Two-Way Certificate-Based Authentication over TLS 1.2
This guide describes how to authenticate Connectors and other components with the AAI server using two-way certificate-based authentication over TLS 1.2.
Requirements
To secure a Connector, your system must meet the following requirements:
- OpenSSL version 1.1 or later installed and on the system path
- JDK version 8 or later, with the keytool and jar tools installed and on the system path
In addition, you must have installed or upgraded your AAI server to at least version 6.3.0 (including the database schema), and you must have installed or upgraded a Connector that is based on the connector framework.
Overview
The authentication setup can be broken down into three steps:
- Generate the AAI server certificate and configure AAI to allow two-way certificate-based authentication over TLS 1.2.
  AAI runs within a JBoss container, which must be configured to allow two-way authentication via certificates before a Connector can communicate with it over TLS 1.2.
- Generate client certificates for Connectors to authenticate over two-way TLS 1.2.
  Once the AAI server has been configured to allow certificate-based authentication over TLS 1.2, generate a client certificate for each Connector that you want to authenticate using certificates.
- Configure the Connectors. For more information, see Configuring Connectors for Authentication.
  Each Connector that communicates with the AAI server over two-way TLS 1.2 must be configured with a unique client certificate that was generated by, and is trusted by, the AAI server, and must also be configured to trust the AAI server certificate. A single Connector installation can only communicate with one AAI server instance, but one AAI server instance can communicate with multiple Connectors.
The generated client certificate is packaged in a .jar file along with any other resources the Connector needs to authenticate with the AAI server using client certificate authentication. If the Connector runs on a different machine than the AAI server instance, this single .jar file must be transferred to the machine running the Connector, into a specific directory. Because client certificate authentication requires the Connector's private key, that bundle contains key material: transfer it over a protected channel and restrict access to the directory it is placed in. The AAI server also acts as its own Certificate Authority (CA) and issues the server and client certificates itself rather than obtaining them from a public CA, so you may need to add the AAI server CA certificate to the trust store on the Connector machine; otherwise the client cannot verify the server's certificate and the two-way TLS handshake fails.
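The following script is an added example, not the product's own setup tooling, and it does not reproduce how the AAI server builds its .jar bundle. It shows, with the OpenSSL and keytool tools listed under Requirements, what the three steps above produce: a private CA, a CA-signed server certificate whose SAN matches the AAI host name, a CA-signed client certificate per Connector with a clientAuth-only extended key usage, the client material bundled as PKCS#12 for keytool, and the CA certificate imported into a trust store for the Connector side. The host name `aai.example.internal`, the Connector name `connector-01`, the password `changeit` and the working directory are assumptions.

```shell
#!/bin/sh
# Added example, not the product's own tooling: the three-step setup done
# with OpenSSL and keytool for one AAI host and one Connector. Host name,
# Connector name, password and output directory are assumptions; the real
# product generates and packages these itself, so treat this as an
# illustration of what ends up in the bundle and the trust stores.
set -eu

WORK="${WORK:-$(mktemp -d)}"
STOREPASS="${STOREPASS:-changeit}"   # assumed password; use a real one

# Step 1a: a private CA. An explicit config keeps the CA extensions the same
# across OpenSSL 1.1 and 3.x instead of relying on the distro openssl.cnf.
make_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = aai-private-ca
[v3_ca]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt"
}

# Issue a CA-signed leaf certificate. $1 = file stem, $2 = CN, $3 = extra
# extfile lines. Leaves are always CA:FALSE and carry an explicit EKU, so a
# client certificate cannot be presented as a server and vice versa.
issue_cert() {
  stem="$1"; cn="$2"; exts="$3"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
    -keyout "$WORK/$stem.key" -out "$WORK/$stem.csr"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n%s\n' \
    "$exts" > "$WORK/$stem.ext"
  openssl x509 -req -sha256 -days 825 -in "$WORK/$stem.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$stem.ext" -out "$WORK/$stem.crt"
}

# Step 1b: server certificate; the SAN must match the host name Connectors use.
issue_server_cert() {
  issue_cert server "$1" "extendedKeyUsage=serverAuth
subjectAltName=DNS:$1"
}

# Step 2: one client certificate per Connector, bundled with its key and the
# CA certificate as PKCS#12 so keytool can import it into a Java keystore.
issue_client_cert() {
  issue_cert "$1" "$1" "extendedKeyUsage=clientAuth"
  openssl pkcs12 -export -name "$1" -inkey "$WORK/$1.key" -in "$WORK/$1.crt" \
    -certfile "$WORK/ca.crt" -passout "pass:$STOREPASS" -out "$WORK/$1.p12"
}

# Step 3: the Connector side must trust the private CA, otherwise it cannot
# verify the server certificate. keytool is only used when it is installed.
make_truststore() {
  if command -v keytool >/dev/null 2>&1; then
    rm -f "$WORK/truststore.jks"
    keytool -importcert -noprompt -alias aai-ca -file "$WORK/ca.crt" \
      -keystore "$WORK/truststore.jks" -storepass "$STOREPASS"
  fi
}

# Checks to run before shipping a bundle: chain validity and intended EKU.
verify_chain() { openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null; }
has_eku()      { openssl x509 -in "$1" -noout -text | grep -q "$2"; }

main() {
  host="${1:-aai.example.internal}"; connector="${2:-connector-01}"
  make_ca
  issue_server_cert "$host"
  issue_client_cert "$connector"
  make_truststore
  verify_chain "$WORK/server.crt"
  verify_chain "$WORK/$connector.crt"
  echo "artifacts in $WORK"
}

main "$@"
```

Run it as `sh setup.sh aai.example.internal connector-01`; repeat `issue_client_cert` once per Connector so every Connector gets its own certificate, as the overview requires. Two caveats worth knowing: OpenSSL 3.x writes PKCS#12 files with AES and PBKDF2 by default, which older keytool releases cannot read (add `-legacy` to the `openssl pkcs12 -export` call in that case), and the `.p12` file holds the Connector's private key, so it needs the same handling as the product's own .jar bundle.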