You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ace.apache.org by bu...@apache.org on 2014/11/25 12:18:13 UTC
svn commit: r930425 - in /websites/staging/ace/trunk/content: ./
docs/using-basic-auth.html docs/using-client-certificates.html
Author: buildbot
Date: Tue Nov 25 11:18:13 2014
New Revision: 930425
Log:
Staging update by buildbot for ace
Modified:
websites/staging/ace/trunk/content/ (props changed)
websites/staging/ace/trunk/content/docs/using-basic-auth.html
websites/staging/ace/trunk/content/docs/using-client-certificates.html
Propchange: websites/staging/ace/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Tue Nov 25 11:18:13 2014
@@ -1 +1 @@
-1641569
+1641576
Modified: websites/staging/ace/trunk/content/docs/using-basic-auth.html
==============================================================================
--- websites/staging/ace/trunk/content/docs/using-basic-auth.html (original)
+++ websites/staging/ace/trunk/content/docs/using-basic-auth.html Tue Nov 25 11:18:13 2014
@@ -1,7 +1,7 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en">
<head>
- <title>ACE Authentication</title>
+ <title>ACE authentication guide</title>
<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
<meta property="og:image" content="//www.apache.org/images/asf_logo.gif" />
<link href="/css/bootstrap.min.css" rel="stylesheet" media="screen">
@@ -99,22 +99,11 @@
</div>
<div class="container">
<p><a href="/"><i class='icon-home'></i> Home</a> » <a href="/docs/">Docs</a></p>
- <h1>ACE Authentication</h1>
+ <h1>ACE authentication guide</h1>
<div class="clear"></div>
- <div id="content"><p>When provisioning software (partly) to targets, one has to rely upon the trustworthiness
-of both the network and the target. Even if everything is under your control and
-governance, one cannot entirely be sure that unwanted access takes place. A first step in
-order to prevent unwanted access is <em>authentication</em>, which gives you the ability to
-verify the identity of someone. Once the identity is known, one can apply <em>authorization</em>
-in order to determine what actions are allowed and which are not. In this article, the
-recently added authentication layer of ACE is explained in more depth and how to configure
-authentication to your situation.</p>
-<p>More details on the design of the authentication mechanism in ACE can be found in the
-<a href="/docs/design/authentication-design.mdtext">design documentation</a>.</p>
-<h2 id="table-of-contents">Table of contents</h2>
-<div class="toc">
+ <div id="content"><div class="toc">
<ul>
-<li><a href="#table-of-contents">Table of contents</a></li>
+<li><a href="#introduction">Introduction</a></li>
<li><a href="#configuring-authentication">Configuring authentication</a><ul>
<li><a href="#remote-services">Remote services</a></li>
<li><a href="#the-connection-factory">The connection factory</a></li>
@@ -125,6 +114,17 @@ authentication to your situation.</p>
<li><a href="#troubleshooting">Troubleshooting</a></li>
</ul>
</div>
+<h2 id="introduction">Introduction</h2>
+<p>When provisioning software (partly) to targets, one has to rely upon the trustworthiness
+of both the network and the target. Even if everything is under your control and
+governance, one cannot entirely be sure that unwanted access takes place. A first step in
+order to prevent unwanted access is <em>authentication</em>, which gives you the ability to
+verify the identity of someone. Once the identity is known, one can apply <em>authorization</em>
+in order to determine what actions are allowed and which are not. In this article, the
+recently added authentication layer of ACE is explained in more depth and how to configure
+authentication to your situation.</p>
+<p>More details on the design of the authentication mechanism in ACE can be found in the
+<a href="/docs/design/authentication-design.mdtext">design documentation</a>.</p>
<h2 id="configuring-authentication">Configuring authentication</h2>
<p>By default, ACE has no form of authentication enabled. While this is sufficient for
demonstration purposes, you might want to change this prior to putting ACE into
Modified: websites/staging/ace/trunk/content/docs/using-client-certificates.html
==============================================================================
--- websites/staging/ace/trunk/content/docs/using-client-certificates.html (original)
+++ websites/staging/ace/trunk/content/docs/using-client-certificates.html Tue Nov 25 11:18:13 2014
@@ -101,9 +101,7 @@
<p><a href="/"><i class='icon-home'></i> Home</a> » <a href="/docs/">Docs</a></p>
<h1>Using client certificate authentication</h1>
<div class="clear"></div>
- <div id="content"><p><em>Using two-way SSL as authentication mechanism in ACE</em></p>
-<p>Revision 1.0, last updated: May 2nd, 2012.</p>
-<div class="toc">
+ <div id="content"><div class="toc">
<ul>
<li><a href="#introduction">Introduction</a></li>
<li><a href="#outline">Outline</a></li>
@@ -112,42 +110,73 @@
</ul>
</li>
<li><a href="#faq">FAQ</a></li>
-<li><a href="#references">References</a></li>
-<li><a href="#notes">Notes</a></li>
</ul>
</div>
<h2 id="introduction">Introduction</h2>
-<p>One-way SSL authentication is used to let a client verify the identity of the server it is communicating with. The server itself does not verify the identity of the client. In two-way SSL authentication, a client first verifies the identity of the server after which the server identifies the client. This way, the identity of both the client and server can be established allowing a trust relation to be created.<br />
-This article describes how to configure the ACE server and the management agent(s) in such way that they use two-way SSL authentication. The remainder of this article assumes the reader has basic knowledge of the principles behind ACE, and has basic knowledge about creating and using certificates. For this article, the latest code of ACE (0.8.1-SNAPSHOT, rev.1332609) was used.</p>
+<p>One-way SSL authentication is used to let a client verify the identity of the server it is
+communicating with. The server itself does not verify the identity of the client. In
+two-way SSL authentication, a client first verifies the identity of the server after which
+the server identifies the client. This way, the identity of both the client and server can
+be established allowing a trust relation to be created.</p>
+<p>This article describes how to configure the ACE server and the management agent(s) in such
+way that they use two-way SSL authentication. The remainder of this article assumes the
+reader has basic knowledge of the principles behind ACE, and has basic knowledge about
+creating and using certificates. </p>
<h2 id="outline">Outline</h2>
-<p>As described in detail in [1], there are multiple communication paths that can (and need) to be secured. For two-way SSL authentication, several scenarios can be identified:</p>
+<p>As described in detail in the <a href="/docs/design/authentication-design.html">authentication design
+documentation</a>, there are multiple communication
+paths that can (and need) to be secured. For two-way SSL authentication, several scenarios
+can be identified:</p>
<ol>
-<li>only the communication between management agent and ACE server is secured by means of two-way SSL. This implies that there is only a trust relation between management agent and ACE server, but the other clients that make use of the ACE server have no trust relation (i.e., they still communicate by means of one-way SSL or might not even use SSL at all);</li>
-<li>all the communication paths for the ACE server are secured by means of two-way SSL. This means that not only a trust relation exists between management agent and ACE server, but also between, for example, the web-UI and the ACE server or the REST-API and the ACE server<sup id="fnref:1"><a class="footnote-ref" href="#fn:1" rel="footnote">1</a></sup>.</li>
+<li>only the communication between management agent and ACE server is secured by means of
+ two-way SSL. This implies that there is only a trust relation between management agent
+ and ACE server, but the other clients that make use of the ACE server have no trust
+ relation (i.e., they still communicate by means of one-way SSL or might not even use
+ SSL at all);</li>
+<li>all the communication paths for the ACE server are secured by means of two-way SSL.
+ This means that not only a trust relation exists between management agent and ACE
+ server, but also between, for example, the web-UI and the ACE server or the REST-API
+ and the ACE server<sup id="fnref:1"><a class="footnote-ref" href="#fn:1" rel="footnote">1</a></sup>.</li>
</ol>
-<p>In conclusion, we need to configure the trust relation between management agent and the ACE server, and, optionally, the trust relation between ACE server and other components.</p>
+<p>In conclusion, we need to configure the trust relation between management agent and the
+ACE server, and, optionally, the trust relation between ACE server and other components.</p>
<h2 id="configuring-two-way-ssl-authentication">Configuring two-way SSL authentication</h2>
-<p>For two-way SSL authentication, you need two (or more) certificates. These can be issued either by an official external certificate authority (CA), or by means of a self-signed CA<sup id="fnref:2"><a class="footnote-ref" href="#fn:2" rel="footnote">2</a></sup>.<br />
-The details on how to create a self-signed CA and certificates is well documented on many places on the Internet, and therefore goes beyond this article. Let's assume we've got the following:</p>
+<p>For two-way SSL authentication, you need two (or more) certificates. These can be issued
+either by an official external certificate authority (CA), or by means of a self-signed
+CA<sup id="fnref:2"><a class="footnote-ref" href="#fn:2" rel="footnote">2</a></sup>.</p>
+<p>The details on how to create a self-signed CA and certificates is well documented on many
+places on the Internet, and therefore goes beyond this article. Let's assume we've got the
+following:</p>
<ul>
-<li>a self-signed CA whose certificate is added to a Java keystore file, called <tt>truststore</tt>. This file will be used as <em>truststore</em> for both the management agent and the ACE server<sup id="fnref:3"><a class="footnote-ref" href="#fn:3" rel="footnote">3</a></sup>;</li>
-<li>a certificate (signed by our self-signed CA) for the management agent, available in a Java keystore file, called <tt>keystore-ma</tt>;</li>
-<li>a certificate (signed by our self-signed CA) for the ACE server, available in a Java keystore file, called <tt>keystore-server</tt>.</li>
+<li>a self-signed CA whose certificate is added to a Java keystore file, called
+ <tt>truststore</tt>. This file will be used as <em>truststore</em> for both the management
+ agent and the ACE server<sup id="fnref:3"><a class="footnote-ref" href="#fn:3" rel="footnote">3</a></sup>;</li>
+<li>a certificate (signed by our self-signed CA) for the management agent, available in a
+ Java keystore file, called <tt>keystore-ma</tt>;</li>
+<li>a certificate (signed by our self-signed CA) for the ACE server, available in a Java
+ keystore file, called <tt>keystore-server</tt>.</li>
</ul>
-<p>For the management agent, we need to add some system properties in order to let Java find and use the correct truststore and keystore (see also [2]):</p>
+<p>For the management agent, we need to add some system properties in order to let Java find
+and use the correct truststore and keystore (see also the <a href="http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#Customization">JSSE Reference Guide for JDK
+6</a>)<sup id="fnref:4"><a class="footnote-ref" href="#fn:4" rel="footnote">4</a></sup>:</p>
<div class="codehilite"><pre><span class="o">[</span>localhost:/<span class="o">]</span><span class="nv">$ </span>java <span class="se">\</span>
- -Djavax.net.ssl.trustStore<span class="o">=</span>/path/to/truststore <span class="se">\</span>
- -Djavax.net.ssl.trustStorePassword<span class="o">=</span>secret <span class="se">\</span>
- -Djavax.net.ssl.keyStore<span class="o">=</span>/path/to/keystore-ma <span class="se">\</span>
- -Djavax.net.ssl.keyStorePassword<span class="o">=</span>secret <span class="se">\</span>
- -jar org.apache.ace.launcher-0.8.1-SNAPSHOT.jar <span class="se">\</span>
- <span class="nv">discovery</span><span class="o">=</span>https://10.0.1.16:8443 <span class="se">\</span>
- <span class="nv">identification</span><span class="o">=</span>MyTarget
+ -Dagent.identification.agentid<span class="o">=</span>MyTarget <span class="se">\</span>
+ -Dagent.discovery.serverurls<span class="o">=</span>https://10.0.1.16:8443 <span class="se">\</span>
+ -Dagent.connection.authtype<span class="o">=</span>CLIENTCERT <span class="se">\</span>
+ -Dagent.connection.sslProtocol<span class="o">=</span>TLS <span class="se">\</span>
+ -Dagent.connection.keyfile<span class="o">=</span>/path/to/keystore <span class="se">\</span>
+ -Dagent.connection.keypass<span class="o">=</span>secret <span class="se">\</span>
+ -Dagent.connection.trustfile<span class="o">=</span>/path/to/truststore <span class="se">\</span>
+ -Dagent.connection.trustpass<span class="o">=</span>secret <span class="se">\</span>
+ -jar target.jar
</pre></div>
-<p><em>Note to double check the paths to both files, as there will not be printed any error in case one of them points to an incorrect file!</em></p>
-<p>For the ACE server, the configuration is provided by means of a property-file called <tt>platform.properties</tt>. Similar to the management agent, we should add some additional properties to it:</p>
+<p><em>Note to double check the paths to both files, as there will not be printed any error in
+case one of them points to an incorrect file!</em></p>
+<p>For the ACE server, the configuration is provided by means of a property-file called
+<tt>platform.properties</tt>. Similar to the management agent, we should add some
+additional properties to it:</p>
<div class="codehilite"><pre><span class="na">-Dorg.osgi.service.http.port.secure</span><span class="o">=</span><span class="s">8443</span>
<span class="na">-Dorg.apache.felix.https.enable</span><span class="o">=</span><span class="s">true</span>
<span class="na">-Dorg.apache.felix.https.truststore</span><span class="o">=</span><span class="s">/path/to/truststore</span>
@@ -158,8 +187,13 @@ The details on how to create a self-sign
</pre></div>
-<p>This will not only ensure that the Jetty container inside ACE will obtain the correct keystore and truststore and start a listener on port <tt>8443</tt>, but also mandates that all clients <strong>must</strong> provide a certificate upon connecting (as denoted by the last property). Without this, clients that do not offer a certificate will simply be accepted as well, hence resulting in only one-way SSL authentication. </p>
-<p>In order to secure all internal communication paths as well, we need to specify some additional properties in <tt>platform.properties</tt>:</p>
+<p>This will not only ensure that the Jetty container inside ACE will obtain the correct
+keystore and truststore and start a listener on port <tt>8443</tt>, but also mandates that
+all clients <strong>must</strong> provide a certificate upon connecting (as denoted by the last
+property). Without this, clients that do not offer a certificate will simply be accepted
+as well, hence resulting in only one-way SSL authentication.</p>
+<p>In order to secure all internal communication paths as well, we need to specify some
+additional properties in <tt>platform.properties</tt>:</p>
<div class="codehilite"><pre><span class="na">-Djavax.net.ssl.keyStore</span><span class="o">=</span><span class="s">/path/to/keystore-server</span>
<span class="na">-Djavax.net.ssl.keyStorePassword</span><span class="o">=</span><span class="s">secret</span>
<span class="na">-Djavax.net.ssl.trustStore</span><span class="o">=</span><span class="s">/path/to/truststore</span>
@@ -167,8 +201,10 @@ The details on how to create a self-sign
</pre></div>
-<p>This will ensure that all created HTTPS connections will use the mentioned keystore and truststore.<br />
-Note that in order to let <strong>all</strong> communication to use HTTPS, you need to modify the configuration files of ACE (as found in the <tt>conf</tt> directory) to mention this, for example, the <tt>org.apache.ace.webui.vaadin.cfg</tt> file would look like:</p>
+<p>This will ensure that all created HTTPS connections will use the mentioned keystore and
+truststore. Note that in order to let <strong>all</strong> communication to use HTTPS, you need to
+modify the configuration files of ACE (as found in the <tt>conf</tt> directory) to mention
+this, for example, the <tt>org.apache.ace.webui.vaadin.cfg</tt> file would look like:</p>
<div class="codehilite"><pre><span class="c"># The endpoint of the Vaadin UI</span>
<span class="na">org.apache.ace.server.servlet.endpoint</span> <span class="o">=</span> <span class="s">/ace</span>
<span class="c"># Vaadin UI settings</span>
@@ -182,9 +218,18 @@ Note that in order to let <strong>all</s
</pre></div>
-<p>Alternatively, one could also provide a keystore with a <em>different</em> certificate for securing the internal communication as well. The only thing needed is to change the <tt>javax.net.ssl.keyStore</tt> property to let it point to another keystore file.</p>
+<p>Alternatively, one could also provide a keystore with a <em>different</em> certificate for
+securing the internal communication as well. The only thing needed is to change the
+<tt>javax.net.ssl.keyStore</tt> property to let it point to another keystore file.</p>
<h3 id="using-multiple-different-keystores">Using multiple different keystores</h3>
-<p>So far, we only used the "standard" Java functionality to secure the communication paths with two-way SSL authentication. While this works for most use cases, one can think of more sophisticated scenario's in which multiple trust relations between different hosts have to be created. For example, when the OBR of ACE runs on a different host, secured with its own certificate. In order to support this use case, we can leverage the authentication framework of ACE by providing it configurations for all URLs that need their own keystore and/or truststore. In our OBR example, we could supply the following configuration to the <tt>ConnectionFactory</tt>:</p>
+<p>So far, we only used the "standard" Java functionality to secure the communication paths
+with two-way SSL authentication. While this works for most use cases, one can think of
+more sophisticated scenario's in which multiple trust relations between different hosts
+have to be created. For example, when the OBR of ACE runs on a different host, secured
+with its own certificate. In order to support this use case, we can leverage the
+authentication framework of ACE by providing it configurations for all URLs that need
+their own keystore and/or truststore. In our OBR example, we could supply the following
+configuration to the <tt>ConnectionFactory</tt>:</p>
<div class="codehilite"><pre><span class="na">authentication.baseURL</span> <span class="o">=</span> <span class="s">https://10.0.1.17:8443/obr/</span>
<span class="na">authentication.type</span> <span class="o">=</span> <span class="s">client_cert</span>
<span class="c"># optional: use a specific keystore for this URL</span>
@@ -196,36 +241,54 @@ Note that in order to let <strong>all</s
</pre></div>
-<p>Different configurations can be supplied for different URLs, allowing many different trust relations to be established.</p>
-<p>Be sure that in order to let ACE correctly map certificates to users, you need to install the <tt>ClientCertAuthenticationProcessor</tt> as additional authentication processor! </p>
+<p>Different configurations can be supplied for different URLs, allowing many different trust
+relations to be established.</p>
+<p>Be sure that in order to let ACE correctly map certificates to users, you need to install
+the <tt>ClientCertAuthenticationProcessor</tt> as additional authentication processor! </p>
<h2 id="faq">FAQ</h2>
<dl>
<dt>How should I name the certificates?</dt>
-<dd>One should use the hostname of the calling side as common name (CN) of the certificate's distinguished name (DN), for example, <tt>CN=localhost</tt> or <tt>CN=10.0.1.16</tt>;</dd>
+<dd>One should use the hostname of the calling side as common name (CN) of the certificate's
+distinguished name (DN), for example, <tt>CN=localhost</tt> or <tt>CN=10.0.1.16</tt>;</dd>
<dt>How should I name the users that are authenticated through certificates?</dt>
-<dd>The user should have the same name as the common name of the certificate, for example, <tt>localhost</tt> or <tt>10.0.1.16</tt>;</dd>
+<dd>The user should have the same name as the common name of the certificate, for example,
+<tt>localhost</tt> or <tt>10.0.1.16</tt>;</dd>
<dt>I've enabled two-way SSL authentication, but it doesn't work!</dt>
-<dd>There can be many reasons for this, like, can the truststore and keystore files be loaded (<em>no warnings or errors will be printed for this!</em>), or, is the name of the certificate matching the name of the host, or � In general, if it doesn't work, one should enable SSL-debugging in Java by adding <tt>-Djavax.net.debug=ssl</tt> as system property. This will print <em>lots</em> of information about the keystore and truststore, the communication itself as well as detailed error messages. Also, the authentication parts in ACE provide lots of debugging information, logged at <tt>DEBUG</tt> level.</dd>
+<dd>There can be many reasons for this, like, can the truststore and keystore files be
+loaded (<em>no warnings or errors will be printed for this!</em>), or, is the name of the
+certificate matching the name of the host, or � In general, if it doesn't work, one
+should enable SSL-debugging in Java by adding <tt>-Djavax.net.debug=ssl</tt> as system
+property. This will print <em>lots</em> of information about the keystore and truststore, the
+communication itself as well as detailed error messages. Also, the authentication parts in
+ACE provide lots of debugging information, logged at <tt>DEBUG</tt> level.</dd>
<dt>What if my target runs on a machine with a dynamic IP address? Can I still use client certificates for authentication?</dt>
-<dd>Not directly. Java uses the common name of the certificate and <em>assumes</em> this to be a valid, resolvable, hostname. If not, it will fail to accept the certificate as being valid. In the near future, ACE should <a href="https://issues.apache.org/jira/browse/ACE-271">support this functionality</a>.</dd>
+<dd>Not directly. Java uses the common name of the certificate and <em>assumes</em> this to be a
+valid, resolvable, hostname. If not, it will fail to accept the certificate as being
+valid. In the near future, ACE should <a href="https://issues.apache.org/jira/browse/ACE-271">support this
+functionality</a>.</dd>
</dl>
-<h2 id="references">References</h2>
-<ol>
-<li>Developer documentation on <a href="/docs/ace-authentication.html">ACE Authentication</a>;</li>
-<li><a href="http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#Customization">JSSE Reference Guide for JDK 5.0</a>;</li>
-</ol>
-<h2 id="notes">Notes</h2>
<div class="footnote">
<hr />
<ol>
<li id="fn:1">
-<p>One can argue whether this is strictly necessary for <strong>all</strong> internal communication paths, as we will see later on, one can configure which paths use two-way SSL authentication and which paths do not. <a class="footnote-backref" href="#fnref:1" rev="footnote" title="Jump back to footnote 1 in the text">↩</a></p>
+<p>One can argue whether this is strictly necessary for <strong>all</strong> internal communication
+paths, as we will see later on, one can configure which paths use two-way SSL
+authentication and which paths do not. <a class="footnote-backref" href="#fnref:1" rev="footnote" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:2">
-<p>Using a self-signed CA for two-way SSL authentication is not that much of a problem as one needs to make the certificate of the client available to the server, and the other way around. When both certificates are signed by the same CA, and both sides also trust this self-signed CA, the trust relation between client and server can be established as well. <a class="footnote-backref" href="#fnref:2" rev="footnote" title="Jump back to footnote 2 in the text">↩</a></p>
+<p>Using a self-signed CA for two-way SSL authentication is not that much of a problem
+as one needs to make the certificate of the client available to the server, and the other
+way around. When both certificates are signed by the same CA, and both sides also trust
+this self-signed CA, the trust relation between client and server can be established as
+well. <a class="footnote-backref" href="#fnref:2" rev="footnote" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
<li id="fn:3">
-<p>Based on the certificate in the truststore, each side will be able to validate the certificate of the other side. <a class="footnote-backref" href="#fnref:3" rev="footnote" title="Jump back to footnote 3 in the text">↩</a></p>
+<p>Based on the certificate in the truststore, each side will be able to validate the
+certificate of the other side. <a class="footnote-backref" href="#fnref:3" rev="footnote" title="Jump back to footnote 3 in the text">↩</a></p>
+</li>
+<li id="fn:4">
+<p>You probably do not want to specify the credentials using the commandline, see also
+<a href="https://issues.apache.org/jira/browse/ACE-496">ACE-496</a>. <a class="footnote-backref" href="#fnref:4" rev="footnote" title="Jump back to footnote 4 in the text">↩</a></p>
</li>
</ol>
</div></div>