
+following:</p>
 <ul>
-<li>a self-signed CA whose certificate is added to a Java keystore file, called <tt>truststore</tt>.
This file will be used as <em>truststore</em> for both the management agent and
the ACE server<sup id="fnref:3"><a class="footnote-ref" href="#fn:3" rel="footnote">3</a></sup>;</li>
-<li>a certificate (signed by our self-signed CA) for the management agent, available
in a Java keystore file, called <tt>keystore-ma</tt>;</li>
-<li>a certificate (signed by our self-signed CA) for the ACE server, available in a
Java keystore file, called <tt>keystore-server</tt>.</li>
+<li>a self-signed CA whose certificate is added to a Java keystore file, called
+  <tt>truststore</tt>. This file will be used as <em>truststore</em>
for both the management
+  agent and the ACE server<sup id="fnref:3"><a class="footnote-ref" href="#fn:3"
rel="footnote">3</a></sup>;</li>
+<li>a certificate (signed by our self-signed CA) for the management agent, available
in a
+  Java keystore file, called <tt>keystore-ma</tt>;</li>
+<li>a certificate (signed by our self-signed CA) for the ACE server, available in a
Java
+  keystore file, called <tt>keystore-server</tt>.</li>
 </ul>
-<p>For the management agent, we need to add some system properties in order to let
Java find and use the correct truststore and keystore (see also [2]):</p>
+<p>For the management agent, we need to add some system properties in order to let
Java find
+and use the correct truststore and keystore (see also the <a href="http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#Customization">JSSE
Reference Guide for JDK
+6</a>)<sup id="fnref:4"><a class="footnote-ref" href="#fn:4" rel="footnote">4</a></sup>:</p>
 <div class="codehilite"><pre><span class="o">[</span>localhost:/<span
class="o">]</span><span class="nv">$ </span>java <span class="se">\</span>
-  -Djavax.net.ssl.trustStore<span class="o">=</span>/path/to/truststore <span
class="se">\</span>
-  -Djavax.net.ssl.trustStorePassword<span class="o">=</span>secret <span class="se">\</span>
-  -Djavax.net.ssl.keyStore<span class="o">=</span>/path/to/keystore-ma <span
class="se">\</span>
-  -Djavax.net.ssl.keyStorePassword<span class="o">=</span>secret <span class="se">\</span>
-  -jar org.apache.ace.launcher-0.8.1-SNAPSHOT.jar <span class="se">\</span>
-  <span class="nv">discovery</span><span class="o">=</span>https://10.0.1.16:8443
<span class="se">\</span>
-  <span class="nv">identification</span><span class="o">=</span>MyTarget
+  -Dagent.identification.agentid<span class="o">=</span>MyTarget <span class="se">\</span>
+  -Dagent.discovery.serverurls<span class="o">=</span>https://10.0.1.16:8443
<span class="se">\</span>
+  -Dagent.connection.authtype<span class="o">=</span>CLIENTCERT <span class="se">\</span>
+  -Dagent.connection.sslProtocol<span class="o">=</span>TLS <span class="se">\</span>
+  -Dagent.connection.keyfile<span class="o">=</span>/path/to/keystore <span
class="se">\</span>
+  -Dagent.connection.keypass<span class="o">=</span>secret <span class="se">\</span>
+  -Dagent.connection.trustfile<span class="o">=</span>/path/to/truststore <span
class="se">\</span>
+  -Dagent.connection.trustpass<span class="o">=</span>secret <span class="se">\</span>
+  -jar target.jar
 </pre></div>
 
 
-<p><em>Note to double check the paths to both files, as there will not be printed
any error in case one of them points to an incorrect file!</em></p>
-<p>For the ACE server, the configuration is provided by means of a property-file called
<tt>platform.properties</tt>. Similar to the management agent, we should add some
additional properties to it:</p>
+<p><em>Note to double check the paths to both files, as there will not be printed
any error in
+case one of them points to an incorrect file!</em></p>
+<p>For the ACE server, the configuration is provided by means of a property-file called
+<tt>platform.properties</tt>. Similar to the management agent, we should add
some
+additional properties to it:</p>
 <div class="codehilite"><pre><span class="na">-Dorg.osgi.service.http.port.secure</span><span
class="o">=</span><span class="s">8443</span>
 <span class="na">-Dorg.apache.felix.https.enable</span><span class="o">=</span><span
class="s">true</span>
 <span class="na">-Dorg.apache.felix.https.truststore</span><span class="o">=</span><span
class="s">/path/to/truststore</span>
@@ -158,8 +187,13 @@ The details on how to create a self-sign
 </pre></div>
 
 
-<p>This will not only ensure that the Jetty container inside ACE will obtain the correct
keystore and truststore and start a listener on port <tt>8443</tt>, but also mandates
that all clients <strong>must</strong> provide a certificate upon connecting (as
denoted by the last property). Without this, clients that do not offer a certificate will
simply be accepted as well, hence resulting in only one-way SSL authentication.  </p>
-<p>In order to secure all internal communication paths as well, we need to specify
some additional properties in <tt>platform.properties</tt>:</p>
+<p>This will not only ensure that the Jetty container inside ACE will obtain the correct
+keystore and truststore and start a listener on port <tt>8443</tt>, but also
mandates that
+all clients <strong>must</strong> provide a certificate upon connecting (as denoted
by the last
+property). Without this, clients that do not offer a certificate will simply be accepted
+as well, hence resulting in only one-way SSL authentication.</p>
+<p>In order to secure all internal communication paths as well, we need to specify
some
+additional properties in <tt>platform.properties</tt>:</p>
 <div class="codehilite"><pre><span class="na">-Djavax.net.ssl.keyStore</span><span
class="o">=</span><span class="s">/path/to/keystore-server</span>
 <span class="na">-Djavax.net.ssl.keyStorePassword</span><span class="o">=</span><span
class="s">secret</span>
 <span class="na">-Djavax.net.ssl.trustStore</span><span class="o">=</span><span
class="s">/path/to/truststore</span>
@@ -167,8 +201,10 @@ The details on how to create a self-sign
 </pre></div>
 
 
-<p>This will ensure that all created HTTPS connections will use the mentioned keystore
and truststore.<br />
-Note that in order to let <strong>all</strong> communication to use HTTPS, you
need to modify the configuration files of ACE (as found in the <tt>conf</tt> directory)
to mention this, for example, the <tt>org.apache.ace.webui.vaadin.cfg</tt> file
would look like:</p>
+<p>This will ensure that all created HTTPS connections will use the mentioned keystore
and
+truststore.  Note that in order to let <strong>all</strong> communication to
use HTTPS, you need to
+modify the configuration files of ACE (as found in the <tt>conf</tt> directory)
to mention
+this, for example, the <tt>org.apache.ace.webui.vaadin.cfg</tt> file would look
like:</p>
 <div class="codehilite"><pre><span class="c"># The endpoint of the Vaadin
UI</span>
 <span class="na">org.apache.ace.server.servlet.endpoint</span> <span class="o">=</span>
<span class="s">/ace</span>
 <span class="c"># Vaadin UI settings</span>
@@ -182,9 +218,18 @@ Note that in order to let <strong>all</s
 </pre></div>
 
 
-<p>Alternatively, one could also provide a keystore with a <em>different</em>
certificate for securing the internal communication as well. The only thing needed is to change
the <tt>javax.net.ssl.keyStore</tt> property to let it point to another keystore
file.</p>
+<p>Alternatively, one could also provide a keystore with a <em>different</em>
certificate for
+securing the internal communication as well. The only thing needed is to change the
+<tt>javax.net.ssl.keyStore</tt> property to let it point to another keystore
file.</p>
 <h3 id="using-multiple-different-keystores">Using multiple different keystores</h3>
-<p>So far, we only used the "standard" Java functionality to secure the communication
paths with two-way SSL authentication. While this works for most use cases, one can think
of more sophisticated scenario's in which multiple trust relations between different hosts
have to be created. For example, when the OBR of ACE runs on a different host, secured with
its own certificate. In order to support this use case, we can leverage the authentication
framework of ACE by providing it configurations for all URLs that need their own keystore
and/or truststore. In our OBR example, we could supply the following configuration to the
<tt>ConnectionFactory</tt>:</p>
+<p>So far, we only used the "standard" Java functionality to secure the communication
paths
+with two-way SSL authentication. While this works for most use cases, one can think of
+more sophisticated scenario's in which multiple trust relations between different hosts
+have to be created. For example, when the OBR of ACE runs on a different host, secured
+with its own certificate. In order to support this use case, we can leverage the
+authentication framework of ACE by providing it configurations for all URLs that need
+their own keystore and/or truststore. In our OBR example, we could supply the following
+configuration to the <tt>ConnectionFactory</tt>:</p>
 <div class="codehilite"><pre><span class="na">authentication.baseURL</span>
<span class="o">=</span> <span class="s">https://10.0.1.17:8443/obr/</span>
 <span class="na">authentication.type</span> <span class="o">=</span>
<span class="s">client_cert</span>
 <span class="c"># optional: use a specific keystore for this URL</span>
@@ -196,36 +241,54 @@ Note that in order to let <strong>all</s
 </pre></div>
 
 
-<p>Different configurations can be supplied for different URLs, allowing many different
trust relations to be established.</p>
-<p>Be sure that in order to let ACE correctly map certificates to users, you need to
install the <tt>ClientCertAuthenticationProcessor</tt> as additional authentication
processor! </p>
+<p>Different configurations can be supplied for different URLs, allowing many different
trust
+relations to be established.</p>
+<p>Be sure that in order to let ACE correctly map certificates to users, you need to
install
+the <tt>ClientCertAuthenticationProcessor</tt> as additional authentication processor!
</p>
 <h2 id="faq">FAQ</h2>
 <dl>
 <dt>How should I name the certificates?</dt>
-<dd>One should use the hostname of the calling side as common name (CN) of the certificate's
distinguished name (DN), for example, <tt>CN=localhost</tt> or <tt>CN=10.0.1.16</tt>;</dd>
+<dd>One should use the hostname of the calling side as common name (CN) of the certificate's
+distinguished name (DN), for example, <tt>CN=localhost</tt> or <tt>CN=10.0.1.16</tt>;</dd>
 <dt>How should I name the users that are authenticated through certificates?</dt>
-<dd>The user should have the same name as the common name of the certificate, for example,
<tt>localhost</tt> or <tt>10.0.1.16</tt>;</dd>
+<dd>The user should have the same name as the common name of the certificate, for example,
+<tt>localhost</tt> or <tt>10.0.1.16</tt>;</dd>
 <dt>I've enabled two-way SSL authentication, but it doesn't work!</dt>
-<dd>There can be many reasons for this, like, can the truststore and keystore files
be loaded (<em>no warnings or errors will be printed for this!</em>), or, is the
name of the certificate matching the name of the host, or …? In general, if it doesn't
work, one should enable SSL-debugging in Java by adding <tt>-Djavax.net.debug=ssl</tt>
as system property. This will print <em>lots</em> of information about the keystore
and truststore, the communication itself as well as detailed error messages. Also, the authentication
parts in ACE provide lots of debugging information, logged at <tt>DEBUG</tt> level.</dd>
+<dd>There can be many reasons for this, like, can the truststore and keystore files
be
+loaded (<em>no warnings or errors will be printed for this!</em>), or, is the
name of the
+certificate matching the name of the host, or …? In general, if it doesn't work, one
+should enable SSL-debugging in Java by adding <tt>-Djavax.net.debug=ssl</tt>
as system
+property. This will print <em>lots</em> of information about the keystore and
truststore, the
+communication itself as well as detailed error messages. Also, the authentication parts in
+ACE provide lots of debugging information, logged at <tt>DEBUG</tt> level.</dd>
 <dt>What if my target runs on a machine with a dynamic IP address? Can I still use
client certificates for authentication?</dt>
-<dd>Not directly. Java uses the common name of the certificate and <em>assumes</em>
this to be a valid, resolvable, hostname. If not, it will fail to accept the certificate as
being valid. In the near future, ACE should <a href="https://issues.apache.org/jira/browse/ACE-271">support
this functionality</a>.</dd>
+<dd>Not directly. Java uses the common name of the certificate and <em>assumes</em>
this to be a
+valid, resolvable, hostname. If not, it will fail to accept the certificate as being
+valid. In the near future, ACE should <a href="https://issues.apache.org/jira/browse/ACE-271">support
this
+functionality</a>.</dd>
 </dl>
-<h2 id="references">References</h2>
-<ol>
-<li>Developer documentation on <a href="/docs/ace-authentication.html">ACE Authentication</a>;</li>
-<li><a href="http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#Customization">JSSE
Reference Guide for JDK 5.0</a>;</li>
-</ol>
-<h2 id="notes">Notes</h2>
 <div class="footnote">
 <hr />
 <ol>
 <li id="fn:1">
-<p>One can argue whether this is strictly necessary for <strong>all</strong>
internal communication paths, as we will see later on, one can configure which paths use two-way
SSL authentication and which paths do not.&#160;<a class="footnote-backref" href="#fnref:1"
rev="footnote" title="Jump back to footnote 1 in the text">&#8617;</a></p>
+<p>One can argue whether this is strictly necessary for <strong>all</strong>
internal communication
+paths, as we will see later on, one can configure which paths use two-way SSL
+authentication and which paths do not.&#160;<a class="footnote-backref" href="#fnref:1"
rev="footnote" title="Jump back to footnote 1 in the text">&#8617;</a></p>
 </li>
 <li id="fn:2">
-<p>Using a self-signed CA for two-way SSL authentication is not that much of a problem
as one needs to make the certificate of the client available to the server, and the other
way around. When both certificates are signed by the same CA, and both sides also trust this
self-signed CA, the trust relation between client and server can be established as well.&#160;<a
class="footnote-backref" href="#fnref:2" rev="footnote" title="Jump back to footnote 2 in
the text">&#8617;</a></p>
+<p>Using a self-signed CA for two-way SSL authentication is not that much of a problem
+as one needs to make the certificate of the client available to the server, and the other
+way around. When both certificates are signed by the same CA, and both sides also trust
+this self-signed CA, the trust relation between client and server can be established as
+well.&#160;<a class="footnote-backref" href="#fnref:2" rev="footnote" title="Jump
back to footnote 2 in the text">&#8617;</a></p>
 </li>
 <li id="fn:3">
-<p>Based on the certificate in the truststore, each side will be able to validate the
certificate of the other side.&#160;<a class="footnote-backref" href="#fnref:3" rev="footnote"
title="Jump back to footnote 3 in the text">&#8617;</a></p>
+<p>Based on the certificate in the truststore, each side will be able to validate the
+certificate of the other side.&#160;<a class="footnote-backref" href="#fnref:3" rev="footnote"
title="Jump back to footnote 3 in the text">&#8617;</a></p>
+</li>
+<li id="fn:4">
+<p>You probably do not want to specify the credentials using the commandline, see also
+<a href="https://issues.apache.org/jira/browse/ACE-496">ACE-496</a>.&#160;<a
class="footnote-backref" href="#fnref:4" rev="footnote" title="Jump back to footnote 4 in
the text">&#8617;</a></p>
 </li>
 </ol>
 </div></div>



Mime
View raw message