How to Configure TLS Mutual Authentication on Avi Vantage for OpenShift Cloud

Overview

Mutual or dual authentication is a security process in which both client and server authenticate each other’s identities.

Avi Vantage supports mutual authentication on Avi Vantage for OpenShift cloud.

Prerequisites

Basic knowledge of OpenShift cloud and Avi Vantage

Instructions

Avi Vantage is configured to support mutual TLS authentication using annotations on an OpenShift route. Follow the steps below to enable mutual authentication on Avi Vantage:

  1. Create a secure HTTP application profile (MySystem-Secure-HTTP-Client-Cert) with client certificate authentication. The PKI profile is created with the CA and CRL in the admin tenant; profiles created in the admin tenant are available in all tenants. For more information on creating the client certificate, refer to Client SSL Certificate Validation.

  2. Select the application profile created in the previous step using the avi_proxy annotation in the route definition. The following is the annotation used for the application profile MySystem-Secure-HTTP-Client-Cert.

    Annotations:
    avi_proxy={
      "virtualservice": {
        "analytics_policy": {
          "metrics_realtime_update": {"duration": 0, "enabled": true},
          "client_insights": "NO_INSIGHTS",
          "full_client_logs": {"enabled": true, "duration": 0}
        },
        "application_profile_ref": "/api/applicationprofile/?name=MySystem-Secure-HTTP-Client-Cert"
      },
      "pool": {
        "inline_health_monitor": true,
        "lb_algorithm": "LB_ALGORITHM_ROUND_ROBIN",
        "health_monitor_refs": ["/api/healthmonitor?name=System-HTTP"]
      }
    }
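As an added check that is not part of this article or of Avi Vantage, the script below reads a route object in the shape `oc get route <name> -o json` returns and verifies that its avi_proxy annotation is valid JSON and selects the mutual-TLS application profile; the route object is a constructed sample built from the annotation above, and the function name and the insecure-policy finding are this example's own.

```python
import json
from urllib.parse import parse_qs, urlparse

# Constructed sample in the shape `oc get route <name> -o json` returns, carrying the
# avi_proxy annotation from the steps above (fields the check does not read are omitted).
SAMPLE_ROUTE = {
    "metadata": {
        "name": "db-pr-002-rt-002",
        "namespace": "db-pr-002",
        "annotations": {"avi_proxy": json.dumps({
            "virtualservice": {
                "analytics_policy": {
                    "metrics_realtime_update": {"duration": 0, "enabled": True},
                    "client_insights": "NO_INSIGHTS",
                    "full_client_logs": {"enabled": True, "duration": 0}},
                "application_profile_ref":
                    "/api/applicationprofile/?name=MySystem-Secure-HTTP-Client-Cert"},
            "pool": {
                "inline_health_monitor": True,
                "lb_algorithm": "LB_ALGORITHM_ROUND_ROBIN",
                "health_monitor_refs": ["/api/healthmonitor?name=System-HTTP"]}})},
    },
    "spec": {"tls": {"termination": "edge", "insecureEdgeTerminationPolicy": "Allow"}},
}


def check_mtls_annotation(route, expected_profile):
    """Return findings for one route object; an empty list means it is annotated as expected."""
    findings = []
    raw = route.get("metadata", {}).get("annotations", {}).get("avi_proxy")
    if raw is None:
        return ["no avi_proxy annotation: the route gets the default application profile"]
    try:
        proxy = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"avi_proxy is not valid JSON ({exc})"]
    # The ref is an Avi API path whose query string names the profile (?name=<profile>).
    ref = proxy.get("virtualservice", {}).get("application_profile_ref", "")
    name = parse_qs(urlparse(ref).query).get("name", [""])[0]
    if name != expected_profile:
        findings.append(f"application_profile_ref names {name!r}, expected {expected_profile!r}")
    # Plain HTTP admitted by the route is never subject to TLS client authentication.
    policy = route.get("spec", {}).get("tls", {}).get("insecureEdgeTerminationPolicy")
    if policy == "Allow":
        findings.append("insecureEdgeTerminationPolicy=Allow: the route also accepts plain HTTP")
    return findings
```

Run it over `json.load(...)` of the real `oc get route -o json` output; for the sample route above it reports only the insecure-policy finding, since the profile reference matches.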

Troubleshooting

Verifying Annotation Used

Use the following oc describe route command to check the annotation used.


[root@ose2-master1 master]# oc describe route db-pr-002-rt-002
Name:	db-pr-002-rt-002
Namespace:	db-pr-002
Created:	5 hours ago
Labels:	<none>
Annotations:
avi_proxy={ "virtualservice": { "analytics_policy": { "metrics_realtime_update": {"duration": 0, "enabled": true}, "client_insights": "NO_INSIGHTS", "full_client_logs": {"enabled": true, "duration": 0} }, "application_profile_ref": "/api/applicationprofile/?name=MySystem-Secure-HTTP-Client-Cert" } ,"pool": { "inline_health_monitor": true, "lb_algorithm": "LB_ALGORITHM_ROUND_ROBIN", "health_monitor_refs": ["/api/healthmonitor?name=System-HTTP"] } }
Requested Host:	db-pr-002-rt-002.db.sc2.avi-ose-systest.com
exposed on router AviVantage 5 hours ago
rejected by router router: ExtendedValidationFailed (5 hours ago)

spec.tls.certificate: Invalid value: "redacted certificate data": error verifying certificate: x509: certificate signed by unknown authority
Path:	<none>
TLS Termination:	edge
Insecure Policy:	Allow
Endpoint Port:	<all endpoint ports>
Service:	db-pr-002-svc-003
Weight:	50 (100%)
Endpoints:	10.131.0.7:8080
[root@ose2-master1 master]#
 

Sample of Successful Authentication when a Client Certificate is Used

The following curl command is used to check the status of the authentication. The output below shows that authentication succeeds when the client certificate is provided.


root@ose2-client1:~# curl -v --pass avi123 --cert client.cert.pem --cert-type PEM -k https://db-pr-002-rt-002.db.sc2.avi-ose-systest.com/service-chain
*   Trying 10.118.21.8...
* Connected to db-pr-002-rt-002.db.sc2.avi-ose-systest.com (10.118.21.8) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 692 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / RSA_AES_128_GCM_SHA256
*   server certificate verification SKIPPED
*   server certificate status verification SKIPPED
*   common name: secure-routes (does not match 'db-pr-002-rt-002.db.sc2.avi-ose-systest.com')
*   server certificate expiration date OK
*   server certificate activation date OK
*   certificate public key: RSA
*   certificate version: #3
*   subject: C=IN,ST=KA,L=Bangalore,O=Avi Networks India Pvt Ltd,OU=Eng,CN=secure-routes,EMAIL=jdilipan@avinetworks.com
*   start date: Mon, 04 Sep 2017 04:24:30 GMT
*   expire date: Tue, 04 Sep 2018 04:24:30 GMT
*   issuer: C=IN,ST=KA,L=Bangalore,O=Avi Networks India Pvt Ltd,OU=Eng,CN=secure-routes,EMAIL=jdilipan@avinetworks.com
*   compression: NULL
* ALPN, server accepted to use http/1.1
> GET /service-chain HTTP/1.1
> Host: db-pr-002-rt-002.db.sc2.avi-ose-systest.com
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: text/html; charset=utf-8
< Content-Length: 21
< Connection: keep-alive
< X-Powered-By: Express
< ETag: W/"15-NLuv+M8VciyG29m0tz4VMrX/eGg"
< Date: Wed, 29 Aug 2018 16:49:17 GMT
< Strict-Transport-Security: max-age=31536000; includeSubDomains
<
* Connection #0 to host db-pr-002-rt-002.db.sc2.avi-ose-systest.com left intact
db-pr-002-svc-003
root@ose2-client1:~#
 

Sample of an Authentication Failure when a Client Certificate is Not Used

The following curl command returns an error with status code 400. Avi Vantage returns the error message "No required SSL certificate was sent" when the client certificate is not present.


root@ose2-client1:~# curl -v -k https://db-pr-002-rt-002.db.sc2.avi-ose-systest.com/service-chain
*   Trying 10.118.21.8...
* Connected to db-pr-002-rt-002.db.sc2.avi-ose-systest.com (10.118.21.8) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 692 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / RSA_AES_128_GCM_SHA256
*   server certificate verification SKIPPED
*   server certificate status verification SKIPPED
*   common name: secure-routes (does not match 'db-pr-002-rt-002.db.sc2.avi-ose-systest.com')
*   server certificate expiration date OK
*   server certificate activation date OK
*   certificate public key: RSA
*   certificate version: #3
*   subject: C=IN,ST=KA,L=Bangalore,O=Avi Networks India Pvt Ltd,OU=Eng,CN=secure-routes,EMAIL=jdilipan@avinetworks.com
*   start date: Mon, 04 Sep 2017 04:24:30 GMT
*   expire date: Tue, 04 Sep 2018 04:24:30 GMT
*   issuer: C=IN,ST=KA,L=Bangalore,O=Avi Networks India Pvt Ltd,OU=Eng,CN=secure-routes,EMAIL=jdilipan@avinetworks.com
*   compression: NULL
* ALPN, server accepted to use http/1.1
> GET /service-chain HTTP/1.1
> Host: db-pr-002-rt-002.db.sc2.avi-ose-systest.com
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 400 Bad Request
< Content-Type: text/html
< Content-Length: 253
< Connection: close
<
400 No required SSL certificate was sent
400 Bad Request
No required SSL certificate was sent
Avi Vantage/
* Closing connection 0
root@ose2-client1:~#

Additional Information

Avi Vantage Annotation Guide