Support Questions

@amarnath reddy pappu, thank you for your reply. I agree that seems to be the logical path. What I see appears to differ from what the system is allowing. Attempting to perform this action fails. See the image below with verbose output. Any idea to explain this behavior?

@Zack Atkinson

the curl call you are trying is incorrect. use cacert instead of cert

curl -X POST --data 'Hello World! SSL Worked!''https:HOST:PORT/PATH  '----cacert ./meyCert

My example:

curl -X GET https://c1111-node1.hdp.com:8443/#/login/local --cacert /tmp/knox.crt

Please mark my comment as correct answer if this solves your issue.

Amarnath,

You are trying to resolve the issue of the untrusted server certificate if curl is run without the -k/--insecure option. That was not Zack's problem. To accept input from a client which is not identifying itself with a client certificate, the solution is to provide a StandardRestrictedSSLContextService with only the keystore-related options configured. Configuring the truststore-related options instructs the service to require a client certificate to negotiate a TLS handshake and allow the connection. This is what Zack was trying to avoid.

Andy\Amarnath,

My question was initially why my expected outcome was not working and why this other format did work. Along the way, I believe my question was answered, assuming my understanding is correct. I did't want to dive to deep as I thought it may be outside the scope of my initial post. Since the conversation has gone that way tho, Andy is correct.

I did not understand the difference between 1-way SSL and 2-way SSL. Using 1-way SSL (keystore only) all HTTPS connections are accepted regardless if the source is who we are expecting or not. Using 2-way SSL only HTTPS connections are accepted but now we must verify who the source is by authenticating with a private key & server certificate that can be authenticated by my truststore.

My use case for this knowledge, is we are promoting projects between our Dev & Prod clusters. I wanted to ensure we had the correct security in place to proceed. The developers are wanting 1-way SSL but I lacked the knowledge at the time to make it work and only had 2-way. They were upset because this required more data to be sent via REST protocol using 2-way.

Now that I understand each protocol, I will not allow to them proceed to Production with their architecture without 2-way SSL. Originally, I was simply ignorant of how to setup 1-way SSL, without understanding the security hole it would make.

Thank you both for your time and effort in reviewing this concept.

@Zack Atkinson not sure your answer is related to the question being asked - Am i missing some thing here?

Please check my comment below for answer to the curl call issue.

Zack, glad you found a solution. I was coming to post this but wanted to verify something in my custom configuration wasn't affecting this before posting. We can probably improve the processor/controller service documentation to make this clearer and more intuitive. If you do decide you want client authentication and configure the truststore-related properties, you can also further restrict the authorized users via the Authorized DN Pattern processor property.