Posted to user@geode.apache.org by aashish choudhary <aa...@gmail.com> on 2018/12/20 18:35:09 UTC

Geode two way ssl

We wanted to implement two way ssl with geode and needed some understanding
on ssl property ssl-require-authentication. As per docs:
*ssl-require-authentication* Requires two-way authentication, applies to all
components except web. Boolean - if true (the default), two-way
authentication is required.
So if we set this as true, will it only verify the trust chain, or will some
public key stuff for both client and server get verified in this
authentication?


Thanks,
Ashish

Re: Geode two way ssl

Posted by Sai Boorlagadda <sa...@gmail.com>.
Hello Aashish,

First I want to rephrase this sentence "causes clients to validate server
hostname using server certificate" as "causes *TCP* *clients* to validate
the *TCP* *server* hostname using the server certificate". By TCP client I
mean the client of a TCP connection.

For example, a TCP client can be
- An APP (using GEODE client APIs) initiating a connection to a GEODE
server.
- A Cache Server initiating a connection to another Cache Server or Locator.

Whereas the parameter "ssl-require-authentication" is generally
applicable on cluster nodes, because setting this parameter lets TCP
servers (for app-initiated connections) also validate the TCP client's
certificate (the application certificate). So to achieve mutual authentication
one has to enable this parameter on the cluster nodes, so that any node
within the cluster can validate the application's KEY.

In my opinion hostname validation is only applicable for TCP clients when
validating a TCP server's certificate during the SSL handshake.

> Also what we are observing is that Geode is only using the signing authority of
> the certificate as the credential: if both client and server trust the same CA, then the
> connection is established. I don't think there is any auth happening here.
> We are just encrypting data and establishing trust between client and
> server.


When a KEY is validated, the validation has to cover the full chain up to
the root CA. So if you have used a single CA to sign both the client and server
certificates, then this CA has to be trusted in order for the KEY to be
validated. Are you saying using two different CAs did not work?

Sai

On Wed, Mar 27, 2019 at 7:00 PM aashish choudhary <
aashish.choudhary1@gmail.com> wrote:

> Thanks Anthony. If this property is just used for components like
> server, locator, etc., then how will this affect client-server mutual
> authentication?
>
> Also, what we are observing is that Geode is only using the signing authority
> of the certificate as the credential: if both client and server trust the same CA, then the
> connection is established. I don't think there is any auth happening here.
> We are just encrypting data and establishing trust between client and
> server.
>
> Please correct me if I am wrong.
>
> With best regards,
> Ashish
>
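The two settings Sai and Udo describe map onto standard JSSE switches. What follows is an added example written for this thread; it is not Geode code and not code from anyone in the discussion. It shows a minimal server/client pair in which requireClientAuth plays the role of ssl-require-authentication (SSLServerSocket.setNeedClientAuth) and endpointIdentification plays the role of ssl-endpoint-identification-enabled (the "HTTPS" endpoint identification algorithm), and it adds the post-handshake subject check that a CA-signed certificate alone does not give you, which is the substance of Ashish's remark that only the signing authority is being used as a credential. The file names server.jks, client.jks and truststore.jks, the password, the host name geode-server.example.com, the port 40404 and the allow-listed subject CN=app-client are all assumptions; the stores are expected to have been prepared beforehand with keytool, with both leaf certificates issued by the single CA held in truststore.jks.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/*
 * Added example, not Geode code. Assumed (hypothetical) inputs:
 *   server.jks, client.jks : key pair + certificate chain, each issued by the same CA
 *   truststore.jks         : only that CA certificate
 *   password "changeit" for all three stores
 */
public class MutualTlsDemo {
    private static final char[] PW = "changeit".toCharArray();

    // Identity comes from the key store, accepted issuers from the trust store.
    static SSLContext context(String keyStorePath, String trustStorePath) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keyStorePath)) {
            ks.load(in, PW);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, PW);

        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, PW);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // requireClientAuth plays the role of ssl-require-authentication.
    static SSLServerSocket listen(int port, boolean requireClientAuth) throws Exception {
        SSLServerSocket ss = (SSLServerSocket) context("server.jks", "truststore.jks")
                .getServerSocketFactory().createServerSocket(port);
        // true : the handshake fails unless the client presents a certificate that
        //        chains to a CA in truststore.jks (two-way TLS).
        // false: only the client authenticates the server (one-way TLS).
        ss.setNeedClientAuth(requireClientAuth);
        return ss;
    }

    // Accept one connection and return the authenticated client's subject DN.
    static String acceptOne(SSLServerSocket ss, Set<String> allowedClientSubjects) throws Exception {
        try (SSLSocket s = (SSLSocket) ss.accept()) {
            s.startHandshake();
            // Chain validation only proves "issued by a trusted CA": every subject that
            // CA ever signed passes. Telling peers apart is an extra application check
            // (this allow-list); the TLS layer does not do it for you.
            X509Certificate leaf = (X509Certificate) s.getSession().getPeerCertificates()[0];
            String subject = leaf.getSubjectX500Principal().getName();
            if (!allowedClientSubjects.contains(subject)) {
                throw new SSLPeerUnverifiedException("client not on allow-list: " + subject);
            }
            return subject;
        }
    }

    // endpointIdentification plays the role of ssl-endpoint-identification-enabled.
    static String connect(String host, int port, boolean endpointIdentification) throws Exception {
        try (SSLSocket s = (SSLSocket) context("client.jks", "truststore.jks")
                .getSocketFactory().createSocket(host, port)) {
            SSLParameters p = s.getSSLParameters();
            // "HTTPS" applies the RFC 2818 rules: the server certificate's SAN (or CN)
            // must match host. With null, any valid chain is accepted for any name, so a
            // certificate issued by the same CA for some other host would be accepted too.
            p.setEndpointIdentificationAlgorithm(endpointIdentification ? "HTTPS" : null);
            s.setSSLParameters(p);
            s.startHandshake();
            X509Certificate leaf = (X509Certificate) s.getSession().getPeerCertificates()[0];
            return leaf.getSubjectX500Principal().getName();
        }
    }

    public static void main(String[] args) throws Exception {
        int port = 40404;
        SSLServerSocket ss = listen(port, true);
        Thread server = new Thread(() -> {
            try {
                System.out.println("server accepted " + acceptOne(ss, Set.of("CN=app-client")));
            } catch (Exception e) {
                System.err.println("server rejected connection: " + e);
            }
        });
        server.start();
        try {
            System.out.println("client saw server " + connect("geode-server.example.com", port, true));
        } finally {
            server.join();
            ss.close();
        }
    }
}
```

Run as written, main starts the server in a thread and connects to it from the same JVM. With requireClientAuth set to true, a client.jks whose certificate was issued by a CA that is not in truststore.jks fails startHandshake() on the server side; with endpointIdentification set to true, a server certificate whose SAN (or CN) does not contain geode-server.example.com fails on the client side. The allow-list in acceptOne is an application-level check layered on top of TLS: chain validation alone, as the thread discusses, accepts any certificate the trusted CA has issued, which is why Sai asks about using separate CAs when peers need to be distinguished at the TLS layer.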

Re: Geode two way ssl

Posted by aashish choudhary <aa...@gmail.com>.
Thanks Anthony. If this property is just used for components like
server, locator, etc., then how will this affect client-server mutual
authentication?

Also, what we are observing is that Geode is only using the signing authority of
the certificate as the credential: if both client and server trust the same CA, then the
connection is established. I don't think there is any auth happening here.
We are just encrypting data and establishing trust between client and
server.

Please correct me if I am wrong.

With best regards,
Ashish

On Thu, Mar 28, 2019, 1:49 AM Anthony Baker <ab...@pivotal.io> wrote:

> Comments below...
>
> On Mar 27, 2019, at 12:52 PM, aashish choudhary <
> aashish.choudhary1@gmail.com> wrote:
>
> Thanks Udo, Sai.
>
> But as per documentation this property ssl-require-authentication is only
> applicable to cluster members.
>
> *ssl-require-authentication* Requires two-way authentication, applies to
> all components except web. Boolean - if true (the default), two-way
> authentication is required
>
>
> https://geode.apache.org/docs/guide/15/managing/security/implementing_ssl.html
>
>
>
> mTLS isn’t applied to the web component because that process is external
> to geode (chrome, curl, etc).  The other ssl components like server,
> locator, cluster, jmx, gateway, etc all honor this setting.
>
>
> And there is one more doubt regarding the newly introduced ssl property.
> ssl-endpoint-identification-enabled: causes clients to validate server
> hostname using server certificate
>
> Is this applicable to both client and servers for hostname verification?
>
>
> Yes, it should cause any SSL-enabled component to verify the SAN / CN.
>
>
>
> Thanks,
> Ashish
>

Re: Geode two way ssl

Posted by Anthony Baker <ab...@pivotal.io>.
Comments below...

> On Mar 27, 2019, at 12:52 PM, aashish choudhary <aa...@gmail.com> wrote:
> 
> Thanks Udo, Sai.
> 
> But as per documentation this property ssl-require-authentication is only applicable to cluster members.
> 
> ssl-require-authentication
> Requires two-way authentication, applies to all components except web. Boolean - if true (the default), two-way authentication is required
> 
> https://geode.apache.org/docs/guide/15/managing/security/implementing_ssl.html

mTLS isn’t applied to the web component because that process is external to geode (chrome, curl, etc).  The other ssl components like server, locator, cluster, jmx, gateway, etc all honor this setting.

> 
> And there is one more doubt regarding newly introduced ssl property.
> ssl-endpoint-identification-enabled: causes clients to validate server hostname using server certificate
> 
> Is this applicable to both client and servers for hostname verification?

Yes, it should cause any SSL-enabled component to verify the SAN / CN.

> 
> 
> Thanks,
> Ashish
> 


Re: Geode two way ssl

Posted by aashish choudhary <aa...@gmail.com>.
Thanks Udo, Sai.

But as per documentation this property ssl-require-authentication is only
applicable to cluster members.

*ssl-require-authentication* Requires two-way authentication, applies to all
components except web. Boolean - if true (the default), two-way
authentication is required

https://geode.apache.org/docs/guide/15/managing/security/implementing_ssl.html


And there is one more doubt regarding the newly introduced ssl property.
ssl-endpoint-identification-enabled: causes clients to validate server
hostname using server certificate

Is this applicable to both client and servers for hostname verification?


Thanks,
Ashish

On Fri, Dec 21, 2018, 11:20 PM Udo Kohlmeyer <uk...@pivotal.io> wrote:

> Ashish,
>
> As Sai has stated...
>
> In Geode:
>
>    - ssl-require-authentication=false -> Client authenticate Server SSL
>    key
>    - ssl-require-authentication=true -> Client authenticate Server SSL
>    key AND Server authenticate Client SSL key
>
> --Udo
>

Re: Geode two way ssl

Posted by Udo Kohlmeyer <uk...@pivotal.io>.
Ashish,

As Sai has stated...

In Geode:

  * ssl-require-authentication=false -> Client authenticate Server SSL key
  * ssl-require-authentication=true -> Client authenticate Server SSL
    key AND Server authenticate Client SSL key

--Udo


On 12/21/18 08:25, Sai Boorlagadda wrote:
> It is *mutual auth*. Both server and client validate each other's key.
> I should have mentioned "in addition to...."
>
> Sai
>
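To put Udo's two lines into configuration: the following is an added example, not taken from the thread or from the Geode documentation, showing the property set for a cluster member in one-way mode, the same member with ssl-require-authentication=true, and an application client that connects to it. Store paths, passwords, the host name geode-server.example.com and the port are placeholders; the member-side properties can equally be placed in gemfire.properties. Besides the two properties discussed in the thread, the example uses ssl-enabled-components and the ssl-keystore/ssl-truststore properties from the Geode SSL documentation page Ashish links.

```java
import java.util.Properties;
import org.apache.geode.cache.Cache;
import org.apache.geode.cache.CacheFactory;
import org.apache.geode.cache.client.ClientCache;
import org.apache.geode.cache.client.ClientCacheFactory;
import org.apache.geode.cache.server.CacheServer;

/*
 * Added example, not from the thread or the Geode docs. Store paths, passwords,
 * host name and port are placeholders; prepare the JKS files with keytool first.
 */
public class GeodeSslProperties {

    // ssl-require-authentication=false: the client authenticates the server only.
    // Any peer that merely trusts the cluster's CA can open a TLS connection, and
    // the member learns nothing about who that peer is at the TLS layer.
    static Properties oneWayMember() {
        Properties p = new Properties();
        p.setProperty("ssl-enabled-components", "all");
        p.setProperty("ssl-keystore", "/etc/geode/server.jks");
        p.setProperty("ssl-keystore-password", "changeit");
        p.setProperty("ssl-truststore", "/etc/geode/truststore.jks");
        p.setProperty("ssl-truststore-password", "changeit");
        p.setProperty("ssl-require-authentication", "false");
        return p;
    }

    // ssl-require-authentication=true (the default): the member also validates the
    // connecting peer's certificate chain against truststore.jks, so an application
    // must hold a key pair issued by a CA that truststore.jks contains. Endpoint
    // identification additionally makes the member check a peer's SAN/CN against the
    // host name it connected to.
    static Properties mutualMember() {
        Properties p = oneWayMember();
        p.setProperty("ssl-require-authentication", "true");
        p.setProperty("ssl-endpoint-identification-enabled", "true");
        return p;
    }

    // Application client: needs its own keystore because the cluster now asks for a
    // client certificate, and endpoint identification so that it checks the server
    // certificate's SAN/CN against the host name it dialled.
    static Properties appClient() {
        Properties p = new Properties();
        p.setProperty("ssl-enabled-components", "all");
        p.setProperty("ssl-keystore", "/etc/app/client.jks");
        p.setProperty("ssl-keystore-password", "changeit");
        p.setProperty("ssl-truststore", "/etc/app/truststore.jks");
        p.setProperty("ssl-truststore-password", "changeit");
        p.setProperty("ssl-endpoint-identification-enabled", "true");
        return p;
    }

    public static void main(String[] args) throws Exception {
        Cache cache = new CacheFactory(mutualMember()).create();
        CacheServer cacheServer = cache.addCacheServer();
        cacheServer.setPort(40404);
        cacheServer.start();

        ClientCache client = new ClientCacheFactory(appClient())
                .addPoolServer("geode-server.example.com", 40404)
                .create();
        client.close();
        cache.close();
    }
}
```

Swapping mutualMember() for oneWayMember() on the member lets an application connect without any ssl-keystore at all; with mutualMember() the same application fails the handshake unless client.jks holds a certificate chaining to a CA in the member's truststore. That is the observable difference between Udo's two lines. Note that ssl-enabled-components=all also covers the web component, where, as Anthony points out, the client-certificate requirement is not applied because the peer is an external process such as a browser or curl.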


Re: Geode two way ssl

Posted by Sai Boorlagadda <sa...@gmail.com>.
It is *mutual auth*. Both server and client validate each other's key.
I should have mentioned "in addition to...."

Sai

On Fri, Dec 21, 2018 at 7:54 AM aashish choudhary <
aashish.choudhary1@gmail.com> wrote:

> So it's not mutual authentication? Both the parties are not validating
> each other; only the server is validating the client's key, if my understanding is
> correct.
>
>
> With best regards,
> Ashish
>

Re: Geode two way ssl

Posted by aashish choudhary <aa...@gmail.com>.
So it's not mutual authentication? Both the parties are not validating each
other; only the server is validating the client's key, if my understanding is
correct.


With best regards,
Ashish

On Fri, Dec 21, 2018, 1:29 AM Sai Boorlagadda <sai.boorlagadda@gmail.com
wrote:

> Hello Aashish,
>
> When ssl-require-authentication is set, it allows servers to validate the client's
> public key, which also requires you to include in the server's trust
> store the CA with which the client's public key is signed.
>
> Sai
>

Re: Geode two way ssl

Posted by Sai Boorlagadda <sa...@gmail.com>.
Hello Aashish,

When ssl-require-authentication is set, it allows servers to validate the client's
public key, which also requires you to include in the server's trust
store the CA with which the client's public key is signed.

Sai

On Thu, Dec 20, 2018, 10:43 AM aashish choudhary <
aashish.choudhary1@gmail.com wrote:

> We wanted to implement two way ssl with geode and needed some
> understanding on ssl property ssl-require-authentication. As per docs:
> *ssl-require-authentication* Requires two-way authentication, applies to
> all components except web. Boolean - if true (the default), two-way
> authentication is required.
> So if we set this as true, will it only verify the trust chain, or will some
> public key stuff for both client and server get verified in this
> authentication?
>
>
> Thanks,
> Ashish
>