Configuring Trusted Peer Authentication for Mindbreeze Search Appliance

Copyright © Mindbreeze GmbH, A-4020 Linz, 2017.

All rights reserved. All hardware and software names used are registered trade names and/or registered trademarks of the respective manufacturers.

These documents are highly confidential. No rights to our software or our professional services, or results of our professional services, or other protected rights can be based on the handing over and presentation of these documents. Distribution, publication or duplication is not permitted.


Introduction

To use trusted peer authentication on the Mindbreeze Search Appliance, two certificates are needed: a trusted CA certificate for validating client certificates, and a trusted X.509 client certificate. The latter is used for forwarding search requests internally from the Mindbreeze Client Services to the Query Services, and it must be signed with the trusted CA certificate.

The certificates can be installed using the Mindbreeze Configuration Interface. After installation, trusted peer authentication has to be enabled on the Mindbreeze services involved.

Generating Certificates

The certificates have already been generated when the Appliance was first configured.

Trusted Client Certificate

In addition to the CA certificate, a trusted client certificate has also been generated. It is available in the file trusted.p12 in the folder /opt/mindbreeze/setup/certificates/TrustedPeer and can be downloaded using the file manager of the Management Center.

Installing the Certificates

The certificates are already configured and can be viewed in the sections “Available CAs” and “Available SSL Certificates”.

Enabling Trusted Peer Authentication

All Query Services automatically accept client certificate based authentication. For the Client Services it must be enabled manually by following these steps:

  • Open the “Client Services” tab on the configuration interface and check the “Advanced Settings” option.

  • Enable the “Use Trusted Peer Authentication” option and select the uploaded client certificate in the “Trusted Peer Credential Certificate” drop-down list.

  • The option “Certificate Subject Trusted for Identity Delegation” has to contain a pattern that matches the subject of the trusted client certificate.

  • The option “Identity Extraction Order” determines the order in which the identity is extracted from the HTTP header or the search request:

    Header, Request: The identity is extracted from the header and, as a fallback, from the request if it is not set in the header.

    Request, Header: The identity is extracted from the request and, as a fallback, from the header if it is not set in the request.

    Header: The identity is extracted from the request.

    Request: The identity is extracted from the header.

Identity Delegation using Trusted Peer Authentication

Trusted peer authentication can be used to delegate user credentials to the Client Service. This requires a matching trusted client certificate (see above). The identity has to be passed inside the HTTP header using the field “X-Auth-User”.
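As an added illustration (not Mindbreeze documentation or product code), the following POSIX shell functions model the decision a Client Service has to make when the settings above are combined: the identity carried in the X-Auth-User header is only honoured if the TLS layer validated the peer's client certificate against the trusted CA and the certificate subject matches the “Certificate Subject Trusted for Identity Delegation” pattern; otherwise the header is ignored as untrusted input and only the “Identity Extraction Order” fallback decides. Function names, the glob-style subject pattern and all sample values are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Mindbreeze documentation or product code.
# Models how a Client Service could combine the "Identity Extraction Order"
# setting with the trusted-peer check before acting on the X-Auth-User header.
# Function names, the glob subject pattern and all sample values are assumptions.

# subject_is_trusted SUBJECT PATTERN
# Returns 0 when the certificate subject matches the shell glob configured as
# "Certificate Subject Trusted for Identity Delegation".
subject_is_trusted() {
  case "$1" in
    $2) return 0 ;;
    *)  return 1 ;;
  esac
}

# resolve_identity ORDER CERT_VERIFIED SUBJECT PATTERN HEADER_USER REQUEST_USER
#   ORDER          "Header, Request", "Request, Header", "Header" or "Request"
#   CERT_VERIFIED  "yes" only if TLS validated the client certificate against
#                  the trusted CA certificate
#   SUBJECT        subject of the presented client certificate
#   PATTERN        the configured subject pattern (shell glob here)
#   HEADER_USER    value of the X-Auth-User header (may be empty)
#   REQUEST_USER   identity carried in the search request itself (may be empty)
# Prints the identity to act on and returns 0, or returns 1 for "no identity".
resolve_identity() {
  order=$(printf '%s' "$1" | tr 'A-Z,' 'a-z ')
  cert_verified=$2 subject=$3 pattern=$4 header_user=$5 request_user=$6

  # X-Auth-User is caller-controlled: accept it only from a trusted peer.
  if [ "$cert_verified" = yes ] && subject_is_trusted "$subject" "$pattern"; then
    delegated_user=$header_user
  else
    delegated_user=
  fi

  # Walk the configured sources in order; the first one that yields a value wins.
  for src in $order; do
    case $src in
      header)
        if [ -n "$delegated_user" ]; then printf '%s\n' "$delegated_user"; return 0; fi ;;
      request)
        if [ -n "$request_user" ]; then printf '%s\n' "$request_user"; return 0; fi ;;
      *)
        printf 'resolve_identity: unknown source "%s"\n' "$src" >&2; return 2 ;;
    esac
  done
  return 1
}

# Demo on constructed values: a trusted peer delegates "alice" via X-Auth-User,
# while the request itself would identify "bob". Prints "alice".
resolve_identity 'Header, Request' yes 'CN=trusted-peer,O=Example' 'CN=trusted-peer,*' alice bob
```

The same call with CERT_VERIFIED set to no, or with a subject that does not match the pattern, prints bob instead: the header is dropped and the fallback source is used. With order “Header” alone and an untrusted peer no identity is produced at all, which is the behaviour to expect when identity delegation is configured but a caller without the trusted client certificate sets X-Auth-User.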

Using Custom Certificates

For trusted peer based authentication, a custom CA certificate and a custom client certificate can be used as well. The client certificate must be signed with the CA certificate.

Requirements for the certificates:

  • The CA certificate file should contain a base-64 encoded X.509 certificate (the private key is not needed).
  • The trusted client certificate should be a PKCS #12 certificate archive (.p12) containing an X.509 certificate and the corresponding private key. Important: the PKCS #12 file may not be password protected.
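As an added example (not from the Mindbreeze documentation or product), the following POSIX shell script uses the openssl command-line tool to produce a CA certificate and a trusted client certificate that satisfy the requirements listed above, and then checks each requirement: the CA file is a base-64 (PEM) certificate without a private key, the client certificate verifies against the CA, and the .p12 archive opens without a password and contains both the certificate and its private key. File names, subjects, key sizes, validity periods and the output directory are assumptions, and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example, not Mindbreeze-provided: build and check a custom CA certificate
# and trusted client certificate with the openssl CLI. Subjects, file names and
# the output directory are assumptions.
set -e

# make_trusted_peer_certs OUTDIR
# Produces OUTDIR/ca.pem      - PEM (base-64) CA certificate, no private key inside
#          OUTDIR/trusted.p12 - PKCS#12 archive with the client certificate and
#                               its private key, created without a password
make_trusted_peer_certs() {
  out=$1
  mkdir -p "$out"

  # 1. Self-signed CA. Only ca.pem is installed on the appliance; ca-key.pem
  #    stays with whoever issues client certificates.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj '/CN=Example Trusted Peer CA/O=Example' \
    -keyout "$out/ca-key.pem" -out "$out/ca.pem"

  # 2. Private key and certificate signing request for the trusted peer.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj '/CN=trusted-peer/O=Example' \
    -keyout "$out/client-key.pem" -out "$out/client.csr"

  # 3. Sign the client certificate with the CA (requirement: signed by the CA).
  openssl x509 -req -in "$out/client.csr" -CA "$out/ca.pem" -CAkey "$out/ca-key.pem" \
    -CAcreateserial -days 825 -sha256 -out "$out/client.pem"

  # 4. Bundle certificate and private key into a PKCS#12 archive with an empty
  #    password (requirement: the .p12 may not be password protected).
  openssl pkcs12 -export -in "$out/client.pem" -inkey "$out/client-key.pem" \
    -name trusted-peer -passout pass: -out "$out/trusted.p12"
}

# check_trusted_peer_certs OUTDIR
# Verifies the requirements and prints the client certificate subject, which is
# what "Certificate Subject Trusted for Identity Delegation" has to match.
# Returns 1 if any requirement is violated.
check_trusted_peer_certs() {
  out=$1
  # CA file: a PEM certificate, and no private key block in it.
  grep -q 'BEGIN CERTIFICATE' "$out/ca.pem" || return 1
  if grep -q 'PRIVATE KEY' "$out/ca.pem"; then return 1; fi
  # Client certificate chains to the CA.
  openssl verify -CAfile "$out/ca.pem" "$out/client.pem" >/dev/null || return 1
  # The .p12 opens with an empty password and holds both certificate and key.
  bundle=$(openssl pkcs12 -in "$out/trusted.p12" -nodes -passin pass: 2>/dev/null) || return 1
  printf '%s\n' "$bundle" | grep -q 'BEGIN CERTIFICATE' || return 1
  printf '%s\n' "$bundle" | grep -q 'PRIVATE KEY' || return 1
  openssl x509 -in "$out/client.pem" -noout -subject
}

# Demo run: writes the files into ./trusted-peer-demo (or the directory given as $1)
# and prints the client subject, e.g. "subject=CN = trusted-peer, O = Example".
demo_dir=${1:-./trusted-peer-demo}
make_trusted_peer_certs "$demo_dir"
check_trusted_peer_certs "$demo_dir"
```

ca.pem is the file to install as the CA certificate and trusted.p12 the file to install as the trusted client certificate via the Mindbreeze Configuration Interface; the printed subject is the value the pattern in “Certificate Subject Trusted for Identity Delegation” must match. The CA private key is deliberately kept out of ca.pem, since anyone holding it can issue further certificates that the appliance will trust.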