Bug 1369081 - Confusion between rhq.server.tomcat.security.client-auth-mode and rhq.communications.connector.security.client-auth-mode values
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Operations Network
Classification: JBoss
Component: Documentation
Version: JON 3.3.6
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: GA
Assignee: Scott Mumford
QA Contact: Filip Brychta
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-08-22 12:53 UTC by Filip Brychta
Modified: 2016-09-05 04:15 UTC

Fixed In Version:
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-09-05 04:15:42 UTC
Type: Bug


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1369085 0 high CLOSED Values for rhq.server.tomcat.security.client-auth-mode and rhq.communications.connector.security.client-auth-mode are no... 2021-02-22 00:41:40 UTC

Internal Links: 1369085

Description Filip Brychta 2016-08-22 12:53:17 UTC
Document URL: 
https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Operations_Network/3.3/html/Admin_and_Config/JBoss_ON_and_SSL-Authentication.html

Section Number and Name: 
Step 8 - Enable client authentication by setting the 

Describe the issue: 
There are two properties in rhq-server.properties:
- rhq.server.tomcat.security.client-auth-mode
- rhq.communications.connector.security.client-auth-mode 

It seems rhq.server.tomcat.security.client-auth-mode requires value 'true' to be enabled but rhq.communications.connector.security.client-auth-mode requires 'need' value to be enabled.

Suggestions for improvement: 
Those two properties should be well described in the documentation.

Additional information:

Comment 1 Filip Brychta 2016-08-22 12:56:51 UTC
John, could you please confirm which values are expected for the following properties?
- rhq.server.tomcat.security.client-auth-mode
- rhq.communications.connector.security.client-auth-mode

Comment 2 John Mazzitelli 2016-08-22 15:49:21 UTC
IIRC, the tomcat one is used when inside the JON Server and the JON server is using sslservlet (because JON is using the Tomcat connector for its agent-server comm).

The other one is used on the agent side when the agent uses sslsocket. This is also for the JON Server, too, if the JON Server is using sslsocket (NOT sslservlet). In that case, it is the JON comm layer that is creating the server-side socket to handle the server-agent comm, not Tomcat.

When ...client-auth-mode == "true" it means we are only to process an incoming request if it has a valid SSL certificate.

The RHQ docs on this might help - I suggest reading this. We spent a lot of time putting in a lot of details here on this page:

https://docs.jboss.org/author/display/RHQ/Securing+Communications

Comment 3 Filip Brychta 2016-08-22 18:25:22 UTC
The question is whether the value "true" or the value "need" should be used.
The JON documentation contains the value "need" for rhq.communications.connector.security.client-auth-mode
The RHQ doc contains the value "true" for both rhq.communications.connector.security.client-auth-mode and rhq.server.tomcat.security.client-auth-mode

So the question is which value is correct for which property.

Comment 4 John Mazzitelli 2016-08-22 19:18:55 UTC
(In reply to Filip Brychta from comment #3)
> Question is if a value "true" or value "need" should be used.
> JON documentation contains value "need" for
> rhq.communications.connector.security.client-auth-mode
> RHQ doc contains value "true" for both
> rhq.communications.connector.security.client-auth-mode and
> rhq.server.tomcat.security.client-auth-mode
> 
> So question which value is correct for which property.

The "need" and "want" values are for a different property - that's for the server-auth value, not the client-auth value (in this context, "server" is the server-side of the comm - not necessarily the JON Server - the agent is a "server" too - when a message comes into the agent, the agent is the "server" and the JON Server is the "client")

The client-auth value is boolean only (true or false). True means the server wants to authenticate the client; false means the server doesn't authenticate the client with a cert.

For the server-auth value of "need" - that is a client-side only property - if "need" the client needs the server to provide a cert. If "want" the client would like it, but doesn't require it.

Comment 5 Filip Brychta 2016-08-23 12:50:31 UTC
So after discussion with mazz, the following are the correct values:
rhq-server.properties:
- rhq.server.client.security.server-auth-mode-enabled=true/false - for outgoing messages to agents; when enabled, forces the server to authenticate the remote agent's certificate with one in the server's trust store

- rhq.server.tomcat.security.client-auth-mode=true/false - for incoming messages from agents when sslservlet is used

- rhq.communications.connector.security.client-auth-mode=none/want/need - for incoming messages from agents when sslsocket is used

 
agent-configuration.xml:
- rhq.agent.client.security.server-auth-mode-enabled=true/false - for outgoing messages to server

- rhq.communications.connector.security.client-auth-mode=none/want/need - for incoming messages from server

It's necessary to search through the JON doc and fix all occurrences.
I found the following:
- https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Operations_Network/3.3/html/Admin_and_Config/ssl-troubleshooting.html section Example 4.4. Encryption and Client Authentication: Server (sslsocket) and Agent (sslsocket)
rhq.communications.connector.security.client-auth-mode=true should be rhq.communications.connector.security.client-auth-mode=need

- https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Operations_Network/3.3/html/Admin_and_Config/server-properties.html 6.3.2. Configuring Communication Settings
rhq.server.tomcat.security.client-auth-mode=want should be rhq.server.tomcat.security.client-auth-mode=true

- https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Operations_Network/3.3/html/Admin_and_Config/server-properties.html section rhq-server.properties SSL Server Connection Parameters
description for rhq.server.client.security.server-auth-mode-enabled is not correct. Valid values are true/false
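
Added example (not part of the original bug report and not JON/RHQ code): a small check that flags the value mix-ups described in comment 5 in an rhq-server.properties file. The allowed value sets are taken from comment 5; the function names, the exact-match comparison and the sample file contents are assumptions constructed for illustration.

```python
# Allowed values per property, as listed in comment 5 for rhq-server.properties.
SERVER_RULES = {
    "rhq.server.client.security.server-auth-mode-enabled": {"true", "false"},
    "rhq.server.tomcat.security.client-auth-mode": {"true", "false"},
    "rhq.communications.connector.security.client-auth-mode": {"none", "want", "need"},
}


def parse_properties(text):
    """Parse simple key=value lines; blank lines and #/! comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_auth_modes(text, rules=SERVER_RULES):
    """Return (key, value, allowed) for each property whose value is outside
    its allowed set. Comparison is an exact string match (an assumption)."""
    props = parse_properties(text)
    problems = []
    for key, allowed in rules.items():
        if key in props and props[key] not in allowed:
            problems.append((key, props[key], sorted(allowed)))
    return problems


# Constructed sample reproducing the two swapped values reported in this bug.
SAMPLE = """\
# constructed sample, not a real configuration
rhq.server.client.security.server-auth-mode-enabled=true
rhq.server.tomcat.security.client-auth-mode=want
rhq.communications.connector.security.client-auth-mode=true
"""

if __name__ == "__main__":
    for key, value, allowed in check_auth_modes(SAMPLE):
        print(f"{key}={value!r} is not one of {allowed}")
```

A value such as client-auth-mode=true on the sslsocket connector is worth catching before deployment, since a setting the connector does not recognise may leave client certificate authentication off without any visible error.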

