Introduction

  • The JS7 - Identity Services offer management of user accounts for authentication and authorization.
  • The connection from a client (user browser or REST client) to the JOC Cockpit can be secured by HTTPS. This includes validation of the JOC Cockpit's TLS/SSL Server Authentication Certificate by the client. In addition, the JOC Cockpit can be configured for mutual authentication, requesting in return that the client presents a Client Authentication Certificate that is then validated by the JOC Cockpit.
  • Certificates can be used as a single-factor and for multi-factor authentication (MFA) with other Identity Services.
  • Authentication Schemes
    • Single-factor authentication means that use of a Client Authentication Certificate is sufficient to login to JOC Cockpit, no specification of user account and password is required.
    • Two-factor authentication means that:
      • the client (user browser, REST client) presents a Client Authentication Certificate and
      • the client specifies for example the user account and password for login required by some other Identity Service.
  • FEATURE AVAILABILITY STARTING FROM RELEASE 2.6.0

Prerequisites

Identity Service Type

The following integration level is available from the OIDC Identity Service Type:

Identity ServiceIdentity Service Configuration Items
Service TypeBuilt-inUser Accounts/Passwords
stored with
User Accounts/Passwords
managed by
Roles/Permissions
stored with
Roles->User Accounts Mapping
managed with
CERTIFICATEyesCertificateCA / CertificateJS7 Database JOC Cockpit


Explanation:

  • Service Type: CERTIFICATE
    • Management of user accounts is performed by the Certificate Authority (CA). Instead of a password the user holds the Private Key and Certificate.
    • The assignment of roles to user accounts is performed by the JOC Cockpit.
    • The JOC Cockpit stores user accounts and role assignments: in the JS7 - Database.
    • The JOC Cockpit does not know the Private Key of user accounts. JOC Cockpit knows the user account's Certificate that is used to verify authentication requests.

Identity Service Configuration

The  icon in the JOC Cockpit main menu is used to select the Manage Identity Services page:


Add Identity Service

To add an Identity Service use the button Add Identity Service from the page shown above, listing the available Identity Services:


The remaining input fields for the popup window look like this:


Explanation:

  • The Identity Service Name is a unique identifier that can be freely chosen.
  • The Identity Service Type can be selected as available from the above matrix.
  • The Ordering specifies the sequence in which a login is performed with available Identity Services.
  • The Used as Second Factor checkbox specifies if the the Identity Service is used for single-factor authentication or two-factor authentication:
    • single-factor authentication: the certificate is sufficient for login with the Identity Service.
    • two-factor authentication: in addition to user account and password specified for some other Identity Service a Client Authentication Certificate is required - see the JS7 - Certificate based Authentication article for more information.

Identity Service Settings

No settings are required for the Certificate Identity Service.

JOC Cockpit Configuration

Jetty Configuration

JETTY_BASE is Jetty's base directory that is specified during the JOC Cockpit installation:

Add the following entries to the JETTY_BASE/start.d/ssl.ini configuration file:

Add HTTPS mutual authentication to Jetty
## enable use of client authentication certificates
jetty.sslContext.needClientAuth=false
jetty.sslContext.wantClientAuth=true
jetty.sslContext.endpointIdentificationAlgorithm=

Hints

  • Line 2: if needClientAuth is set to true then a Client Certificate is required. If this setting is false and the wantCientAuth setting is true then users have the option for user account/password based authentication or certificate based authentication.
  • Line 4: while this setting looks weird, it is required due to a bug in Jetty 9.4, see https://github.com/eclipse/jetty.project/issues/3466. With later releases of Jetty that fix this bug this setting is not required.

Certificate Management

Mutual authentication is based on X.509 compliant certificates. Private CA-signed Certificates and Public CA-signed Certificates can be used, for details see JS7 - How to create X.509 SSL TLS Certificates.

JOC Cockpit has to hold a certificate in its truststore that allows validation of the clients' certificate. The location of the Jetty truststore is specified with the JETTY_BASE/start.d/ssl.ini configuration file.

  • Self-signed Certificates
    • JOC Cockpit holds the client's certificate in its truststore. 
    • Each client's individual certificate is required to be in place.
  • CA signed Certificates
    • JOC Cockpit holds the CA Certificate, i.e. the Root CA Certificate/Intermediate CA Certificate(s), in its truststore.
    • Connections from any clients that use a certificate signed by the CA will be accepted.
    • This approach is more flexible as it does not require modification of the Jetty truststore when adding/removing clients.

Client Configuration

Certificate Management

Private CA-signed Certificates and Public CA-signed Certificates can be used:

  • Private CA-signed Certificates are issued by users who operate their own Private Certificate Authority (CA).
  • Public CA-signed Certificates are issued by a trusted Certificate Authority (CA) that validates the domain owner. They are not created by users but are purchased from the trusted CA and are not in scople of this article.

For use with Private CA-signed Certificates the CA Certificate has to be added to the client's certificate store. Certificates from Public CAs are frequently available from a client's keystore.

Certificate Store

The client holds its Private Key and Certificate in its keystore. 

  • The Private Key is created by the client when generating a Certificate Signing Request (CSR) that is signed by a Private CA or Public CA.
  • For CA-signed Certificates the client's certificate store includes the certificate chain, i.e. client certificate and Root CA Certificate/Intermediate CA Certificate(s) that have been used when signing the client's certificate.
  • Frequently Private Key and Certificate(s) are stored in a PKCS12 keystore that comes with a .pfx or .p12 file extension. Other file formats for Private Key and Certificate(s) are can be used.
  • The clients' keystore has to be imported into the client's certificate store. The location of the certificate store depends on the client application that is used to access JOC Cockpit:
    • Browser Clients
      • Firefox (any platform): support for use of an individual certificate store that is available with the browser, see Options -> Privacy & Security -> Certificates.
      • Chrome, Vivaldi, Edge (Windows): support for use of the Windows Certificate Store
      • Chrome, Vivaldi (Linux): support for use of an individual certificate store that is available with the browser, see Options -> Privacy
      • Chrome, Safari (Mac OS): support for use of the Mac OS Certificate Store
    • REST Clients
      • JS7 PowerShell Module (Connect-JS7): Windows, Linux, Mac OS: support for use of a PKCS12 keystore (.p12); Windows: support for use of the Windows Certificate Store.
      • Other REST Clients: REST clients implemented with programming languages or scripting languages follow individual approaches to manage a certificate store.

Certificate Encryption Algorithms

X.509 certificates with RSA or ECDSA encryption algorithms can be used.

Certificate Verification

For incoming connections from a Client, for example a browser, the Jetty servlet container that ships with JOC Cockpit will challenge the Client to present its Client Authentication Certificate.

  • Jetty will verify the Client Authentication Certificate and check if this was signed by a CA using the Root CA Certificate that is available with the Jetty truststore.
  • During login the user does not have to specify the account to be used. Instead, the Common Name (CN) entry of the Client Authentication Certificate's subject specifies the account used for login with JOC Cockpit. Consider that an exact match of the CN is required: 
    • Assume a user account: apmacwin
    • The certificate subject could look like this:

Logging

  • Log Files
  • Standard Log Files
    • Identity Services log output to the JETTY_BASE/logs/joc.log file. This includes reporting success or failure of authentication.
    • Successful and failed authentication attempts including the user accounts involved are logged to the JETTY_BASE/logs/audit.log file.
  • Debug Log Files
    • For problem analysis during the setup of an Identity Service, increase the log level as explained in the JS7 - Log Levels and Debug Options article.
    • The JETTY_BASE/logs/joc-debug.log file includes general debug output of JOC Cockpit.
    • The JETTY_BASE/logs/authentication-debug.log file includes debug output related to authentication and authorization.
    • The JETTY_BASE/logs/jetty.log file includes debug output of attempts to establish SSL connections.



  • No labels