blob: 1ace393794e6b0d76ba90c6610cfd17cfe45ece2 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
|
.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0
.. raw:: html
<style> .red {color:red} </style>
<style> .green {color:green} </style>
.. role:: red
.. role:: green
Authentication Types
====================
VES supports mutual TLS authentication via X.509 certificates. If VES is deployed via docker image then VES configuration can be modified by editing */opt/app/VESCollector/etc/collector.properties* which is present on the docker container. VES detects changes made to the mentioned file automatically and restarts the application.
The authentication can be enabled by *collector.service.secure.clientauth* property. When *collector.service.secure.clientauth=1* VES uses additional properties:
* *collector.truststore.file.location* - a path to jks trust store containing certificates of clients or certificate authorities
* *collector.truststore.passwordfile* - a path to file containing password for the trust store
Of course, mutual TLS authentication requires also server certificates, so following properties have to be set to valid values:
* *collector.keystore.file.location* - a path to jks key store containing certificates which can be used for TLS handshake
* *collector.keystore.passwordfile* - a path to file containing a password for the key store
Property *auth.method* is used to manage security mode, possible configuration: noAuth, basicAuth, certOnly, certBasicAuth
* *auth.method=noAuth* default option - no security (http)
* *auth.method=certOnly* is used to enable mutual TLS authentication (https)
* client without cert and without basic auth = :red:`Authentication failure`
* client without cert and wrong basic auth = :red:`Authentication failure`
* client without cert and correct basic auth = :red:`Authentication failure`
* client with cert and without/wrong basic auth = :green:`Authentication successful`
* client with cert and correct basic auth = :green:`Authentication successful`
* *auth.method=certBasicAuth* is used to enable mutual TLS authentication or/and basic HTTPs authentication
* client without cert and without basic auth = :red:`Authentication failure`
* client without cert and wrong basic auth = :red:`Authentication failure`
* client without cert and correct basic auth = :green:`Authentication successful`
* client with cert and without/wrong basic auth = :green:`Authentication successful`
* client with cert and correct basic auth = :green:`Authentication successful`
* *auth.method=basicAuth* is used to enable basic HTTPs authentication
* client without cert and without basic auth = :red:`Authentication failure`
* client without cert and wrong basic auth = :red:`Authentication failure`
* client without cert and correct basic auth = :green:`Authentication successful`
* client with cert and without/wrong basic auth = :red:`Authentication failure`
* client with cert and correct basic auth = :green:`Authentication successful`
When application is in certOnly or certBasicAuth mode then certificates are also validated by regexp in /etc/certSubjectMatcher.properties,
only SubjectDn field in certificate description are checked. Default regexp value is .* means that we approve all SubjectDN values.
|