3.3. Mutual SSL

Mutual SSL authentication, commonly referred to as x509 or two-way authentication, allows for an application developer, which is the SSL client, to authenticate to an application, which is the SSL server, and vice versa. Each side has a verification certificate, which is shared upon connection. Using mutual authentication ensures an additional level of security in your deployment, because without the approved authentication certificate a user is unable to connect to the SSL server.
If your system administrator has configured an OpenShift Enterprise deployment to require mutual SSL authentication, you must configure the client tools on your workstation to be able to make connections with that deployment. Contact your system administrator for details about the deployment's authentication requirements, or see the OpenShift Enterprise Deployment Guide for more information.

Procedure 3.1. To Configure the Client Tools for Mutual SSL Authentication:

  1. Mutual SSL authentication requires the current version of the OpenShift client tools. Ensure your client tools are up to date using the method you used to install them. See the OpenShift Enterprise Client Tools Installation Guide for details.
  2. If you are only connecting to one OpenShift Enterprise server, you can add the following to the ~/.openshift/express.conf file on the workstation where the client tools are installed: 
    ssl_ca_file=path/to/SSLCA/certificate/file
ssl_client_cert_file=path/to/SSL/certificate/file
ssl_client_key_file=path/to/certificate/keyfile
insecure=false
use_authorization_tokens=true
libra_server=broker.example.com
    Alternatively, you can perform the same configuration from the command line using the rhc setup command: 
    # rhc setup --ssl-client-cert-file path/to/SSL/certificate/file --ssl-client-key-file path/to/certificate/keyfile --ssl-ca-file path/to/SSLCA/certificate/file
    If you are using your client tools to manage accounts for multiple OpenShift servers, you can use the rhc server command instead: 
    # rhc server add broker.example.com --nickname Server_Nickname --ssl-client-cert-file path/to/SSL/certificate/file --ssl-client-key-file path/to/certificate/keyfile --ssl-ca-file path/to/SSLCA/certificate/file
    See Chapter 4, Multiple OpenShift Servers for general information on managing and switching between accounts for multiple OpenShift servers.