Traffic Ops client certificate authentication #7392

Merged
merged 21 commits into from
May 8, 2023

21 commits
96ea127
initial client certificate auth code for login
Sep 6, 2022
a8e192e
Add intermediate cert for chain testing. Add LDAP check for UID parse…
Oct 4, 2022
d104a8f
Add nil check for client TLS connection state
Oct 4, 2022
961bb77
Update cdn.conf to include Root cert location. Remove test certs
Oct 4, 2022
ec7f207
Remove filesystem tests for root cert
Oct 4, 2022
36e6ef7
Use long descriptive form in JSON for cdn.conf
Oct 4, 2022
a18d93c
Add checks for config values. Update example logic
Oct 10, 2022
10788e1
Initial documentation commit instead of stash
Nov 1, 2022
94e8542
Moved client.go and server.go to separate folders because they are bo…
Feb 8, 2023
317de5d
Add Apache license to example server+client
Feb 8, 2023
f0bd4d5
Remove commented code lines
zrhoffman Mar 9, 2023
1d4c668
Use JWT constants instead of string literals
zrhoffman Mar 9, 2023
3bf8acc
Refactor so `goto` is unnecessary
zrhoffman Mar 9, 2023
fa3809d
Lowercase error messages
zrhoffman Mar 9, 2023
7a2cec0
Use separate PKI directory for TO root certificates
zrhoffman Apr 24, 2023
893219b
Reject certs that are group or world-writable
zrhoffman Apr 24, 2023
2e56bb9
Do not fully bail on unprocessable files
zrhoffman Apr 24, 2023
fdfea30
- Reject certificate subjects with multiple UIDs
zrhoffman Apr 24, 2023
2ff5d88
Use %s for error in format string
zrhoffman Apr 24, 2023
746ea5b
Track github.com/apache/trafficcontrol/lib/go-rfc/ldap
zrhoffman Apr 28, 2023
73409b2
Use %s for error type
zrhoffman Apr 28, 2023
25 changes: 25 additions & 0 deletions docs/source/admin/quick_howto/client_cert_auth.rst
@@ -0,0 +1,25 @@
..
..
.. Licensed under the Apache License, Version 2.0 (the "License");
.. you may not use this file except in compliance with the License.
.. You may obtain a copy of the License at
..
.. http://www.apache.org/licenses/LICENSE-2.0
..
.. Unless required by applicable law or agreed to in writing, software
.. distributed under the License is distributed on an "AS IS" BASIS,
.. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
.. See the License for the specific language governing permissions and
.. limitations under the License.
..

.. _client-cert-auth:

**************************************
Client Certificates for Authentication
**************************************

An alternative mechanism for providing credentials and authenticating access.

There are multiple mechanisms, specifically within Traffic Ops, that provide a means for authentication.

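Review bot: the new how-to page stops after two introductory sentences, so a reader who follows the ``client-cert-auth`` label learns nothing about how to enable or use the feature. Before merging, the page should at least describe the ``client_certificate_authentication`` section of cdn.conf and its ``root_certificates_directory`` key, state that the section is required when ``"ClientAuth"`` is enabled in the ``tls_config`` section (as the traffic_ops.rst change in this PR says), and explain how the client certificate's subject is matched to a Traffic Ops user (the commit history mentions a UID parse and rejecting subjects with multiple UIDs). The sentence "There are multiple mechanisms, specifically within Traffic Ops, that provide a means for authentication." should name those mechanisms or link to their sections with ``:ref:``, and a short note on what is logged when a client certificate is rejected would help operators troubleshoot.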
7 changes: 6 additions & 1 deletion docs/source/admin/traffic_ops.rst
Expand Up @@ -320,6 +320,12 @@ This file deals with the configuration parameters of running Traffic Ops itself.
:renew_days_before_expiration: Set the number of days before expiration date to renew certificates.
:summary_email: The email address to use for summarizing certificate expiration and renewal status. If it is blank, no email will be sent.

:client_certificate_authentication: This is an optional section of configurations client provided certificate based authentication. However, if ``"ClientAuth" : "1"``` is enabled in the ``tls_config`` section in ``traffic_ops_golang``, then this field is required.

.. versionadded:: 7.0

:root_certificates_directory: A string representing the absolute path of the directory where Root CA certificates are located. These Root CA certificates are used for verifying the certificate provided by the client.

:default_certificate_info: This is an optional object to define default values when generating a self signed certificate when an HTTPS delivery service is created or updated. If this is an empty object or not present in the :ref:`cdn.conf` then the term "Placeholder" will be used for all fields.

:business_unit: An optional field which, if present, will represent the business unit for which the SSL certificate was generated
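Review bot: the ``:client_certificate_authentication:`` entry has two text problems: the inline literal for ``"ClientAuth" : "1"`` closes with three backticks instead of two, which breaks RST rendering of that line, and "This is an optional section of configurations client provided certificate based authentication" is missing a word (suggest "This is an optional section of configuration for client-provided, certificate-based authentication"). The ``:root_certificates_directory:`` description should also document the behaviour the commits in this PR implement, namely that certificates in that directory which are group- or world-writable are rejected and that unprocessable files do not cause a full bail-out, and say whether the directory may be empty; as written the entry only says the field is required.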
Expand Down Expand Up @@ -517,7 +523,6 @@ This file deals with the configuration parameters of running Traffic Ops itself.

.. versionadded:: 7.0


Example cdn.conf
''''''''''''''''
.. include:: ../../../traffic_ops/app/conf/cdn.conf