
X509 Authentication

This document describes how to enable authentication via X.509 certificates. This kind of authentication takes place when (1) the connection uses HTTPS and (2) the server requires a client certificate. Normally, when an HTTPS connection is established, only the server presents a certificate. The server can additionally require the client to present a certificate of its own. This is called mutual authentication, or two-way SSL authentication.

Prerequisites

  • This document applies to the Pentaho BI Server, versions 1.6 and higher.
  • This document assumes the presence of the OpenSSL toolkit. Most Linux distributions come with OpenSSL. For Windows, there are pre-compiled binaries.

The instructions below assume three entities:

| Entity | Description |
|---|---|
| certificate authority (CA) | In this example, you will play the role of CA. In a real-life scenario, a company like VeriSign would serve as the CA. |
| server | This is a server such as Apache Tomcat. It will both present a certificate of its own and request a certificate from the client. |
| browser | This is a browser such as Mozilla Firefox. It will be configured to present a client certificate when prompted. |

Instructions

  1. Generate the CA private key.
  2. Generate the self-signed certificate for the CA using the CA private key.
  3. Generate the server private key.
  4. Generate the server certificate signing request (CSR).
  5. Sign the server CSR using the CA private key and CA certificate.
  6. Generate the client private key.
  7. Generate the client CSR.
  8. Sign the client CSR using the CA private key and CA certificate.
  9. Import the CA certificate into the keystore (e.g. cacerts) containing the root certificates of certificate authorities.
    1. Export the CA private key and CA certificate into a format suitable for the JVM keystore.
    2. Import the CA private key and CA certificate into a temporary keystore.
    3. Export the CA certificate out of the temporary keystore.
    4. Import the CA certificate into the cacerts file.
  10. Import the server private key and server certificate into the keystore to be used by the server.
    1. Export the server private key and server certificate into a format suitable for the server keystore.
    2. Import the server private key and server certificate into the server keystore.
  11. Edit the server config to enable HTTPS and to use the server keystore.
  12. Import the client private key and client certificate into the browser.
    1. Export the client private key and client certificate into a format suitable for the browser.
    2. Import the client private key and client certificate into the browser.
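
Steps 1 to 8 and the export from step 12.1, written as OpenSSL commands. This is an added example, not part of the original page; the file names, subject names, 2048-bit RSA keys, 365-day lifetime and the `changeit` export password are assumptions. The keystore and server configuration steps (9 to 11) are not covered here.

```shell
#!/bin/sh
# Added example. All names, lifetimes and the password below are constructed
# placeholders; replace them before using this outside a test environment.

# make_pki DIR: create a CA, a server certificate and a client certificate in DIR.
make_pki() {
    dir=$1
    mkdir -p "$dir" || return 1
    (
        cd "$dir" || exit 1
        umask 077   # private keys readable by their owner only

        # Steps 1-2: CA private key and self-signed CA certificate.
        openssl genrsa -out ca.key 2048 2>/dev/null || exit 1
        openssl req -new -x509 -key ca.key -sha256 -days 365 \
            -subj "/O=Example/CN=Example Test CA" -out ca.crt || exit 1

        # Steps 3-8: private key, CSR and CA-signed certificate,
        # first for the server and then for the client.
        for name in server client; do
            openssl genrsa -out "$name.key" 2048 2>/dev/null || exit 1
            openssl req -new -key "$name.key" \
                -subj "/O=Example/CN=$name.example.test" \
                -out "$name.csr" || exit 1
            openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key \
                -CAcreateserial -sha256 -days 365 \
                -out "$name.crt" 2>/dev/null || exit 1
        done

        # Step 12.1: bundle the client key and certificate as PKCS#12,
        # a format browsers can import.
        openssl pkcs12 -export -inkey client.key -in client.crt \
            -certfile ca.crt -name client \
            -passout pass:changeit -out client.p12 || exit 1
    )
}

# check_chain CAFILE CERT: succeed only if CERT was signed by the CA in CAFILE.
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Run `make_pki ./pki` and then `check_chain ./pki/ca.crt ./pki/client.crt` before importing anything; a certificate signed by a different CA must fail this check, which is the same decision the server makes when it validates the client certificate.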

Results

Examples

Troubleshooting

Related Items
