| 1 | +# Mutual authentication |
| 2 | + |
| 3 | +In TLS client authentication, a server requests a valid certificate from the client for authentication and ensures that it is only accessible by authorized machines and users. Server authentication allows a client to verify the authenticity of the web server that it is accessing. |
| 4 | + |
| 5 | +In mutual authentication, two sides of a communication channel verify the identity of each other instead of only one side verifying the other. Hence, when you use mutual authentication a client and a server independently verifies the identity of each other, instead of only the client authenticating the server or vice versa. |
| 6 | + |
| 7 | +Perform the following steps to apply mutual authentication for Ingress: |
| 8 | + |
| 9 | +1. Enable the default SSL profile on Citrix ADC. |
| 10 | + |
| 11 | + set ssl parameter -defaultProfile ENABLED |
| 12 | + |
| 13 | + **Note:** Make sure that Citrix ingress controller is restarted after enabling the default profile. |
| 14 | + |
| 15 | +2. Download the [mutual-auth.yaml](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/example/mutual-auth.yaml) file. This YAML file contains the Ingress resource definition and the SSL annotations. |
| 16 | + |
| 17 | + The contents of the YAML is as follows: |
| 18 | + |
| 19 | + ```yml |
| 20 | + apiVersion: networking.k8s.io/v1 |
| 21 | + kind: Ingress |
| 22 | + metadata: |
| 23 | + annotations: |
| 24 | + ingress.citrix.com/frontend-ip: "A.B.C.D" |
| 25 | + kubernetes.io/ingress.class: "citrix" |
| 26 | + ingress.citrix.com/frontend-sslprofile: '{"clientauth": "enabled", "sni": "enabled" }' |
| 27 | + ingress.citrix.com/secure_backend: '{"apache": "True"}' |
| 28 | + ingress.citrix.com/backend-sslprofile: '{"apache":{"serverauth": "enabled", "sni": "enabled"}}' |
| 29 | + ingress.citrix.com/ca-secret: '{"apache": "tls-ca"}' |
| 30 | + ingress.citrix.com/backend-secret: '{"apache": "wildcard-secret"}' |
| 31 | + ingress.citrix.com/backend-ca-secret: '{"apache": "tls-ca"}' |
| 32 | + name: web-ingress |
| 33 | + spec: |
| 34 | + tls: |
| 35 | + - secretName: wildcard-secret |
| 36 | + hosts: |
| 37 | + - "www.guestbook.com" |
| 38 | + rules: |
| 39 | + - host: "www.guestbook.com" |
| 40 | + http: |
| 41 | + paths: |
| 42 | + - backend: |
| 43 | + service: |
| 44 | + name: apache |
| 45 | + port: |
| 46 | + number: 443 |
| 47 | + path: / |
| 48 | + pathType: ImplementationSpecific |
| 49 | + ``` |
| 50 | + |
| 51 | + In this example: |
| 52 | + |
| 53 | + - An application named `apache` is used as the back-end service. You can replace it with the application that you are using. |
| 54 | + |
| 55 | + - `wildcard-secret` is the associated Kubernetes secret holding the client certificate. This certificate is used when Citrix ADC acts as a client to send the request to the back end Apache service. |
| 56 | + |
| 57 | + - The `tls-ca` secret holds the CA certificate that is used for verification of the client |
| 58 | +certificate |
| 59 | + |
| 60 | + - Specify the virtual IP address in the `ingress.citrix.com/frontend-ip` annotation. |
| 61 | + |
| 62 | + - authSNI needs to be enabled in the back-end and front-end SSL profile annotations for host name matching during the SSL handshake. |
| 63 | + |
| 64 | + - The `hosts` field should be populated with the appropriate DNS or FQDN that is used for matching the SNI. |
| 65 | + |
| 66 | +1. Edit the YAML to specify the appropriate IP address, service, and secrets. |
| 67 | + |
| 68 | + kubectl apply -f mutual-auth.yaml |
| 69 | + |
| 70 | +## Additional information |
| 71 | + |
| 72 | + The following SSL related annotations are used in this example. For detailed information on these annotations, see [annotations](https://docs.citrix.com/en-us/citrix-k8s-ingress-controller/configure/annotations.html). |
| 73 | + |
| 74 | +- `ingress.citrix.com/frontend-sslprofile` : Creates the front end profile applicable to the entity that receives requests from a client. |
| 75 | + |
| 76 | +- `ingress.citrix.com/backend-sslprofile`: Creates the back-end SSL profile (server plane). |
| 77 | + |
| 78 | +- `ingress.citrix.com/secure-backend: "True"`: Enables secure back end communication to the service. |
| 79 | + |
| 80 | +- `ingress.citrix.com/ca-secret`: Provides a CA certificate for the client certificate verification. This certificate is bound to the front-end SSL virtual server in Citrix ADC. |
| 81 | + |
| 82 | +- `ingress.citrix.com/backend-secret`: Use this annotation if the back-end communication between the Citrix ADC and your workload is on an encrypted channel, and you need the client authentication in your workload. This annotation is bound to the back end SSL service group. |
| 83 | + |
| 84 | +- `ingress.citrix.com/backend-ca-secret`: Enables server authentication which authenticates the back-end server certificate. This configuration binds the CA certificate of the server to the SSL service on the Citrix ADC. |
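Review bot: the annotation key in the "Additional information" list does not match the manifest: the YAML sets `ingress.citrix.com/secure_backend: '{"apache": "True"}'` (underscore, per-service JSON map) while the list entry reads `ingress.citrix.com/secure-backend: "True"` (hyphen, bare string); make the list entry match the manifest, because a reader who copies the list form gets an annotation the controller does not recognise and the back-end leg stays in plain text. The same drift appears in the bullet "authSNI needs to be enabled in the back-end and front-end SSL profile annotations" while both profile annotations only set `"sni": "enabled"`; refer to the key by the name used in the YAML. The numbered procedure runs 1, 2, 1: the final "Edit the YAML to specify the appropriate IP address, service, and secrets." should be step 3, and its `kubectl apply -f mutual-auth.yaml` line should be set off the same way as the `set ssl parameter -defaultProfile ENABLED` command in step 1. The `tls-ca` bullet is broken across "used for verification of the client" / "certificate" with no terminating period, and since the same secret is also referenced by `ingress.citrix.com/backend-ca-secret`, it should state that this CA verifies both the client certificate on the front end and the Apache server certificate on the back end. The opening paragraph promises the server is "only accessible by authorized machines and users", so the text should also say whether `"clientauth": "enabled"` makes the client certificate mandatory or only requested, since only the former enforces that guarantee. Minor grammar: "a client and a server independently verifies" should read "verify".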