[MarkLogic Dev General] Secure Application-to-Application communication

Wayne Feick wayne.feick at marklogic.com
Sun Mar 18 10:46:36 PDT 2012


Hi Ryan,

It's fairly easy to do what you want (at least from the point of view of 
the guy who did all the SSL work in our server ;-) ).

1. You'll need to have the certificate authority's certificate in the 
security database so that it is trusted. You can import it via the Admin 
UI at Security -> Certificate Authorities -> Import. You can also use 
pki:insert-trusted-certificates() running against the security database.

2. Configure the app server to use SSL. You said you already can do 
this, so I'll not say too much about this other than the important bit 
for this use case.

You're already familiar with the selection of an SSL certificate 
template at the bottom of the app server configuration page in the Admin 
UI. Below that there is a true/false configuration for "ssl require client 
certificate". Make sure it's set to true. Just below that is "ssl client 
certificate authorities". Click on "Show" and you'll see all the trusted 
certificate authority organizations. Find the one you just added, click 
on it, and select the authority you added.

This causes the app server to request a client certificate signed by the 
selected authority (you can select multiple authorities if you wish) and 
the "ssl require client certificate = true" setting means it will reject 
any requests that don't provide a client certificate.

You can also use the admin API for this: 
admin:appserver-set-ssl-require-client-certificate(), 
admin:appserver-set-ssl-client-certificate-authorities(), using 
information from pki:get-trusted-certificate-ids() and 
pki:get-certificates().

3. The XQuery client requests need to specify their client certificates. 
This is done through the options node described in the xdmp:http-get() 
documentation.

    xdmp:http-get(
       "https://srvr.acme.com/",
       <options xmlns="xdmp:http">
         (: PEM-encoded client certificate presented during the TLS handshake :)
         <client-cert>{$pem-encoded-client-certificate}</client-cert>
         (: PEM-encoded private key matching that certificate :)
         <client-key>{$pem-encoded-client-certificate-private-key}</client-key>
         (: only needed if the private key is encrypted :)
         <pass-phrase>{$pass-phrase-for-client-key-if-needed}</pass-phrase>
       </options>)

4. On the server side, you may want to inspect the client certificate 
and validate it. I usually do this in a URL rewriter so it is applied to 
every page.

    (: empty if the caller presented no client certificate :)
    let $pem-encoded-client-certificate as xs:string? :=
       xdmp:get-request-client-certificate()
    (: parse the PEM into an x509:certificate element for inspection :)
    let $xml-form-of-client-certificate :=
       xdmp:x509-certificate-extract($pem-encoded-client-certificate)

5. If you revoke any certificates for the authority, you can use 
pki:insert-certificate-revocation-list() against your security database. 
It stores either a PEM or DER encoded certificate revocation list into 
the database corresponding to the URL.

We've also used this pattern to automatically log people in based on a 
client certificate; you just need to match information from the 
certificate to a user in the security database.

Let me know if you have any other questions.

Wayne.


On 03/17/2012 05:42 PM, semerau at hotmail.com wrote:
> I am looking to set up web services on an app server in one MarkLogic 
> cluster that will be called by another app server in a different 
> MarkLogic cluster. I would like to set it up so that the servers are 
> configured to only accept connections from each other.
>
> The connections will not be ad hoc so I would prefer to install certs 
> or public keys for all apps on all the clusters. I would rather not 
> have to log into the remote cluster all the time but let the servers 
> trust the connections to the other servers, and let each server handle 
> its own user authentication, but yet have trusted connections to 
> remote servers.
>
> The communication will be going "out in the wild" so I can't secure 
> the networking connection (as with a VPN) between the servers so I'll 
> need to use SSL for the protocol. This does not need to be an 
> extremely fast connection because it's more of a command and control 
> scenario, and each cluster will operate independently from each other 
> and just periodically pass data and commands back and forth. The web 
> service is what exposes the interaction between them, and not anything 
> lower level like data replication.
>
> So my questions are:
>
> 1. How do I set up one App Server (listening for web service requests) 
> to only accept requests from previously configured remote clients and 
> which are using the correct certs\keys?
>
> 2. How do I code the client side call in XQuery to pass the 
> appropriate certs\key info to the other server and reject the 
> connection if the server has the wrong certs\keys?
>
> I know how to set up SSL on a server when a browser is involved, but 
> I'm not real clear how to do this when another MarkLogic app server is 
> involved as the client. I tried setting something up but both the 
> server and client seem to accept any connection and any certs so I 
> don't think I'm doing it securely enough.
>
> thanks,
> -Ryan

-- 
Wayne Feick
Principal Engineer
MarkLogic Corporation
Wayne.Feick at marklogic.com
Phone: +1 650 655 2378
www.marklogic.com
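A server-side check of the kind Wayne describes in step 4, as an added example written for this thread (not Wayne's or MarkLogic's own code): a URL rewriter that rejects any request whose client certificate is missing or whose subject commonName is not on a constructed allow-list of peer clusters. The x509:* element layout, the allow-list values and the /error.xqy module are assumptions; the TLS layer has already verified the certificate chain against the selected authority by the time this runs, so this module only adds the authorization step.

```xquery
xquery version "1.0-ml";

(: URL rewriter module for an app server with
   "ssl require client certificate = true".
   Assumes xdmp:x509-certificate-extract() returns an x509:certificate
   element whose subject commonName sits at x509:subject/x509:commonName. :)
declare namespace x509 = "http://marklogic.com/xdmp/x509";

(: constructed allow-list: subject commonName of each remote cluster's
   client certificate; replace with your own values :)
declare variable $ALLOWED-PEERS as xs:string+ :=
  ("cluster-b-client", "cluster-c-client");

(: set an HTTP error status and route to a small error module (assumed path) :)
declare function local:reject($code as xs:integer, $msg as xs:string)
  as xs:string
{
  xdmp:set-response-code($code, $msg),
  "/error.xqy"
};

let $pem as xs:string? := xdmp:get-request-client-certificate()
return
  if (empty($pem)) then
    (: cannot normally happen with require-client-certificate = true,
       but defend in depth in case the setting is switched off later :)
    local:reject(403, "client certificate required")
  else
    let $cert := xdmp:x509-certificate-extract($pem)
    let $cn as xs:string? := $cert/x509:subject/x509:commonName/string()
    let $issuer as xs:string? := $cert/x509:issuer/x509:commonName/string()
    return
      if (empty($cn) or not($cn = $ALLOWED-PEERS)) then (
        xdmp:log(concat("mTLS peer rejected: cn=", $cn, " issuer=", $issuer),
                 "warning"),
        local:reject(403, "client certificate not authorized")
      ) else (
        (: accepted: log the peer and pass the request through unchanged :)
        xdmp:log(concat("mTLS peer accepted: cn=", $cn), "info"),
        xdmp:get-request-url()
      )
```

Install the module as the app server's "url rewriter" so the check applies to every request, and keep the allow-list in a document or environment-specific config rather than inline once it has more than a couple of entries.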
