How to Configure TLS Mutual Authentication on Avi Vantage for OpenShift Cloud
Overview
Mutual or dual authentication is a security process in which both client and server authenticate each other’s identities.
Avi Vantage supports mutual authentication on Avi Vantage for OpenShift cloud.
Prerequisites
Basic Knowledge of OpenShift cloud and Avi Vantage
Instructions
Avi Vantage is configured to support mutual TLS authentication through annotations on an OpenShift route. Follow the steps below to enable mutual authentication on Avi Vantage:
- Create a secure HTTP application profile (MySystem-Secure-HTTP-Client-Cert) with client certificate authentication. The PKI profile is created with the CA and CRL in the admin tenant; profiles created in the admin tenant are available in all tenants. For more information on creating client certificates, refer to Client SSL Certificate Validation.
- Select the application profile created in the previous step using the avi_proxy annotation in the route definition. The following is the annotation used for the application profile MySystem-Secure-HTTP-Client-Cert:
Annotations: avi_proxy={ "virtualservice": { "analytics_policy": { "metrics_realtime_update": {"duration": 0, "enabled": true} , "client_insights": "NO_INSIGHTS", "full_client_logs": {"enabled": true, "duration": 0} }, "application_profile_ref": "/api/applicationprofile/?name=MySystem-Secure-HTTP-Client-Cert" } ,"pool": { "inline_health_monitor": true, "lb_algorithm": "LB_ALGORITHM_ROUND_ROBIN", "health_monitor_refs": ["/api/healthmonitor?name=System-HTTP"] } }
Troubleshooting
Verifying Annotation Used
Use the following oc describe route command to check the annotation used. In the output below, the avi_proxy annotation appears under Annotations, and the route is shown as exposed on the AviVantage router; the ExtendedValidationFailed entry is the default OpenShift router rejecting the route's certificate as signed by an unknown authority.
[root@ose2-master1 master]# oc describe route db-pr-002-rt-002
Name: db-pr-002-rt-002
Namespace: db-pr-002
Created: 5 hours ago
Labels: <none>
Annotations:
avi_proxy={ "virtualservice": { "analytics_policy": { "metrics_realtime_update":
{"duration": 0, "enabled": true}
, "client_insights": "NO_INSIGHTS", "full_client_logs":
{"enabled": true, "duration": 0}
}, "application_profile_ref": "/api/applicationprofile/?name=MySystem-Secure-HTTP-Client-Cert" } ,"pool":
{ "inline_health_monitor": true, "lb_algorithm": "LB_ALGORITHM_ROUND_ROBIN", "health_monitor_refs": ["/api/healthmonitor?name=System-HTTP"] }
}
Requested Host: db-pr-002-rt-002.db.sc2.avi-ose-systest.com
exposed on router AviVantage 5 hours ago
rejected by router router: ExtendedValidationFailed (5 hours ago)
spec.tls.certificate: Invalid value: "redacted certificate data": error verifying certificate: x509: certificate signed by unknown authority
Path: <none>
TLS Termination: edge
Insecure Policy: Allow
Endpoint Port: <all endpoint ports>
Service: db-pr-002-svc-003
Weight: 50 (100%)
Endpoints: 10.131.0.7:8080
[root@ose2-master1 master]#
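The annotation from the procedure above and the check from this troubleshooting step, as an added Python example that is not part of the original page or of Avi Vantage: build_avi_proxy_annotation produces the same avi_proxy value shown on the page, and check_route_mtls inspects a Route object (as oc get route <name> -o json would return it) to confirm that the annotation selects the client-certificate application profile. Both function names, the sample Route objects and the profile name Some-Other-Profile are constructed for this example.

```python
import json
from urllib.parse import parse_qs, urlsplit

PROFILE = "MySystem-Secure-HTTP-Client-Cert"   # profile created in step 1 above

def build_avi_proxy_annotation(profile_name=PROFILE, health_monitor="System-HTTP"):
    """Return the avi_proxy annotation value (compact JSON) for a Route."""
    body = {
        "virtualservice": {
            "analytics_policy": {
                "metrics_realtime_update": {"duration": 0, "enabled": True},
                "client_insights": "NO_INSIGHTS",
                "full_client_logs": {"enabled": True, "duration": 0},
            },
            # This ref is what makes Avi enforce client-certificate validation.
            "application_profile_ref": "/api/applicationprofile/?name=" + profile_name,
        },
        "pool": {
            "inline_health_monitor": True,
            "lb_algorithm": "LB_ALGORITHM_ROUND_ROBIN",
            "health_monitor_refs": ["/api/healthmonitor?name=" + health_monitor],
        },
    }
    return json.dumps(body, separators=(",", ":"))

def check_route_mtls(route, expected_profile=PROFILE):
    """Inspect a Route object (as returned by `oc get route <name> -o json`)
    and report whether its avi_proxy annotation selects expected_profile.
    Returns (ok, reason) so a caller can log why the check failed."""
    annotations = route.get("metadata", {}).get("annotations") or {}
    raw = annotations.get("avi_proxy")
    if raw is None:
        return False, "route has no avi_proxy annotation"
    try:
        cfg = json.loads(raw)
    except ValueError as exc:
        return False, "avi_proxy annotation is not valid JSON: %s" % exc
    ref = cfg.get("virtualservice", {}).get("application_profile_ref", "")
    name = parse_qs(urlsplit(ref).query).get("name", [""])[0]   # profile named in the ref
    if name != expected_profile:
        return False, "application_profile_ref selects %r, not %r" % (name, expected_profile)
    return True, "route selects application profile " + expected_profile

# Constructed sample Routes, trimmed to the fields the check reads.
ROUTE_OK = {"metadata": {"name": "db-pr-002-rt-002", "namespace": "db-pr-002",
                         "annotations": {"avi_proxy": build_avi_proxy_annotation()}}}
ROUTE_OTHER = {"metadata": {"name": "db-pr-002-rt-002", "namespace": "db-pr-002",
                            "annotations": {"avi_proxy": build_avi_proxy_annotation("Some-Other-Profile")}}}
```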
Sample of Successful Authentication when a Client Certificate is Used
The following curl command is used to check the status of the authentication. The output below shows that authentication succeeds when the client certificate is provided.
root@ose2-client1:~# curl -v --pass avi123 --cert client.cert.pem --cert-type PEM -k https://db-pr-002-rt-002.db.sc2.avi-ose-systest.com/service-chain
Trying 10.118.21.8...
Connected to db-pr-002-rt-002.db.sc2.avi-ose-systest.com (10.118.21.8) port 443 (#0)
found 173 certificates in /etc/ssl/certs/ca-certificates.crt
found 692 certificates in /etc/ssl/certs
ALPN, offering http/1.1
SSL connection using TLS1.2 / RSA_AES_128_GCM_SHA256
server certificate verification SKIPPED
server certificate status verification SKIPPED
common name: secure-routes (does not match 'db-pr-002-rt-002.db.sc2.avi-ose-systest.com')
server certificate expiration date OK
server certificate activation date OK
certificate public key: RSA
certificate version: #3
subject: C=IN,ST=KA,L=Bangalore,O=Avi Networks India Pvt Ltd,OU=Eng,CN=secure-routes,EMAIL=jdilipan@avinetworks.com
start date: Mon, 04 Sep 2017 04:24:30 GMT
expire date: Tue, 04 Sep 2018 04:24:30 GMT
issuer: C=IN,ST=KA,L=Bangalore,O=Avi Networks India Pvt Ltd,OU=Eng,CN=secure-routes,EMAIL=jdilipan@avinetworks.com
compression: NULL
ALPN, server accepted to use http/1.1
> GET /service-chain HTTP/1.1
> Host: db-pr-002-rt-002.db.sc2.avi-ose-systest.com
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: text/html; charset=utf-8
< Content-Length: 21
< Connection: keep-alive
< X-Powered-By: Express
< ETag: W/"15-NLuv+M8VciyG29m0tz4VMrX/eGg"
< Date: Wed, 29 Aug 2018 16:49:17 GMT
< Strict-Transport-Security: max-age=31536000; includeSubDomains
<
Connection #0 to host db-pr-002-rt-002.db.sc2.avi-ose-systest.com left intact
db-pr-002-svc-003
root@ose2-client1:~#
Sample of an Authentication Failure when a Client Certificate is Not Used
The following curl command returns an error with status code 400. Avi Vantage returns the error message "No required SSL certificate was sent" when the client certificate is not present.
root@ose2-client1:~# curl -v -k https://db-pr-002-rt-002.db.sc2.avi-ose-systest.com/service-chain
Trying 10.118.21.8...
Connected to db-pr-002-rt-002.db.sc2.avi-ose-systest.com (10.118.21.8) port 443 (#0)
found 173 certificates in /etc/ssl/certs/ca-certificates.crt
found 692 certificates in /etc/ssl/certs
ALPN, offering http/1.1
SSL connection using TLS1.2 / RSA_AES_128_GCM_SHA256
server certificate verification SKIPPED
server certificate status verification SKIPPED
common name: secure-routes (does not match 'db-pr-002-rt-002.db.sc2.avi-ose-systest.com')
server certificate expiration date OK
server certificate activation date OK
certificate public key: RSA
certificate version: #3
subject: C=IN,ST=KA,L=Bangalore,O=Avi Networks India Pvt Ltd,OU=Eng,CN=secure-routes,EMAIL=jdilipan@avinetworks.com
start date: Mon, 04 Sep 2017 04:24:30 GMT
expire date: Tue, 04 Sep 2018 04:24:30 GMT
issuer: C=IN,ST=KA,L=Bangalore,O=Avi Networks India Pvt Ltd,OU=Eng,CN=secure-routes,EMAIL=jdilipan@avinetworks.com
compression: NULL
ALPN, server accepted to use http/1.1
> GET /service-chain HTTP/1.1
> Host: db-pr-002-rt-002.db.sc2.avi-ose-systest.com
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 400 Bad Request
< Content-Type: text/html
< Content-Length: 253
< Connection: close
<
400 No required SSL certificate was sent
400 Bad Request
No required SSL certificate was sent
Avi Vantage/
Closing connection 0
root@ose2-client1:~#