3.3. Mutual SSL
Mutual SSL authentication, commonly referred to as x509 or two-way authentication, allows for an application developer, which is the SSL client, to authenticate to an application, which is the SSL server, and vice versa. Each side has a verification certificate, which is shared upon connection. Using mutual authentication ensures an additional level of security in your deployment, because without the approved authentication certificate a user is unable to connect to the SSL server.
If your system administrator has configured an OpenShift Enterprise deployment to require mutual SSL authentication, you must configure the client tools on your workstation to be able to make connections with that deployment. Contact your system administrator for details about the deployment's authentication requirements, or see the OpenShift Enterprise Deployment Guide for more information.
Procedure 3.1. To Configure the Client Tools for Mutual SSL Authentication:
- Mutual SSL authentication requires the current version of the OpenShift client tools. Ensure your client tools are up to date using the method you used to install them. See the OpenShift Enterprise Client Tools Installation Guide for details.
- If you are only connecting to one OpenShift Enterprise server, you can add the following to the
~/.openshift/express.conffile on the workstation where the client tools are installed:
path/to/certificate/keyfileinsecure=false use_authorization_tokens=true libra_server=broker.example.comAlternatively, you can perform the same configuration from the command line using the
rhc setup --ssl-client-cert-file
path/to/SSLCA/certificate/fileIf you are using your client tools to manage accounts for multiple OpenShift servers, you can use the
rhc servercommand instead:
rhc server add broker.example.com --nickname Server_Nickname --ssl-client-cert-file
path/to/SSLCA/certificate/fileSee Chapter 4, Multiple OpenShift Servers for general information on managing and switching between accounts for multiple OpenShift servers.